Key Takeaways
- Confidence among state CISOs in stopping and recovering from cyber attacks has fallen sharply, with only 22 % feeling “extremely” or “very confident” in 2026 versus 48 % in 2022.
- Budget pressures are intensifying: just 22 % of CISOs reported a ≥6 % budget increase in 2026, down from 40 % in 2024, while 16 % faced cuts.
- Many states are moving toward a whole‑of‑state cybersecurity model to bolster local governments, public education, and critical infrastructure.
- AI initiatives are proliferating, but CISOs are simultaneously grappling with AI‑driven threats and the need to develop generative‑AI security policies (94 % are involved).
- Legacy infrastructure, threat sophistication, and insufficient funding remain the top three barriers to meeting cybersecurity goals.
Opening Quote and Context
The oft‑cited line from Charles Dickens—“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness”—aptly captures the contradictory mood surrounding state government technology and cybersecurity in mid‑2026. Attending the NASCIO Midyear Conference and networking with chief information officers (CIOs) and chief information security officers (CISOs) revealed a widening gap in optimism: some leaders feel empowered by new resources, while others wrestle with eroding confidence in their ability to thwart and recover from cyber incidents. This tension set the tone for the discussions that followed.
Observations from State CIO/CISO Meetings
Conversations with state technology leaders highlighted a common refrain: gubernatorial support remains strong, yet measuring cyber success proves elusive. Leaders cited ambitions to shrink incident‑response times from six days to mere ten minutes, a goal that underscores both aspiration and the pressure to demonstrate rapid improvement. Simultaneously, anxiety over a “double‑bubble” scenario—paying for legacy tools while adopting new ones—dominated budget talks. The desire to avoid duplicative spending forced many to weigh the merits of retiring outdated solutions against the risks of prematurely discarding investments that still provide value.
Cyber Command Funding and Budget Realities
Texas emerged as a standout example of proactive investment, having launched a well‑funded Cyber Command organization that centralizes threat intelligence, incident response, and workforce development. In stark contrast, numerous states reported sweeping budget cuts across the board, with agencies refraining from backfilling vacancies and tightening belts to showcase hard cost savings. The disparity between well‑resourced states and those facing austerity underscores a growing inequity in cyber readiness, prompting calls for more equitable funding mechanisms or shared‑service models.
SLCGP Grants, MS‑ISAC, and Whole‑of‑State Approaches
Leaders expressed hope that the State and Local Cybersecurity Grant Program (SLCGP) would be renewed, viewing it as a lifeline for shoring up defenses in under‑funded jurisdictions. Parallel discussions centered on the Multi‑State Information Sharing and Analysis Center (MS‑ISAC), with many anticipating a late‑June blog detailing next steps for the consortium. A notable trend emerged: roughly one‑fifth of CISOs indicated their states are pursuing a whole‑of‑state cybersecurity strategy, aiming to extend centralized support to local governments, public higher education, and critical infrastructure sectors that historically lag in security maturity.
Ransomware Incidents and Local Government Impact
The conference underscored the persistent menace of ransomware. One state disclosed having weathered three separate ransomware attacks affecting local entities within just a few months, highlighting the vulnerability of municipal networks that often lack mature patch‑management and backup regimes. These incidents reinforced the urgency of the whole‑of‑state push, as state CISOs recognize that strengthening local resilience is essential to protecting statewide data assets and maintaining public trust.
AI Projects, Outcome‑Focused Approach, and Governance
Artificial intelligence dominated the agenda, with nearly every state reporting active AI projects. Rather than pursuing technology for its own sake, CISOs described an outcome‑focused methodology: they seek measurable downstream impacts, such as improved threat detection, automated response, or enhanced citizen services, and rigorously evaluate how AI tools integrate with or replace existing systems. AI governance rose to the forefront of concerns, as leaders strive to balance innovation with risk management, ensuring that models are transparent, unbiased, and compliant with emerging regulatory frameworks.
Anthropic’s Project Glasswing and Claude Mythos Discussions
Specific AI developments sparked intense dialogue, notably Anthropic’s Project Glasswing and the Claude Mythos model. Participants debated how these advanced generative‑AI systems could serve as both potent defensive tools—offering sophisticated anomaly detection and automated policy generation—and novel threat vectors, capable of crafting convincing phishing lures or deep‑fake social‑engineering attacks. The dual nature of such technologies reinforced the consensus that CISOs must actively shape GenAI security policies, a task already underway in 94 % of states surveyed.
NASCIO‑Deloitte Cybersecurity Study – Themes and Findings
The 2026 NASCIO‑Deloitte Cybersecurity Study, drawing on input from all 50 states, the District of Columbia, and the U.S. Virgin Islands, distilled five major themes: (1) confronting an evolving threat landscape where AI is both a risk and a defense asset; (2) getting future‑ready through new tools and regulatory frameworks; (3) embracing whole‑of‑state cybersecurity to support locals and critical sectors; (4) the expanding CISO role driven by AI proliferation and data‑protection imperatives; and (5) grappling with a worsening resource crunch. These themes echoed the on‑ground observations and provided a data‑backed framework for understanding state‑level challenges.
Key Findings on Confidence and Budget
The study’s “bad and ugly” section revealed stark declines in confidence. Only 22 % of CISOs rated themselves as “extremely” or “very confident” in securing public data in 2026, down from 48 % in 2022. Confidence in local government and public higher education plummeted similarly, with “not very confident” responses rising from 35 % to 63 % over the same period. Financially, the picture darkened: just 22 % of CISOs reported a budget increase of six percent or more (versus 40 % in 2024), while 16 % faced budget reductions—an alarming shift from zero cuts two years prior.
Barriers to Progress
When asked about impediments, CISOs ranked legacy infrastructure, increasingly sophisticated threats, and insufficient funding as their top three barriers. Outdated systems hinder the adoption of modern security controls, while threat actors leverage AI‑enhanced tactics that outpace traditional defenses. Concurrently, constrained budgets limit investments in both technology and the skilled workforce needed to operate and manage complex security environments, creating a vicious cycle that erodes overall resilience.
Other Hot Topics at NASCIO Midyear and Closing Outlook
Beyond cybersecurity, the conference buzzed with discussions on cloud migration, digital identity frameworks, and workforce development programs aimed at bridging the cyber‑skills gap. A record‑high 280 corporate members now belong to NASCIO, reflecting broad industry interest in public‑sector solutions, though some warned that sheer volume could dilute focus. Closing on a hopeful note, the author invoked a C.S. Lewis reminder: “You can’t go back and change the beginning, but you can start where you are and change the ending.” This sentiment captured the conference’s dual reality—acknowledging grave challenges while affirming that collective action, informed leadership, and strategic investment can still reshape the trajectory of state government cybersecurity.