State CISOs losing confidence in ability to manage cyber risks

Deloitte-NASCIO study shows AI, budget pressures are forcing states to make tough decisions.

The growing concerns about cyber risk come at a time of increased threats from state-sponsored hackers, rising use of AI and increased pressure on budgets.

State and local governments increasingly have become the targets of criminal ransomware groups and state-sponsored hackers. In addition, federal budget cuts under the Trump administration have shifted much of the cyber risk burden to state and local officials , who must increasingly take the lead for securing critical infrastructure.

“So, one of the big discussions with CISOs is how to articulate the business benefit of investment in cybersecurity,” Michael Wyatt, state, local and higher education cyber risk leader at Deloitte, told Cybersecurity Dive.

About half of all statewide CISOs said implementing effective metrics was their top priority, compared with only 15% in 2022. State CISOs have also been grappling with adoption of AI and managing those risks.

The report comes about six months after Nevada issued an after-action report on a 28-day ransomware attack it suffered in August 2025. Nevada’s cyberattack was linked to an accidental malware download by an employee . The state refused to pay an extortion demand, but incurred about $1.3 million in recovery expenses.

Meanwhile, the state of Rhode Island was impacted by a December 2024 attack against the RIBridges social services portal, which was managed by Deloitte. The company agreed to pay $5 million to cover those expenses.