The State CISO Crisis: Why 78% of Government Security Leaders Don't Think Their Data Is Safe
The 2026 NASCIO-Deloitte survey asked every state CISO in America if they felt confident protecting public data. 78% said no. This week we dig into the three forces driving that collapse — and what it means for every security team, not just the public sector.
👋 Welcome to Unlocked
The 2026 NASCIO-Deloitte survey asked every state CISO in America whether they felt confident protecting public data. 78% said no.
These aren't junior analysts hedging their bets. These are the security leaders responsible for your tax records, your medical benefits, your kids' school data, your voting registration. And they don't think they can keep it safe.
This week we dig into why — and what it means for every security team, not just the public sector.
🔑 What the NASCIO-Deloitte Report Actually Says
The 2026 NASCIO-Deloitte Cybersecurity Study surveyed CISOs from all 50 states and two territories. The headline number — 22% confidence — is the sharpest single-survey drop in the study's 16-year history.
But the confidence collapse isn't the only alarming finding. Read the full dataset and a pattern emerges: state CISOs are losing ground on every front simultaneously.
On threats: the three biggest cyberthreats CISOs anticipate in the next year are third-party security breaches (cited by 78%), phishing (67%), and AI-enabled attacks (55%). All three have grown materially more dangerous in the past 24 months. All three are documented in the breach timelines we've covered in the past two editions.
On budgets: 16% of state CISOs reported budget cuts in 2026 — compared to zero who reported reductions in 2024. Only 22% saw budget increases of 6% or more, down from 40% two years ago. The Trump administration's decision to switch the Multi-State Information Sharing and Analysis Center to a fee-based model — previously federally funded — removed a critical coordination layer at exactly the wrong moment.
On the ecosystem: the share of CISOs who describe themselves as "not very confident" in the ability of local governments and public universities to protect data jumped from 35% in 2022 to 63% in 2026. States share systems with counties, municipalities, school districts, and public colleges. A breach in any one of those connected entities can cascade directly into state infrastructure — and right now, most of those downstream entities have no dedicated security staff at all.
As Dataminr's Tim Miller put it plainly: "States are being asked to extend protection downward — to county governments, school districts, municipalities that have no dedicated security staff — with budgets that are, in many cases, flat or declining."
📉 The Numbers
- 22% of state CISOs are "extremely" or "very confident" their data is protected — down from 48% in 2022
- 78% cite third-party breaches as their top anticipated threat
- 63% are "not very confident" in local government and public higher education's ability to protect data
- 16% reported budget cuts in 2026 — up from 0% in 2024
- 3,600+ AI agent deployments across federal government agencies — most without formal security vetting
- 48% increase in cyberattacks on state and local governments between 2023 and 2024 alone
- $4.88M average cost of a data breach in 2024 — a number that has only moved in one direction
- 94% of state CISOs are now involved in developing GenAI security policies, despite shrinking resources
🔍 Three Things Are Happening At Once
The NASCIO report is a government study. But the forces it documents aren't unique to government — they're the same forces every security team is navigating. The public sector just happens to be the most transparent about the damage.
1. The AI acceleration gap.
Kansas CISO John Godfrey put it clearly at NASCIO's Mid-Year Conference: "The fundamentals of cyber have not changed. The issue is really just about the speed by which we need to take action."
AI has handed attackers the ability to operate at machine speed. It's generating exploit code overnight, automating phishing at industrial scale, and — as we covered last week — producing working zero-day exploits that bypass 2FA entirely. Germany's Federal Office for Information Security just warned lawmakers that China is close to deploying an AI "superhacker" model developed in secret — a capability that, if confirmed, would redefine the threat environment for every government and enterprise defender simultaneously.
Meanwhile, defenders are still operating largely at human speed. The tech gap Godfrey described isn't a gap in tools — it's a gap in velocity. Attackers iterate in hours. Procurement cycles take months. That asymmetry is baked into the 22% confidence number.
2. The third-party access problem at scale.
State government systems are deeply interconnected. A county benefits system feeds into a state benefits system. A public university's student data system connects to a state scholarship database. A local police department's records management system shares infrastructure with a state law enforcement network.
ShinyHunters understood this before most state CISOs had put it into a risk register. Their Instructure/Canvas campaign — which hit 9,000 educational institutions simultaneously — didn't breach each institution individually. It compromised the shared platform and let the cascade do the rest. The Anchorage Police Department was taken offline not because it was directly attacked, but because a third-party fax server was. The Illinois and Minnesota Departments of Human Services both experienced significant data exposures in January 2026 — not from sophisticated nation-state intrusions, but from misconfigured access controls and excessive internal permissions.
The attack surface isn't the perimeter anymore. It's every third-party integration, every shared platform, every connected downstream entity — and in state government, that number runs into the thousands.
3. The budget-threat inversion.
Here's the dynamic that makes the NASCIO data genuinely alarming rather than just discouraging: threats are growing at the fastest rate ever documented, and budgets are shrinking for the first time in the study's history. That's not a temporary dip — it's a structural inversion of the resource model that the entire public sector cybersecurity posture was built on.
Only 2% of state CISOs are "very confident" they can protect against AI-enabled attacks. Not 22%. Two percent. That's the number when you narrow the confidence question specifically to AI. The CISOs who know the most about what's coming are the least confident about their ability to stop it.
🛡️ What This Means for Your Access Layer
The NASCIO report is a threat intelligence document as much as a policy one. The three threats state CISOs rank highest — third-party breaches, phishing, and AI-enabled attacks — map directly onto the access layer failures that have driven every major breach we've covered this year.
Third-party access governance isn't optional. 78% of state CISOs name third-party breaches as their top anticipated threat. In the private sector, that number would likely be similar. Every connected vendor, every OAuth token, every shared platform integration is a potential entry point — and most organizations have no real-time visibility into which of those connections are active, over-permissioned, or dormant. Auditing your third-party access footprint is the single highest-return security activity most teams aren't doing consistently.
Phishing-resistant authentication is the floor, not the ceiling. 67% of state CISOs cite phishing as a top threat. This tracks with everything we documented in the ShinyHunters playbook — vishing campaigns specifically engineered to defeat push-based MFA. Hardware-bound credentials don't just raise the bar on phishing resistance. They remove the attack surface entirely. There is no phone call that tricks a passkey. There is no crafted email that steals a FIDO2 hardware key.
AI threat readiness requires honest gap analysis. Only 2% of state CISOs feel confident against AI-enabled attacks — but 94% are involved in developing GenAI policies. That gap between policy involvement and defensive confidence is the most important number in the report. Writing governance frameworks for AI adoption while remaining almost entirely unconfident in your ability to defend against AI attacks is the defining tension of 2026 security leadership. The organizations that close that gap first — through identity controls that don't depend on human reaction speed, automated detection that operates at machine tempo, and access architectures that remove the credential as the primary attack surface — will be in a materially different position in two years.
📡 What's Actually Working
It would be easy to read the NASCIO data as pure doom. It isn't — and the report is honest about that too.
The CISOs who are making the case for sustained investment are doing it by speaking the language their legislatures understand. Not incidents blocked. Not vulnerabilities patched. Metrics tied to mission continuity and dollar-loss avoidance — the kind of numbers that answer the question every skeptical budget committee eventually asks: "What does a breach actually cost us?" The states getting funding are the ones that built a multi-year roadmap, report against it annually, and frame outcomes in terms a non-technical audience can act on.
The other bright spot is AI on defense. Nearly all state CISOs are now using or planning to use generative AI for cyber operations — triaging alerts, summarizing threat events, accelerating threat identification. The same technology widening the attack surface is also, carefully deployed, one of the few ways defenders can begin to close the velocity gap. The organizations winning that race aren't the ones that banned AI from their security stack. They're the ones that governed it fast enough to use it before the attackers did.
🔑 The Bottom Line
The NASCIO report doesn't read like a policy document. It reads like a warning.
When the people responsible for defending public infrastructure — with full visibility into the threat landscape, the budget reality, and the downstream exposure — tell you they're not confident, that's not a communications problem. That's a signal. The same signal that shows up in the ShinyHunters breach timeline, in the AI zero-day Google caught last week, in the Exchange zero-day that still has no permanent patch. The confidence collapse didn't come from nowhere. It came from watching the threat environment accelerate while the resource model stayed flat.
What makes this edition different from a standard threat briefing is the source. This isn't a vendor report with an agenda. It's 52 security leaders, surveyed anonymously, answering the same question they've been asked every two years since 2010. The trend line only goes one direction.
💡 Unlocked Tip of the Week
Ask your team this question: "If we mapped every third-party system that holds an active authenticated connection into our environment, how many would we find — and when did we last review the permissions on each one?"
For most organizations, the honest answer involves numbers that are larger than expected and review cycles that are longer than defensible. That's the same gap the NASCIO report is documenting at the state government level. The difference is that state CISOs are now saying out loud what most enterprise security teams quietly know: the third-party access footprint has outgrown the governance model built to manage it.
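One way to turn the question above (and the "active, over-permissioned, or dormant" framing from the access-layer section) into a repeatable check is a small inventory audit. The example below is added here and is not code from the newsletter or the NASCIO report; the vendor names, scopes, dates and the 90-day dormancy and 180-day review thresholds are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set, List, Dict

# Constructed sample inventory. Vendor names, scopes and dates are illustrative
# placeholders, not data from any real environment or from the NASCIO study.
TODAY = date(2026, 6, 1)
DORMANT_AFTER = timedelta(days=90)    # assumed: no use in 90 days -> dormant
REVIEW_EVERY = timedelta(days=180)    # assumed permissions-review cadence
WRITE_SCOPES = {"admin", "write", "delete", "user.manage"}  # assumed scope names

@dataclass
class Integration:
    vendor: str
    auth_type: str                    # "oauth", "api_key" or "service_account"
    scopes: Set[str]                  # permissions currently granted
    needs_write: bool                 # does the documented use case need write access?
    last_used: Optional[date]         # None = never seen in logs
    last_reviewed: Optional[date]     # None = never reviewed

INVENTORY = [
    Integration("benefits-eligibility-vendor", "oauth", {"read"}, False, date(2026, 5, 30), date(2026, 3, 1)),
    Integration("fax-gateway", "api_key", {"read", "write"}, False, date(2025, 11, 2), None),
    Integration("lms-platform", "oauth", {"read", "user.manage", "admin"}, False, date(2026, 5, 31), date(2024, 9, 15)),
    Integration("scholarship-sync", "service_account", {"read", "write"}, True, date(2026, 5, 29), date(2026, 4, 20)),
]

def review(integ: Integration, today: date = TODAY) -> List[str]:
    """Return the findings for one third-party connection (empty list = clean)."""
    findings = []
    # Dormant: token or key still valid but not exercised within the window.
    if integ.last_used is None or today - integ.last_used > DORMANT_AFTER:
        findings.append("dormant")
    # Over-permissioned: holds write/admin scopes the use case does not require.
    if not integ.needs_write and integ.scopes & WRITE_SCOPES:
        findings.append("over-permissioned")
    # Review overdue: permissions never reviewed, or not within the cadence.
    if integ.last_reviewed is None or today - integ.last_reviewed > REVIEW_EVERY:
        findings.append("review-overdue")
    return findings

def audit(inventory: List[Integration], today: date = TODAY) -> Dict[str, List[str]]:
    """Map vendor -> findings, listing only connections that need attention."""
    return {i.vendor: f for i in inventory if (f := review(i, today))}

if __name__ == "__main__":
    for vendor, findings in audit(INVENTORY).items():
        print(f"{vendor}: {', '.join(findings)}")
```

Feeding this from an identity provider's application inventory and sign-in logs, rather than a hand-built list, is what turns a one-off count into the review cycle the tip asks about.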
🔥 Final Takeaway
There's something worth sitting with at the end of this report.
The people who know the most about what's coming are the least confident about stopping it. That's not pessimism — that's pattern recognition. And if 78% of the country's state security leaders are flagging third-party access as their number one threat going into the next 12 months, it's probably worth asking whether your third-party access posture is one they'd recognize.
Stay ready. Stay resilient.
Until next time,