Cybersecurity, Public sector

This week at the 2026 NASCIO Midyear Conference, I had the opportunity to sit in the room when the 2026 NASCIO-Deloitte Cybersecurity Study dropped. The energy was palpable—not because the findings were surprising, but because they were validating in the most uncomfortable way possible.

State CISOs are under siege. And they know it.

The Confidence Crisis Nobody Wants to Talk About

The headline number from this year’s study should give everyone in this industry pause: only 22% of state CISOs described themselves as “extremely” or “very confident” that their state’s information assets are protected from cyber threats. In 2022, that number was 48%.

Let that sink in. Over four years, during which billions of dollars have been poured into cybersecurity tooling, workforce programs, and frameworks, confidence has been cut by more than half.

I spent time on the conference floor talking to CISOs about this. The conversation wasn’t doom and gloom—these are pragmatic, mission-driven people. But there was a consistent thread: “We have the tools. We have the frameworks. We just can’t connect them fast enough to matter.”

That’s not a procurement problem. That’s a systems problem.

Speed Has Changed. Our Defenses Haven’t Caught Up.

One of the most striking quotes in the report came from a CISO, who said, simply, that AI is accelerating attacks “at a blistering pace.” Multiple CISOs echoed this—adversaries are using AI to craft targeted phishing at scale, automate exploitation, and probe for weaknesses faster than manual processes can respond.

The scale is staggering. Dataminr’s 2026 Cyber Threat Landscape Report, released in February, quantified this acceleration: threat actor activity surged 225% in 2025, with average monthly alerts jumping from 1,490 to 4,840. We’re not just seeing more threats—we’re seeing a fundamentally different operating tempo.

Here’s what struck me: the same CISOs describing AI as their biggest threat were also describing AI as their most promising defense capability. Nearly every state is already using or planning to use generative AI in their security operations—in SIEM and SOAR programs, for automated alert triage and threat modeling. One CISO put it plainly: “We can no longer wait for approval from an entity to take action.”

That’s a fundamental shift in posture. It’s a recognition that human-speed response is no longer adequate in an AI-speed threat environment. The organizations that are figuring out how to automate early—not just respond automatically, but understand and contextualize threats automatically—are the ones who will keep pace. Everyone else is playing catch-up.

Third-Party Risk: The Attack Vector That Keeps Growing

One data point from the 2026 NASCIO-Deloitte Cybersecurity Study that deserves more attention: concern over third-party security breaches has jumped from 44% in 2022 to 78% in 2026. That’s the single largest increase of any threat vector tracked in the report.

This aligns with what we’re seeing in real-time intelligence. Dataminr tracked over 2 million domain impersonation incidents in 2025 alone—that’s not random opportunism, that’s industrial-scale targeting of trusted relationships. When one in four modern breaches now involves exploiting a third-party vulnerability, we’re not talking about edge cases anymore.

This makes sense. State government systems are deeply interconnected—a state benefits platform administered at the county level, a health system that touches both state agencies and local hospitals, critical infrastructure that crosses jurisdictional lines. When a vendor, contractor, or downstream partner is compromised, the blast radius extends in ways that are hard to anticipate and even harder to detect early.

The problem is that third-party risk, by definition, lives outside your perimeter. You can’t monitor what you don’t have visibility into. The signals that something is wrong often emerge in public channels—dark web forums, paste sites, underground chatter—well before a formal disclosure ever reaches your team. By the time an advisory lands in your inbox, the window to act proactively has often already closed.

And the attack methods are evolving rapidly. Nearly 30% of intrusions now involve valid credentials—attackers aren’t breaking in, they’re logging in. The Dataminr report tracked an 84% rise in infostealer malware in 2025, much of it delivered through AI-enhanced social engineering that’s increasingly difficult to distinguish from legitimate communications.

This is one of the places where early, broad-based threat intelligence—the kind that monitors external signals continuously and at scale—changes the equation. Not as a nice-to-have, but as a core operational necessity.

The financial stakes make this crystal clear. While ransomware volumes stabilized in 2025, single-incident losses grew dramatically—we’re now seeing clusters of events in the $100 million to $1 billion range. These aren’t just “incidents” anymore; they’re events that change the financial trajectory of entire organizations.

The Whole-of-State Problem: Scale With No New Resources

The study showed that roughly one-fifth of states are actively advancing a whole-of-state cybersecurity approach—extending state SOC capabilities to local governments, K-12 systems, and critical infrastructure. Not a single CISO reported being “very confident” in local governments’ cyber practices.

This is where the resource crunch becomes most acute. States are being asked to extend protection downward—to county governments, school districts, and municipalities that have no dedicated security staff—with budgets that are, in many cases, flat or declining. Only 22% of CISOs reported budget increases of 6% or more, down from 40% in 2024. And for the first time in this study’s history, 16% reported outright budget reductions.

The math doesn’t work if you’re thinking about whole-of-state as a headcount problem. It only works if intelligence and operations scale in ways that don’t require linear investment—where early signals are detected, contextualized, and routed automatically to the right place, without requiring an analyst in every county seat. That’s not a futuristic vision. That’s what several forward-leaning states are beginning to build. And it requires thinking differently about what a SOC is and what it can automate.

What the Study Didn’t Say—But Should Have

The study’s five themes are well-framed: a more complex threat landscape, the need to modernize tools, the expansion of whole-of-state approaches, the evolving CISO role, and resource constraints. All accurate. But there’s a connective thread running through all five that the study doesn’t name directly: the gap between signal and decision.

My colleague Jerry Caponera, Dataminr SVP of Risk and Threat Exposure Management, recently captured this shift perfectly: “The future of cybersecurity will not be defined by how fast we respond to attacks, but by how effectively we prevent them from succeeding in the first place.” That’s exactly what state CISOs are grappling with—the transition from reactive response to predictive defense. I encourage those interested to read his blog post, Reframing Cyber Risk, Part 1: The Shift from Reactive Security to Predictive Defense.

State CISOs have access to threat feeds. They have SIEM platforms. They have frameworks like NIST and CIS. What they consistently lack is a system that takes early signals, contextualizes them against their specific environment, and surfaces decisions—not just alerts—in time to act.

Every CISO I spoke with at NASCIO could articulate this gap in their own words. The ones who are making progress are the ones who have started treating this not as a tooling gap, but as an architecture gap. The question isn’t “Do we have the right data?” It’s “Does our system translate that data into the right decisions, automatically, before the window closes?”

Why This Moment Matters

NASCIO releases this study every two years. This edition is notable not just for the numbers, but for its tone. There’s a clarity of urgency that didn’t exist in prior editions—a recognition that the old model of waiting for threats to announce themselves and then responding is no longer viable.

State CISOs are smart, mission-driven leaders operating under real constraints. They don’t need more dashboards or frameworks. They need systems that close the loop and connect the earliest available signal to contextual understanding to decisive action, faster than adversaries can move.

Here’s the question I’d leave every state CISO with after reading this report: When the next third-party breach surfaces, or the next AI-accelerated ransomware campaign begins forming in the chatter—will your program know about it while there’s still time to act? Or will you find out the same way 57% of organizations did in 2024—from a hacker or a researcher, after the fact?

The window is closing fast. Dataminr’s analysis of 43+ terabytes of daily data from over a million sources shows threats forming and evolving in real time—but only if you’re monitoring at that scale. Manual processes can’t keep pace with adversaries operating at machine speed.

That gap—between signal and decision—is exactly what Dataminr for Cyber Defense is designed to close. I’d welcome the conversation.

Author
Tim Miller, Global Field CTO & Chief Cybersecurity Strategist
April 30, 2026