Fundamental security practices, such as continuous monitoring of networks, do not exist “constantly between state and local governments,” Subramanian said. In the absence of such control, states often rely on private security companies and others to alert them to an ongoing violation or attack, he said.
One of the reasons for the disparity in security practices between state governments and private companies or federal agencies is states' low spending on cybersecurity, Subramanian said.
The Deloitte-NASCIO report found that states spend an average of 3 percent of their information technology budget on cybersecurity, compared with financial services companies, which spend about 11 percent, or the U.S. Treasury, which spends about 14 percent of its global technology budget on cybersecurity.
The report also found that in 10 percent of states, each agency operated its own budget and cybersecurity strategy with only rough guidance from the state's head of information. Another 40 percent of states followed a so-called federated model, with the state's highest official setting the policy and providing some centralized services, while the rest is managed by individual agencies.
The Deloitte-NASCIO study, which surveyed information security officers in 51 states and territories, found that respondents preferred a centralized model, with the head of all cybersecurity services.