State Cybersecurity Offices Need More Money and Staff, Report Finds

By: - October 23, 2018 12:00 am

A federal cybersecurity worker is surrounded by computer monitors at the Department of Homeland Security in Arlington, Virginia. A new study says state IT cybersecurity offices are lacking money and experienced staff. Cliff Owen/The Associated Press

State information technology officials have been making progress in beefing up cybersecurity, but a lack of funding and a serious workforce shortage remain significant barriers for many of them, a new report has found.

Nearly half of states don’t have a separate cybersecurity budget and more than a third have seen no growth or a reduction in those budgets, according to a survey of top IT security officers in 50 states.

State officials need to take “bold action” to address these longstanding problems, the report concluded. Among its recommendations: advocating for dedicated cyber funding on the state level, seeking money from federal agencies and teaming with the private sector and local colleges and universities to provide a pipeline of new talent.

The report by the National Association of State Chief Information Officers and Deloitte & Touche LLP was released today at the group’s national conference in San Diego.

Cybersecurity is a serious issue for states, as sophisticated hackers and cybercriminals increasingly take aim at government networks, which contain detailed information such as Social Security numbers, birth certificates, driver’s licenses and bank account and credit card numbers of millions of people and businesses.

Many states typically spend only 1 to 2 percent of their IT budget on cybersecurity, compared with federal agencies, which spend much more, according to the report. The U.S. Department of Transportation, for example, spent 5 percent of its IT budget on cybersecurity in 2018; the U.S. Treasury Department nearly 12 percent.

Staffing also continues to be a major problem for states, the report found. Among the obstacles: low salaries, competition from the private sector, where the pay often is much higher, and a lack of qualified candidates.

Most state IT security offices only have a small cyber team, the survey found. More than half employed 15 or fewer full-time professionals.

To address the workforce problem, the report recommended that more states outsource certain cyber functions, such as threat monitoring and risk assessments, and create internships and apprenticeship programs with colleges and universities.

Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.

Jenni Bergal

Jenni Bergal covers transportation, infrastructure and cybersecurity for Stateline. She has been a reporter at Kaiser and the Center for Public Integrity.