State CISOs Are Losing Confidence. The Federal Government Just Made It Worse.

A new Deloitte-NASCIO study dropped this week, and the headline number is hard to ignore: only about one in four state CISOs say they’re “extremely” or “very” confident in their ability to protect state assets from cyber threats. In 2022, nearly half said so.

That’s not a minor dip. That’s a collapse in confidence over four years – and it’s happening while the threat environment is getting worse, not better.

I’ve spent 25 years in this field, from the Pentagon and Army ITA to Fortune 500 boardrooms. I’ve seen budget cycles squeeze security programs before. What’s different right now is the compounding effect: ransomware groups are specifically targeting state and local governments, AI is introducing risks that most public sector security teams aren’t staffed to evaluate, and the federal government is pulling back on the cyber support that state CISOs used to count on. That combination is genuinely dangerous.

What the data actually says

The confidence number is bad, but a second finding in the report deserves equal attention. Almost two-thirds of state CISOs said they’re “not very confident” in local governments’ and higher education institutions’ ability to secure public data. In 2022 that figure was 35%.

That’s the problem beneath the problem. State CISOs aren’t just worried about their own agencies; they’re worried about the sprawling ecosystem of cities, counties, school districts, and universities that sit on sensitive public data and share infrastructure with the state. When one of those entities gets hit, it becomes a state problem fast.

Nevada learned this in August 2025: a 28-day ransomware attack that traced back to a single malware download by one employee. The state refused to pay the extortion demand, but still incurred roughly $1.5 million in total recovery costs – $1.3 million to outside contractors alone. The December 2024 attack on Rhode Island’s RIBridges social services portal exposed the personal data of roughly 700,000 Rhode Island residents who rely on those systems.

These aren’t edge cases. They’re what happens when security programs are under-resourced for years and then get hit by a threat actor who is very well-resourced.

The metric problem and why it matters

Here’s the detail in the Deloitte-NASCIO report that I think gets overlooked. Half of all statewide CISOs said implementing effective metrics is now their top priority. In 2022, only 15% said so.

That shift tells you something important. State CISOs used to struggle to get resources. Now they’re struggling to justify the resources they have – or to make the case for more. You can’t walk into a governor’s budget office and say “we need more funding because threats are increasing.” You need to show what you’re doing with what you have, what the gaps are, and what the dollar cost of those gaps looks like.

This is exactly the conversation I hear from security leaders in the public sector all the time. They know the risk is real. Their executives are starting to ask harder questions. But the reporting infrastructure to answer those questions clearly doesn’t exist.

Where SideChannel fits

SideChannel built its vCISO model around a simple premise: most organizations – including state agencies and their downstream partners – don’t need a full-time CISO on every team. They need access to experienced security leadership that can build a real program, drive it to the right frameworks, and make the risk case to the people who control resources.

We’ve done this across hundreds of clients in healthcare, finance, and regulated industries. The public sector challenge is structurally identical: constrained budgets, complex regulatory environments, undersized security teams, and senior leadership that needs security translated into business and mission terms.

A few things we bring that directly address what the Deloitte-NASCIO data describes:

Our RealCISO platform gives state security programs a measurement framework built on the NIST Cybersecurity Framework. If the top priority for state CISOs right now is implementing effective metrics, that’s where you start. You can’t communicate risk to a governor or a legislature without a way to score your program, track progress, and show what the gaps are costing. RealCISO does that. Over 3,000 security providers are already using it.

Our vCISO practitioners bring the kind of experience that most state agencies can’t hire full-time – people who have run programs at national scale, who understand how NIST CSF, CIS Controls, and state-specific regulatory requirements all interact. When a state agency needs to respond to a ransomware incident, conduct a program gap assessment, or prepare a board-level security briefing, that depth matters.

And on the network side, our Enclave platform addresses one of the most persistent problems in state environments: flat, over-permissioned networks where one malicious download can become a 28-day crisis. Microsegmentation isn’t a new idea, but it’s one that most state agencies haven’t been able to execute – usually because they lack the internal expertise. Enclave is built specifically for environments where you need meaningful network segmentation without a large internal team to manage it.

No pitch deck. 30 minutes with a tenured vCISO who’s worked in the public sector. We’ll tell you where the gaps are.

The federal pullback is real, and states need a plan

The budget cuts and shifting priorities at the federal level have moved a significant share of the cyber risk burden to state and local officials. The state-local cybersecurity grant program that many small jurisdictions depended on is under pressure. CISA’s capacity to support state-level incidents has shrunk. The expectation that federal resources will backstop a state ransomware response is no longer reliable.

State CISOs who haven’t already recalibrated their programs around this reality need to do it now. The question isn’t whether you can get by on existing resources – it’s whether your program is positioned to make the argument for the resources you actually need, and whether you have the external partners in place to fill gaps your team can’t fill alone.

That’s what SideChannel does. Not as a vendor selling a product, but as a firm that has spent the last seven years building the model for what effective, accessible security leadership looks like at scale.

If you’re a state CISO, a state agency CISO, or a security leader in a municipality trying to figure out how to respond to exactly what this report describes – reach out. We’ve been in this conversation with public sector security teams for years, and we have a clear point of view on what actually works.