Inside the 2026 NASCIO-Deloitte Cybersecurity Study with Meredith Ward

The 2026 NACIO‑Deloitte Cybersecurity Study, released mid‑year for the first time, captured responses from all 50 states and two territories. Its headline finding is a steep drop in state CISO confidence, reflecting a surge in AI‑enabled threats, critical‑infrastructure worries, and stagnant or shrinking budgets. By shifting the launch to a quieter conference window, NACIO highlighted how the cyber landscape is evolving faster than ever, making confidence a key barometer for state resilience.

AI dominates the conversation this cycle. Nearly all state CISOs are now directly involved in drafting generative AI security policies, with 94% shaping strategy and 84% reviewing use cases. Yet only ten respondents feel very confident defending against AI‑driven attacks, while half admit to being merely somewhat confident. This paradox underscores the dual nature of AI as both a powerful defensive tool and a novel attack vector, prompting a whole‑of‑state mindset that treats cyber hygiene as a shared responsibility across local governments, utilities, schools, and health systems.

Budget constraints intensify the pressure to demonstrate measurable outcomes. CISOs are increasingly tasked with quantifying cybersecurity ROI, tying spend to overall IT budgets, and justifying continued funding through the State and Local Cyber Grant. The study reveals that local jurisdictions often lack dedicated CIO or CISO leadership, leaving them vulnerable and dependent on state support. As threats grow more sophisticated, the emphasis on metrics, cross‑agency collaboration, and sustained grant funding becomes essential for maintaining a resilient public‑sector cyber posture.