Inside the 2026 NASCIO-Deloitte Cybersecurity Study with Meredith Ward Artwork

NASCIO Voices

A podcast from the National Association of State Chief Information Officers (NASCIO). Amy Glasscock and Alex Whitaker interview guests (state CIOs, NASCIO members, strategic partners and colleagues) to get their unique stories and perspectives on state information technology, leadership and lessons learned.

All Episodes

NASCIO Voices

Inside the 2026 NASCIO-Deloitte Cybersecurity Study with Meredith Ward

May 20, 2026 • Jp92NMZzH6q0DGJS6X3f • Episode 166

0:00 | 18:21

In this episode of NASCIO Voices, hosts Amy Glasscock and Alex Whitaker sit down with NASCIO Deputy Executive Director Meredith Ward to unpack the newly released 2026 NASCIO-Deloitte Cybersecurity Study. Meredith walks through key findings. The conversation explores the growing pressure on CISOs to do more with less amid flat or shrinking budgets, the urgent need for whole-of-state cybersecurity collaboration that extends beyond state government to local governments, K–12, higher ed and public health entities, and why measuring cybersecurity effectiveness has become a top priority. Meredith also makes a plug for reauthorizing the State and Local Cybersecurity Grant Program before the episode wraps up with a lightning round covering dream jobs, language-learning aspirations, and an enthusiastic endorsement of countertop composters.

Amy Glasscock 0:05

Hi, and welcome to Nassio Voices, where we talk all things state IT. I'm Amy Glasscock in Lexington, Kentucky.

Alex Whitaker 0:11

And I'm Alex Whittaker in Washington, D.C. Today we're joined by NASCIO's Deputy Executive Director and Cybersecurity Guru, Meredith Ward, to tell us about the newly released 2026 NASCIO Deloitte Cybersecurity Study.

Amy Glasscock 0:23

The biannual study was released just a couple of weeks ago at our mid-year conference, and we just weren't done talking about it. So, Meredith, welcome back to NASCIO Voices.

Meredith Ward 0:31

Hey y'all, thanks for having me. And I'll say for those of you who do not adjust your speakers, it is allergy season in Kentucky, and I sound a little different, but that's all right. Everything's blooming. That's all right. But thanks y'all for inviting me back. Yeah, happy to have you.

Amy Glasscock 0:45

And definitely understand your allergy woes. My my season's pretty much wrapped up now, but for others it's just getting started. So it depends on which trees are your enemies.

Alex Whitaker 0:55

Uh-huh.

Meredith Ward 0:56

Yes, although I do love trees and I refuse to not go outside. So I know. What are you gonna do? Pharmaceuticals for the win. I know.

Amy Glasscock 1:03

All right, so Meredith, first of all, tell us what the NASCIO-Deloitte Cybersecurity Study is and why it dropped in the spring instead of the fall.

Meredith Ward 1:12

So since 2010, NASCIO has partnered with Deloitte on doing a survey of state CISOs. We do it every other year. And so the point we're trying to understand the cyber landscape across state government, where CISOs are, what their priorities are, things like that. So this year we had all 50 states and two territories respond, which I'm pretty proud of. And yeah, Amy, you're right. We normally have debuted the study at NASCIO's annual conference, but it can get pretty busy. We also have the CIO survey every single year. So I wanted to change it to mid-year so it can get a little bit more starshine.

Alex Whitaker 1:49

So one of the biggest findings in this year's study was the sharp drop in CISO's confidence in their ability to protect state systems. What do you think is driving that change?

Meredith Ward 1:58

Oh, Alex, it seems like that's the only headline that I've read in the days since we've released the study. And I promise it's not all doom and gloom, but there is some doom, both doom and gloom. So a couple of things that come to mind, every state CISO, their job is like playing whack-a-mole. And if there's anyone else from the 1900s listening, you know what that is. If you played whack-a-mole back in the day, it can also be compared to Angry Dodgeball every single day. They're constantly, they have new things thrown at them. It's high stakes, it's high pressure. So with increasing AI-enabled threats, an increase in worries about critical infrastructure and what their role is, funding being reduced or staying the same, it's it's a lot, to put it mildly. Yeah.

Alex Whitaker 2:45

So AI does show up a lot throughout the report as both a threat and an opportunity. So I'm wondering how are state CIOs, sorry, state CISOs thinking differently about AI in 2026 compared to even two years ago, or maybe in our case, even two months ago. How's the how's how have things evolved?

Meredith Ward 3:01

Right. It's every single day. What's the new thing? So I will start with some good news since I talked about doom and gloom earlier. So good news is 94% of state CISOs are actively involved with the development of Gen AI security policies, 84% Gen AI strategy development, and 84% in use case review. So that's pretty good. And we also know CISOs have been using regular old AI, traditional AI, I think is what Amy calls it, for years in cyber operations. But we now know that nearly all are or they're planning to use Gen AI to enhance cyber operations. Obviously, that's been a big topic of discussion this week and last. And the other thing that we know, the majority of CISOs are responsible for protection from AI-based external threats, and they're also responsible for use by use of AI by public employees or state employees. So what that really tells me is that states know that CISOs need to be involved, they need to be at the table, which is good, but have to weigh that out with some bad news. And this is where a lot of the headlines have come from. Not just this, but a lot. But so when we asked CISOs about the confidence in dealing with AI-enabled threats, 49% said they are only somewhat confident, 33% said they're not very confident, and 8% said not confident at all. No dice. So we only had 10% that said they were very confident. And I think those that 10%, I think I can speak for the CISOs. Please share your secrets. Not publicly, but share it with your fellow CISOs. So I don't want to say the sky is falling, but I think there's so much apprehension because again, like we talked about earlier, nobody knows what new technology hell SISOs will face tomorrow. As soon as someone comes up with a tool intended to be used for good, somebody somewhere finds some way to use it for bad. And I think that's what they deal with every single day.

