State chief information security officers (CISOs) are confronting a rapidly evolving cybersecurity landscape in which artificial intelligence (AI) technologies are being used both to launch more sophisticated cyberattacks – and to strengthen state defenses against them – according to a new report from the National Association of State Chief Information Officers (NASCIO) and Deloitte.
The 2026 NASCIO-Deloitte Cybersecurity Study, issued on April 27, also finds a declining level of confidence among state cyber defenders in their ability to secure public data due to funding and workforce shortages.
On the adversary front, the study says that foreign adversaries, cybercriminals, and sophisticated hackers are increasingly deploying AI-based tools to probe for vulnerabilities, forcing state cyber defenders to adopt similar technologies to detect and counter emerging threats.
At the same time, the role of state CISOs is expanding significantly, with leaders now responsible not only for traditional cybersecurity operations but also for guiding AI governance, developing security policies for generative AI tech, and safeguarding sensitive public data across complex digital ecosystems.
Along with these expanded responsibilities, CISOs report that resources are not keeping pace with demand, citing tightening budgets and ongoing workforce shortages as major constraints on their ability to respond effectively.
One of the most striking findings in the study is the sharp drop in confidence among state cybersecurity leaders in their ability to protect public data.
The percentage of CISOs who said they were “extremely” or “very confident” in securing public data fell from 48% in 2022 to just 22% in 2026.
Confidence in the cybersecurity capabilities of local governments and public higher education institutions has also eroded significantly, the report finds.
The share of CISOs who said they were “not very confident” in those entities rose from 35% in 2022 to 63% in 2026.
According to the study, the decline in confidence is driven by several factors, including the increasing sophistication of cyber threats, the growing use of AI by attackers, and the interconnected nature of government systems, where breaches at the local level can quickly spread to state systems.
CISOs also pointed to structural challenges such as legacy infrastructure, insufficient cybersecurity funding, and the complexity of defending against a widening range of attack vectors, including malicious code, web application attacks, financial fraud, phishing, and zero-day vulnerabilities.
In response, many states are adopting a “whole-of-state” cybersecurity approach, expanding support to local governments, public education systems, and critical infrastructure sectors that are frequent targets of cyberattacks.
AI tech is playing a central role in this strategy, with 94% of CISOs reporting involvement in developing generative AI security policies and using advanced tools to enhance threat detection and response capabilities.
However, budget pressures are intensifying, with only 22% of CISOs reporting budget increases of 6% or more in 2026, down from 40% in 2024, while 16% reported actual budget reductions.
The study concludes that while state CISOs are adapting to an increasingly complex and AI-driven threat environment, their ability to fully secure public data systems will depend on addressing resource gaps, modernizing infrastructure, and continuing to evolve cybersecurity strategies in step with rapidly advancing technologies.
