Chief information security officers (CISOs) of US states are being stretched thin by widening responsibilities and insufficient resources to achieve them.

Like CISOs of corporations, these individuals are responsible for building and managing statewide IT security programs and policies, managing cyber-risks and incident response efforts, ensuring compliance with relevant regulations and standards, and more. "In the early 2000s, the advent of the Internet and the desire to develop citizen-facing applications accessible from the Internet really started that trend," explains Srini Subramanian, co-author of the newly released biennial cybersecurity report from Deloitte and the National Association of Chief Information Officers (NASCIO). "States collect, share, and use data of residents from birth, including school, driving records, health records, and more," he explains.

Among all 51 US state CISOs surveyed in the Deloitte/NASCIO report, many report an expansion of their responsibilities with regard to protecting data privacy, risk management, and more. More CISOs' offices now provide support to state agencies in the realms of strategy, governance, and risk management (up 17%), security management and operations (up 8% over 2022), incident response (up 17%), and network and infrastructure (up 7%).

Compared to their increased workloads, however, state CISOs' offices are not being financed and staffed with equivalent fervor. "State systems don't have as many resources as the private sector," Subramanian says. "The rigor and emphasis on cyber has always been greater in the federal government," he notes. As a result, "State CISOs have to go and seek resources from the CIOs as part of their technology budget."

Budget constraints and a talent shortage help explain why nearly four in five state CISOs cite staffing as a challenge. Though the number of scarily understaffed offices has dropped — just two respondents reported having one to five full-time employees, down from six in 2022 — more than half of state CISOs report that their staff lack the competencies necessary to deal with the demands of the job. Subramanian recalls how, "in Texas, there is a regional security operations center that has been set up with a combination of a university, private sector, and the government."

The lone counterpoint is that state CISOs today have markedly less to worry about when it comes to physical security, providing a kind of counterbalance. In 2020 (52%) and 2022 (54%), a majority of CISOs' offices handled physical security for data centers and other pertinent facilities, but in 2024 that number plummeted to 35%. Today, just six state cybersecurity budgets allocate anything toward physical security.

CISOs for US states face the same kinds of challenges those at private companies do: lots of work to handle, but not necessarily enough money or people to handle it sufficiently well. Whether it be a private company or a government organization, large or small, the issues that face CISOs today are pretty consistent across the board, because the underlying gap between security leaders and their colleagues always tends to take a similar shape. "CISOs and security practitioners typically have a hard time justifying their programs to leadership. Until the security program is not perceived as a 'cost' but rather a 100 times unplanned-for-cost-avoiding department, CISOs will struggle with budget and relevance," says Pete Nicoletti, global field CISO at Check Point Software.
This Cyber News was published on www.darkreading.com. Publication date: Mon, 30 Sep 2024 21:10:18 +0000