National Association of State Chief Information Officers Reports Lower Cyber Confidence
The 2026 NASCIO–Deloitte cybersecurity study, based on survey input from state Chief Information Security Officers, reported lower confidence in cyber protections and increasing attention to measurement and policy work around generative AI. The findings reflect how state-level security planning has been moving amid changing threat conditions described in the study.
Survey results covering all 50 states and two territories found that 26% of state CISOs said they were “extremely” or “very” confident their state information assets were protected, down from 48% in 2022. The study also reported that 16% of CISOs said their budgets had been cut, up from none in 2024, and that the share describing local government and public higher education as “not very confident” rose from 35% in 2022 to 63% in 2026.
On policy and tooling, nearly all state CISOs said they were involved in developing Generative AI security policies (94%) and in Generative AI strategy development (84%). The study also linked AI to both threat activity and operational defense, citing AI-enabled tactics such as deepfakes, AI agents that probe for weaknesses, and AI-driven ransomware-as-a-service operations, while also describing AI used to triage alerts, summarize events, and explore report creation, threat identification, and training.
The report described effectiveness metrics as the top 2026 priority for CISOs, with 49% identifying implementation of such metrics, compared with 15% in 2022. It also said CISOs described Generative AI use in core security operations, including security information and event management (SIEM) and security orchestration, automation and response (SOAR). “We're seeing more states move toward a 'whole-of-state' cybersecurity approach where the state helps extend protection beyond state agencies to local governments, public education and other critical entities that can become an entry point for attackers. At its core, it's about scaling capabilities through shared services and better collaboration so a weakness in one part of the ecosystem doesn't become a statewide incident. Many states are looking to scale capabilities through security operations centers and regional support, so counties, cities and schools can benefit from the same cyber-defense muscle as the enterprise.” Mike Wyatt, Stale local and higher education cyber risk leader, Deloitte, said. The study also included: “It's an encouraging development that state CISOs are being placed at the center of Generative AI security. They are helping shape the strategy, establishing security policies and reviewing proposed use cases. By being involved from the beginning, CISOs are helping governments move faster without sacrificing safeguards because security and governance complement each other. We're also seeing CISOs explore practical uses of AI to strengthen day-to-day defense, while putting clearer guardrails around responsible uses.”
Provided by Cision on behalf of Deloitte España. Click to read original content.