How State Governments Can Navigate the Resource Crunch and Achieve Resiliency
The 2026 NASCIO-Deloitte Cybersecurity Study reveals a stark reality for CISOs in state governments: while cyber threats are growing in both sophistication and volume, the resources available to combat them are failing to keep pace. As foreign adversaries and cybercriminals weaponize AI to probe for vulnerabilities, state CISOs find themselves at a critical juncture, navigating expanding responsibilities amidst tightening budgets.
Confidence is collapsing
The data speaks for itself. In 2022, 48% of state CISOs reported feeling "extremely" or "very confident" they could protect public data. By 2026, that figure fell to just 22%. This erosion of confidence stems from an evolving threat landscape where attacks occur at a "blistering pace," driven by the rapid adoption of AI and agentic AI. Adversaries no longer need to launch sophisticated manual campaigns. They can automate vulnerability discovery, exploitation, and lateral movement at scale.
When CISOs can no longer rely on traditional defenses to maintain confidence, they must shift toward data-driven insights that prioritize the most critical vulnerabilities.
The budget paradox and metrics mandate
The study highlights a troubling resource crunch. For the first time in the survey's history, 16% of CISOs reported outright budget reductions, compared to none in 2024. In parallel, only 22% received budget increases of 6% or more. In 2024, that number was 40%.
CISOs are adapting in response to these shifts. Half of all state CISOs identified implementing security metrics as a top priority for 2025 and 2026. They understand that without quantifiable data on their program's effectiveness and impact, they cannot build a case for investment to state leadership or governors. This shift from fear-based narratives to business-oriented ones gets the attention of budget officials and elected leaders.
CISOs supporting this shift are turning to tools that measure security performance against industry peers, benchmarking their programs, and translating technical progress into business impact.
The “whole-of-state” challenge and third-party risk
The CISO’s purview is no longer confined to state agencies. There is a growing movement toward a "whole-of-state" approach, where state leadership supports the cybersecurity efforts of local governments, public education, and critical infrastructure. This concept has gained momentum as policymakers recognize that these systems depend on one another.
But there's a credibility gap. Sixty-three percent of CISOs are "not very confident" in the cybersecurity capabilities of local governments and public higher education institutions. This low confidence isn't about insulting local leaders. It's about recognizing that smaller jurisdictions often lack the staff, budget, and technical expertise to manage modern threats. One compromise at the local level can provide attackers a beachhead to move laterally into state systems.
Third-party risk compounds this problem. Only 2% of CISOs feel "very confident" in the cybersecurity practices of their contractors and business partners. This interconnectedness means a single breach in a local municipality or a third-party vendor can threaten the entire state ecosystem. Monitoring third-party risk and maintaining visibility into the digital supply chain is critical for any CISO managing a whole-of-state strategy.
AI as both accelerant and tool
AI is identified as both a primary threat and a powerful tool for defense. While CISOs worry about AI-enabled deepfakes and automated system probes, 94% are actively involved in developing generative AI (GenAI) security policies. CISOs are looking to AI to automate routine tasks, such as triaging security alerts and summarizing events, to help their under-staffed teams keep up.
However, the "talent gap" remains a significant barrier. Only 22% of CISOs believe their internal staff possesses the knowledge and skills required to handle current and foreseeable threats. As teams struggle to find and retain skilled professionals, they must rely on technology that augments their existing capabilities and automates complex risk assessments.
Moving toward a future-ready defense
The 2026 NASCIO-Deloitte study is a call to action for state leaders. To be "future-ready," CISOs must overcome the barriers of legacy infrastructure and insufficient funding by adopting frameworks like Zero Trust and prioritizing measurable results. That demands three concrete shifts:
- First, visibility has to become automated and continuous. Legacy point-in-time assessments don't work when threats move at AI speed. CISOs need real-time mapping of their own attack surface and their third-party ecosystem. Bitsight Security Posture Management does this, including continuous discovery and risk prioritization of internal assets. For the whole-of-state challenge, Bitsight Third-Party Risk Management provides continuous monitoring of vendors and local entities, replacing annual questionnaires with real-time threat intelligence and exposure data.
- Second, CISOs need to stop prioritizing everything and start prioritizing ruthlessly. Limited budgets mean trade-offs. The best CISOs rank vulnerabilities by business impact and real-world threat context. This is where risk intelligence—not just vulnerability counts—matters. Bitsight combines external asset discovery with threat context and supply chain intelligence to help CISOs answer the question that matters: "Which exposures will actually harm us?"
- Third, they need to speak in the language of business leaders. Board members and governors care about risk reduction and financial impact, not just security metrics. CISOs who can translate their work into measurable outcomes (e.g., fewer incidents, lower breach likelihood, stronger vendor security) get the resources they need. Bitsight's security ratings and benchmarking capabilities let CISOs show peer comparison and progress over time, making the case for investment in concrete terms.
As the CISO role evolves from a technical guardian to a strategic governor, the need for trusted, independent data has never been greater. By embracing a data-driven approach to risk management, states can build the resiliency needed to safeguard public data in an age of unprecedented threats.