While state chief information officers have a long list of hot-button issues that are demanding their attention, the broad cybersecurity problem remains the top concern, the National Association of State Chief Information Officers (NASCIO) said in its 2023 State CIO Survey released on Oct. 10.
“Cybersecurity continues to be THE top priority of State CIOs for ten years running,” the group said in the report that derives data from responses submitted by 49 state CIOs.
Within the broader cybersecurity category – and framed as a risk to the continuity of state government – “ransomware continues to be the top cyber risk as it was when we last asked in 2021,” the group said.
Following ransomware on the list of state CIO cybersecurity worries were the use of “shadow” IT components on state networks, human error, compromises of software supply chains, and phishing and business email compromises.
“Surprisingly, only 15 percent of CIOs reported that human error is their top cybersecurity risk,” NASCIO said. “We know that human error accounts for a large number of cybersecurity breaches, but we wonder if CIOs are so used to human error that they don’t rank it highly,” the group said.
As for ongoing work to meet cybersecurity challenges, “when asked to characterize the current status of the cybersecurity program and environment in their states, there aren’t any big surprises here,” NASCIO said. “States continue to provide cyber awareness training, adopt the NIST framework and other fundamentals.”
Breaking those cybersecurity fundamentals categories down further, the NASCIO survey reveals that endpoint detection technologies are receiving the most attention, with 80 percent of state CIO respondents reporting that focus. In other categories, 71 percent are giving high attention to cybersecurity awareness training, and 69 percent are doing the same with identity and access management (IAM) adoption and expansion.
“We also asked about a few cybersecurity topics that we haven’t covered in depth in this survey before,” NASCIO said, including bans on foreign technology, social media, application platforms and software due to cybersecurity concerns.
“Eighty percent of states have banned foreign-made technology, application platforms or software due to cybersecurity concerns and the top two categories banned are social media apps (89 percent) and telecommunications/networking platforms (46 percent),” the group said.
“Of those states who have bans in place, most were banned by executive order (54 percent) or enterprise policy (51 percent) and only 32 percent via legislation,” NASCIO said.