
When a cyberattack hits a government agency or private organization, officials are quick to label it an emergency—especially when the damage is significant. These declarations often come with assurances that steps are being taken to contain the threat and prevent future incidents. However, a more pressing question lies beneath these reactions: what if the very officials responsible for defending against such attacks are not fully prepared?
This concern was highlighted in a recent survey conducted by the National Association of State Chief Information Officers (NASCIO) in collaboration with Deloitte. The findings revealed a troubling reality—only 26% of State Chief Information Security Officers (CISOs) reported that they felt confident in their ability to defend against cyber threats. In other words, nearly three-quarters of these key cybersecurity leaders admit they are not adequately prepared to handle modern digital attacks.
The growing sophistication of cyber threats is a major factor behind this lack of confidence. In particular, the emergence of generative artificial intelligence (Gen AI) has significantly altered the threat landscape. Cybercriminals are now leveraging AI tools to automate attacks, craft more convincing phishing campaigns, and exploit vulnerabilities at unprecedented speed. According to survey respondents, this rapid adoption of AI—both by organizations and malicious actors—has widened the gap between defense capabilities and offensive tactics.
Many participants also pointed out that threat actors, including those backed by foreign governments, are increasingly using AI to enhance their operations. This has made cyberattacks more targeted, stealthy, and difficult to detect. Speaking at NASCIO’s Mid-Year Conference in Philadelphia, Kansas CISO John Godfrey emphasized this shift, noting that AI-driven attacks operate at a speed and scale far beyond human capacity. As a result, the window for detecting and responding to threats has shrunk dramatically, leaving cybersecurity teams struggling to keep pace.
Another critical issue contributing to this lack of preparedness is insufficient funding. For years, cybersecurity budgets at the state level have lagged behind the growing demands of digital defense. While senior leadership often acknowledges the importance of strengthening cybersecurity infrastructure, financial constraints continue to limit meaningful progress. Competing priorities within state budgets, such as healthcare, education, and public services, frequently take precedence.
The situation has been further complicated by the expiration of federal funding programs introduced during the COVID-19 pandemic. These funds had temporarily boosted cybersecurity initiatives, but their withdrawal has left many states struggling to maintain momentum. Additionally, ongoing global economic pressures—such as inflation and geopolitical tensions, including conflicts involving Israel and Iran—are placing further strain on government finances.
To make matters worse, the reauthorization of the State and Local Cybersecurity Grant Program remains uncertain. Delays and political challenges surrounding its renewal are creating additional obstacles for states seeking to enhance their cybersecurity capabilities.
In summary, while cyber threats continue to evolve at a rapid pace, the readiness of those tasked with defending against them is not keeping up. Without increased investment, stronger policy support, and faster adaptation to emerging technologies like AI, the gap between attackers and defenders is likely to widen—leaving critical systems increasingly vulnerable.
















