State CISOs Report Alarming Drop in Confidence Amid Rising Cyber Threats

    The 2026 NASCIO-Deloitte study reveals that state Chief Information Security Officers' confidence in protecting public data has plummeted from 48% in 2022 to just 22% in 2026. Escalating AI-related threats and diminishing federal funding are key issues necessitating a shift in procurement strategies for cybersecurity solutions.

    Key Signals

    • Study shows state CISO confidence dropped to 22% in 2026
    • 78% of state CISOs anticipate third-party breaches as top threat
    • 16% reported budget declines for 2026, a change from 2024

    The recent 2026 NASCIO-Deloitte Cybersecurity Study has brought to light a troubling trend among state Chief Information Security Officers (CISOs) regarding their confidence in safeguarding public data. The study, which surveyed CISOs across all 50 states, the District of Columbia, and the U.S. Virgin Islands, revealed a staggering decline in confidence levels, plummeting from 48% in 2022 to just 22% in 2026. This 26-percentage-point drop marks a significant deterioration in the perception of security among state leaders and underscores the urgent need for enhanced cybersecurity measures.

    Several factors contribute to this decline, primarily the sophisticated nature of AI-enabled cyber threats. A striking 78% of state CISOs identified third-party breaches as the largest anticipated risk, and 55% flagged AI-driven attacks as a major concern. As technology evolves, so do the tactics utilized by cybercriminals, leaving organizations vulnerable to unprecedented forms of attack. The increasing complexity of such threats, coupled with an apparent decline in confidence, indicates that many states are feeling overwhelmed and under-resourced to combat these challenges effectively.

    Moreover, the state cybersecurity landscape is further hindered by aging IT infrastructure and shrinking budgets. Sixteen percent of CISOs reported a reduction in their budgets for 2026, a sharp reversal from previous years, in which no such declines were reported. The absence of adequate funding directly limits states' ability to invest in the modern technologies and training needed to mitigate risks from emerging threats. The historical data shows that while threats have evolved, the funding and resources to counter them have not kept pace, creating a gap that CISOs struggle to close.

    In the face of such adversity, state governments are seeking comprehensive solutions to bolster their defenses. Many are exploring whole-of-state cybersecurity governance models, which advocate for a united front against cyber threats by extending support from state-level authorities to municipalities and schools. As the NASCIO-Deloitte report suggests, a “stronger whole-of-state orientation could help municipalities defend against cyber threats that could also affect state systems.” This approach recognizes the interconnectedness of various state and local stakeholders in the realm of cybersecurity and promotes collaboration across jurisdictions.

    In light of the evolving cybersecurity landscape, states are increasingly developing generative AI strategies, policies, and best practices. Notably, 84% of state CISOs are involved in shaping strategies pertaining to generative AI to better respond to current threats. However, the adoption of AI technologies does not come without its risks. Many vendors are embedding AI capabilities within existing products without transparent governance frameworks, potentially leaving states “in a reactive position” when it comes to evaluating the risks.

    As procurement professionals refine their strategies in response to the report’s findings, several implications emerge that can reshape how states and organizations acquire cybersecurity solutions in the near future. With reduced federal funding pressing states to explore more cost-effective options, a trend toward scalable cybersecurity technologies that can address both AI-driven threats and support integrated governance structures is evident. Moreover, increased engagement with federal grant programs, such as the State and Local Cybersecurity Grant Program, will be crucial for aligning procurement plans with available resources and compliance requirements.

    This pivotal moment in cybersecurity also presents opportunities for vendors capable of delivering innovative solutions tailored to the complex challenges facing state CISOs. Vendors offering AI risk management frameworks and modernization efforts for legacy systems will likely find a burgeoning market as states navigate their multifaceted cybersecurity challenges.

    In summary, the findings of the NASCIO-Deloitte Cybersecurity Study call for urgency in addressing the declining confidence of state CISOs. As states ramp up efforts to reassess their cybersecurity strategies in light of these findings, procurement professionals should be prepared to adapt their approaches, focusing on innovative solutions to effectively combat evolving cyber threats while remaining responsive to budgetary constraints.

    • The confidence of state CISOs has collapsed from 48% to 22% between 2022 and 2026.
    • 78% of state CISOs identify third-party breaches as their largest anticipated threat.
    • Budget constraints are evident, with 16% reporting budget reductions in 2026.
    • States are likely to shift procurement strategies towards cost-effective and scalable cybersecurity technologies.
    • Exploring whole-of-state governance models may create a unified defense against cyber threats.
    • Vendors focusing on AI risk management frameworks will find increasing opportunities in state contracts.
    • Engagement with federal programs like the State and Local Cybersecurity Grant Program is essential for funding alignment.

    Agencies

    • Multi-State Information Sharing and Analysis Center
    • State and Local Cybersecurity Grant Program