States at Risk: Facing Escalating Threats and Resource Constraints, States Struggle to Make Progress on Cybersecurity: 2012 Deloitte/NASCIO Cybersecurity Study
NEW YORK, Oct. 23, 2012 /PRNewswire/ — Less than one quarter (24 percent) of chief information security officers (CISOs) are very confident in their states’ ability to guard data against external threats, according to the just-released 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study (www.deloitte.com/us/nascio).
Moreover, while some threats to state information technology (IT) security diminished since 2010, the increasing sophistication of cyber-attacks presented a new set of challenges to state officials tasked with safeguarding citizens’ personally identifiable information (PII). The second biennial Deloitte-NASCIO Cybersecurity survey assessed the security of all state digital data and cyber assets administered by CISOs.
“Through the programs and services they deliver, states have become enormous repositories of citizen data. As such, the privacy of individual citizens is contingent on adequate IT safeguards,” said Srini Subramanian, principal, Deloitte & Touche LLP and leader of its security and privacy practice to state governments. “Citizen trust in government is severely impacted when the data is compromised and hence it is not just an information technology issue, but an issue that could adversely impact elected officials and the credibility of governments.”
The survey results call for a greater collaboration among state CIOs/CISOs and business/program leadership of the executive branch agencies and elected officials.
“The biennial Deloitte-NASCIO CISO Cybersecurity survey has become a key element in NASCIO’s advocacy focused on improving states’ IT security programs,” said Doug Robinson, NASCIO Executive Director. “Particularly in a time of aggressive threats, tight budgets and gaps in compliance, it’s critical that CIOs and CISOs work collaboratively with state policy-makers and agency leadership in an effort to reduce risks and better protect citizen data.”
Key findings of the 2012 Deloitte-NASCIO Cybersecurity Study included:
- Budget a continued problem: More than four out of five (86 percent) CISOs reported that insufficient funding posed the most significant barrier to addressing cyber security issues at the state level.
- Shortage of IT talent: The inadequate availability of cyber security professionals ranked among the top five barriers to addressing cyber security.
- New officials, same challenges: Despite the significant rate of turnover since the initial survey (31 new state CIOs and 22 new state CISOs since 2010), the challenges reported in the survey are remarkably similar, highlighting ongoing issues within state offices of information technology.
- State officials value a security agenda: A parallel survey targeting a limited cross-section of state business and elected officials shows that cyber security is indeed on their radar – 92 percent of respondents ranked cyber security as “most important” or “very important.”
Budget Hurdles Demand Business Partnerships
Elaborate and sophisticated threats receive the headlines and keep CISOs up at night – more than half (52 percent) listed increasingly sophisticated threats as a barrier to addressing cybersecurity – but a lack of resources remains the primary concern cited by respondents.
Based on the findings, one of the recommendations provided by Deloitte and NASCIO is for CISOs to develop a network of business stakeholder advocates across state government offices and agencies. When CISOs communicate strategies and report on risks, progress and results to business stakeholders within government, there is a potential for an increased rate of budget support for cyber security initiatives.
“There’s never been a better opportunity for CISOs to partner with business stakeholders–and advocate jointly for increases in cybersecurity budgets through well-articulated strategies, measures, and outcomes,” Subramanian added.
Mobile Devices Rank Among Top Threats
Fast-forwarding to 2013, the top four threats anticipated by CISOs to have the greatest impact on state governments include: (1) phishing, pharming and other related variants; (2) social engineering; (3) increasing sophistication and proliferation of threats, such as viruses and worms; and (4) mobile devices.
“In this report, we propose a set of strategic action items for states, in addition to helping build a compelling business case based on survey findings,” said Subramanian. “CIOs and CISOs are encouraged to use these recommendations to build greater awareness and support at each level of state government. We hope this document is a catalyst for CIOs/CISOs and their state official partners to drive their mutual cybersecurity initiatives to even greater success.”
For a copy of the full report, “2012 Deloitte-NASCIO Cybersecurity Study,” please visit www.deloitte.com/us/nascio.
For more information about Deloitte’s U.S. State Government practice, please visit http://www.deloitte.com/view/en_US/us/Industries/us-state-government/index.htm.
About the Survey
Deloitte, in conjunction with NASCIO, conducted an online survey of CISOs and state officials in July and August of 2012. Survey respondents included 50 CISOs or equivalents responsible for the security oversight of 48 states and two U.S. territories. CISOs surveyed were at the U.S. state enterprise-level, with the majority (63 percent) identified as Chief Information Security Officers; alternate designations included Security or IT Director and Acting or Interim CISO. Four of the respondents were CIOs.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
The National Association of State Chief Information Officers is the premier network and resource for state CIOs and a leading advocate for technology policy at all levels of government. NASCIO represents state chief information officers and information technology executives from the states, territories, and the District of Columbia. The primary state government members are senior officials who have executive level and statewide responsibility for information technology leadership. State officials who are involved in agency level information technology management may participate as state members. Representatives from other public sector and non-profit organizations may also participate as associate members. Private sector firms may join as corporate members and participate in the Corporate Leadership Council. For more information about NASCIO visit www.nascio.org.
About Deloitte’s Security & Privacy Services
Security, privacy and operational resilience are critical issues facing both public and private organizations today. Security & Privacy (S&P) services help organizations in their management of information and technology risks by delivering end-to-end solutions, using demonstrated methodologies and tools in a consistent manner. Our services help organizations address timely and pervasive issues such as identity theft, data security breaches, data leakage, cyber security and system outages across organizations of various sizes and industries, with the goal of enabling ongoing, secure and reliable operations across the enterprise. For deeper insights and new research on information security and privacy, visit our new innovation center, the Center for Security and Privacy Solutions.
 Q37 – What were the estimated total monetary damages sustained by the state resulting from the security breaches in $USD over the last twelve months?
 Q33 – Indicate your level of confidence that your state’s information assets are protected from threats.
Contact:
Daniel Mucisko, Public Relations, Deloitte, +1 973-602-4126, firstname.lastname@example.org
Maggie Edinger, Hill + Knowlton Strategies, +1 212-885-0370, email@example.com