State information technology officials have been making progress in beefing up cybersecurity, but a lack of funding and a serious workforce shortage remain significant barriers for many of them, a new report has found.
Nearly half of states don’t have a separate cybersecurity budget and more than a third have seen no growth or a reduction in those budgets, according to a survey of top IT security officers in 50 states.
State officials need to take “bold action” to address these longstanding problems, the report concluded. Among its recommendations: advocating for dedicated cyber funding on the state level, seeking money from federal agencies and teaming with the private sector and local colleges and universities to provide a pipeline of new talent.
The report by the National Association of State Chief Information Officers and Deloitte & Touche LLP was released today at the group’s national conference in San Diego.
Cybersecurity is a serious issue for states, as sophisticated hackers and cybercriminals increasingly take aim at government networks, which contain detailed information such as Social Security numbers, birth certificates, driver’s licenses and bank account and credit card numbers of millions of people and businesses.
Many states typically spend only 1 to 2 percent of their IT budget on cybersecurity, compared with federal agencies, which spend much more, according to the report. The U.S. Department of Transportation, for example, spent 5 percent of its IT budget on cybersecurity in 2018; the U.S. Treasury Department nearly 12 percent.
Staffing also continues to be a major problem for states, the report found. Among the obstacles: low salaries, competition from the private sector, where the pay often is much higher, and a lack of qualified candidates.
Most state IT security offices only have a small cyber team, the survey found. More than half employed 15 or fewer full-time professionals.
To address the workforce problem, the report recommended that more states outsource certain cyber functions, such as threat monitoring and risk assessments, and create internships and apprenticeship programs with colleges and universities.