State CISOs say insufficient funding, increasing sophistication of threats and inadequate availability of cybersecurity professionals are the top three barriers in addressing cybersecurity.
Eighty-six percent of CISOs said insufficient funding was the biggest barrier to addressing cybersecurity issues at the state level, according to the 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study. Fifty U.S. state enterprise-level CISOs from 48 states and two U.S. territories participated in the survey. The increasing sophistication of threats was a barrier for 52% of respondents, and 46% said the inadequate availability of professionals in the field was a major barrier to addressing cybersecurity.
"Retaining talent is a challenge because of the market for cybersecurity professionals," said Srini Subramanian, principal at Deloitte & Touche LLP, who said it is also difficult for the state to attract IT talent to begin with.
Part of the problem, Subramanian said, is that the government is competing with the private sector for a limited number of qualified cybersecurity professionals.
Doug Robinson, executive director at NASCIO, echoed Subramanian when he said cybersecurity professionals who begin in government are trained up and move on to the private sector because the compensation is better. He also said location is an issue with government jobs, as some states are less desirable places to live than others.
Robinson said in some cases security budgets did not include funds for security professionals to get adequate certifications. The biannual Deloitte-NASCIO survey, which assessed the security of all state digital data and cyber assets administered by CISOs, supports Robinson's assertion that funding is an issue.
Despite the lack of funding, CISOs have to find a way to train their employees and address threats. The Deloitte-NASCIO survey found that 24% of CISOs believe their staff has large gaps in competency, up from 17% in 2010. Only 32% of CISOs said their staff has all of the required competencies, up from 25% in 2010. Half of those surveyed said they respond to these deficiencies through training. Others close the gaps through staff augmentation and outsourcing the affected areas.
Subramanian said organizations should practice "selective outsourcing of security services," being careful to only outsource in circumstances where the integrity of the security can be maintained.
Many issues presented in the report were similar to the information gathered in the 2010 survey.
"The overarching surprise [of the survey] is the lack of sustained progress since the 2010 benchmark," Robinson said. "The challenges are real."
The report also highlighted which threats CISOs believe will have the largest impact on state governments in 2013. The top four were phishing, pharming and other related variants; social engineering; increasing sophistication and proliferation of threats, such as viruses and worms; and mobile devices.
Deloitte & Touche LLP is a business firm that works in audit, financial advisory, tax and consulting. The company was founded in London and is currently headquartered in New York. NASCIO is a nonprofit organization that represents state CIOs and information technology executives and managers. It strives for government excellence through quality business practices, information management, and technology policy.