Dive Brief:
- State chief information security officers are less confident in their ability to keep public data secure, according to a 2026 cybersecurity study by the National Association of State Chief Information Officers and Deloitte. Only 22% of state CISOs described themselves as “extremely” or “very confident” they could protect public data, down from 48% in 2022, the study found.
- Aging technology infrastructure and increasingly sophisticated cyberthreats were the top challenges survey participants identified, followed by insufficient cybersecurity budgets.
- The lowered confidence comes as cyberattacks on local government networks are on the rise and the Trump administration stopped funding for a major federal cybersecurity program for states in 2025.
Dive Insight:
The biggest cyberthreats to states the respondents anticipate in the coming year are security breaches involving a third party (cited by 78%), phishing attacks (67%) and artificial intelligence-enabled attacks (55%).
The CISOs also signaled a loss in confidence in the ability of local government and public higher education to protect public data. CISOs who describe themselves as “not very confident” in those institutions’ abilities jumped from 35% in 2022 to 63% in 2026.
Some experts point to the proliferation of artificial intelligence for increasing state and local government vulnerability to cyberthreats. AI has the capacity “to generate vast numbers of attacks at minimal cost,” the NASCIO-Deloitte report states, and it can also create convincing deepfakes that can infiltrate systems.
State CISOs expressed concern that increased AI adoption within state and local governments creates increasing liability, as employees might enter sensitive data into newly AI-enabled features of existing programs and platforms.
“Vendors are increasingly embedding AI capabilities into products and services without sufficient transparency or state-level control, effectively inflicting AI on operational environments before comprehensive risk assessments or policy frameworks can be applied,” one CISO told researchers. Such updates can leave states “in a reactive position.”
Nearly all the survey respondents say their states are adopting state-level generative AI strategies, policies and best practices, however, and the vast majority are using or planning to use genAI to enhance state cybersecurity operations.
With 43% of state CISOs “not very confident” in local government cyber practices, more states are also exploring whole-of-state cybersecurity, a centralized plan that extends support to local governments and schools.
“A stronger whole-of-state orientation could help municipalities defend against cyber threats that could also affect state systems,” the report states.
Despite growing cybersecurity needs, state CISOs say resources are diminishing: 16% reported budget reductions in 2026, compared with no declines reported in 2024. Only 22% reported budget increases of 6% or more, down from 40% two years ago.
States are also relying less on federal support following Trump administration changes and uncertainty about future funding. The administration switched to a fee-based membership for the Multi-State Information Sharing and Analysis Center, which previously received federal funding. Many state CISOs said they received federal State and Local Cybersecurity Grant Program funding, but some noted challenges with meeting program application requirements, the program’s short time frame and the level of funding available.
The survey received responses from the CISOs of all 50 states, the District of Columbia and the U.S. Virgin Islands.
