Each year, the National Association of State CIOs (NASCIO)  publishes a survey of the state CIOs, with the October 2023 version getting responses from 49 of the 50 states. We highly recommend reading the summarized results, which cover funding issues, emerging technology, workforce challenges (of course), cloud services, organizational structure, legacy modernization, data management, AI, and other topics. 

Cybersecurity has been the top CIO priority for ten years, and here  are our takeaways from the most recent survey about that critical topic.

In terms of the details about how cybersecurity is handled, several relatively major changes have occurred since the 2019 survey, which collected CIO views of cybersecurity activities in the year before the pandemic began.

Two areas stand out as having substantial increases in cybersecurity activities. 92% of CIOs in 2023 cited the establishment of “trusted partnerships for information sharing and response” compared with 82% in 2019. The other major increase in cybersecurity activity involves the establishment of cybersecurity disruption plans, cited by 80% of CIOs in 2023 compared to 61% in 2019.

Given the dramatic increase in cyberattacks in recent years, this change doesn’t surprise us, though we worry a bit that the percentage of developed plans isn’t higher.  The following passage from a 2016 NASCIO issue brief describes some of the basic components (taken directly from that NASCIO report):

• A governance structure that clearly designates who is in charge in a given event or phase of an event

• Development of a risk profile for state assets

• Collaboration among the various agencies that have cyber responsibility

• A communication plan to ensure the right people have the right information as early as possible so they can respond effectively.

What’s more, “integration with existing plans and protocols must be considered. Most importantly, what is clearly needed is collaboration and integration among the state CIO organization, law enforcement, homeland security, emergency management, the National Guard and the state fusion center.”

One other thought: As longtime believers in performance measurement and evaluation, we were surprised that in 2023, just 57% said they documented the effectiveness of their “cybersecurity program with metrics and testing” – only 2% higher than in 2019.