State CISOs Losing Confidence in Ability to Manage Cyber Risks

Cybersecurity Dive (Industry Dive), Apr 29, 2026

Why It Matters

Reduced confidence signals that state and local governments may struggle to defend critical infrastructure, increasing the likelihood of costly cyber incidents and eroding public trust.

Key Takeaways

  • Only 25% of state CISOs feel highly confident protecting assets.
  • Confidence dropped from 50% in 2022 to one‑quarter now.
  • Two‑thirds doubt local and higher‑education data security.
  • AI adoption and budget cuts heighten cyber‑risk challenges.
  • Nevada ransomware recovery cost $1.3 M; Rhode Island breach $5 M.

Pulse Analysis

The Deloitte‑NASCIO study reveals a stark erosion of confidence among state CISOs, dropping from nearly half in 2022 to just a quarter today. This shift reflects a broader fatigue as cyber threats multiply and resources dwindle. When senior security leaders lack confidence, they are less likely to pursue proactive measures, leaving critical state systems—ranging from health records to transportation networks—more exposed to exploitation. The data also highlights a growing anxiety about the security posture of local governments and higher‑education institutions, which often operate with even tighter budgets.

Two interlocking forces are driving this crisis. First, the proliferation of AI tools introduces new attack vectors while demanding sophisticated defenses that many state teams are not equipped to implement. Second, recent federal budget cuts have transferred a larger share of the cyber‑risk burden to state and local officials, forcing them to stretch limited staff and funding across an expanding threat landscape. Coupled with the rise of state‑sponsored hackers and ransomware gangs, these pressures compel CISOs to prioritize metric‑driven security programs, a priority that has surged from 15% in 2022 to half of respondents today.

Financial repercussions are already evident. Nevada’s 28‑day ransomware incident in 2025 cost roughly $1.3 million in recovery, while Rhode Island’s breach of the RIBridges portal incurred a $5 million settlement. These cases illustrate how inadequate security can translate into multi‑million‑dollar losses, not to mention reputational damage. For policymakers, the findings underscore the urgency of allocating dedicated cyber‑funds, fostering inter‑agency collaboration, and investing in AI‑aware talent to restore confidence and safeguard public assets.