Amy Glasscock 5:03

We've been talking, you know, as you mentioned a lot about that, like around mythos, like great opportunity to find cybersecurity vulnerabilities, but that goes both ways. Exactly. It's a threat and an opportunity.

Meredith Ward 5:14

Yeah, exactly.

Amy Glasscock 5:16

So this idea of whole of state cybersecurity really stood out to me in the study. And first of all, can you please define the term for us? Because I feel like sometimes people are throwing it around, possibly inaccurately. But also, what does whole of state cybersecurity actually look like in practice and why are more states moving in that direction?

Meredith Ward 5:33

Yeah, absolutely. So basic, whole of state is a concept based on the idea that cyber is everyone's responsibility. And I know the two of you all have heard me say that when I'm out speaking and things like that. It's basically the states providing support to entities outside the government through information sharing, assistance. It's not always financial support. It is we're getting together and talking about these things. The other entities could include local governments, critical infrastructure. That would be like special water districts, power grid, things like that, K-12, higher ed, private entities, public health, like hospitals. We've heard a lot in the last little bit about hospitals being attacked. I promise I will not talk about the pit like I did at the session at Comfort. I love the show. See, I know. That's what I did. But anyway, so it's everybody is united to work together towards strengthening cyber, everybody within the state. So again, the bad actors, they don't care about state, county, city, jurisdiction borders. So we all have to work together. So what the survey found about a whole of state that states are in different places on this issue. And we all know NASCIO, we say all the time, if you've seen one state, you've seen one state. But there's a good portion of states are moving aggressively towards greater state support. Others are still focusing on state information assets and exploring and exploring possibilities. And this has been I get asked this question a lot, and it especially when we were talking years ago and we just called this state and local collaboration. Does the state have the funding to do this? Do they have the authority? Because as everybody knows, most states are home rule. The state can't come in and say, all right, we're taking over your infrastructure, local government. They just don't have the authority to do that. So, but I feel like a broken record, but I tell CISOs and states this all the time, and it's not really CISOs who need convincing, but you don't need authority to send a message, introduce yourself, build a relationship. That's the first step. So it's when something goes wrong that folks know who to reach out to and who they can ask for help. So I know the state and local cyber grant has greatly improved some whole estate capabilities. We obviously hope it continues. States have made some good progress with local government, but there's a lot of work to be done. So a plug for continuation of the grant.

Amy Glasscock 8:03

Yeah, absolutely.

Alex Whitaker 8:05

And that that plug was unscripted too for the record, but that was just organic.

Meredith Ward 8:10

I didn't ask her to do that. Yeah, she just he just Venmoed me 20 bucks for the grant program.

Amy Glasscock 8:15

Yeah, that's right. I'll have to pitch in. I guess it comes out of our taxes. But anyway, that's true. All right, so in in looking at the rapport, there seems to be a growing concern too about local governments and higher education becoming weak points in the broader cybersecurity ecosystem, which goes back to what you were just talking about. When it does come if we could just be a little more specific about local governments and higher ed, what are CISOs most worried about there?

Meredith Ward 8:38

Yeah, and I apologize to everyone. This is a little bit more doom and gloom. But so the big sticking factor here, CISOs aren't very confident in the cyber practices of local governments. In fact, there was no CISO that said they are very confident in the practices of local governments. So this stems a lot from what we were talking about a bit ago with the whole of state. State CISOs know that local governments are struggling and they need assistance. If you think about it, I think there's about 20,000 cities, towns, villages, local governments in this country. The overwhelming majority, I think it's three-quarters, have a population of less than 5,000. So they may not have a CIO, definitely don't have a CISO, they don't have the funding to fight all of these threats and things that are being thrown at them on a daily basis. Something that I've said for years, it could be the same person who's out mowing the lawn is also setting up your laptop. That's just the nature of local government in these small places. So but again, like I said before, the bad actors don't care what city, town, village, state, hauler you're from. If any northerners need to know what a hauler is, by the way, just shoot me an email. But anyway, no bad actor says, Oh, well, this is the county line. I'll just I'll stop attacking right here. I'm done. Nobody says that. So the state sysos no, if one is attacked, others are likely to as well. The state is likely to get attacked. And again, it's that mentality of whole estate, we're all in this together. Yeah.

Alex Whitaker 10:06

Got it. So one thing that really surprised me was that measuring cybersecurity effectiveness became a top priority this year. So why are CISOs putting so much emphasis on metrics right now?

Meredith Ward 10:16

Well, Alex, I'm glad you asked because I think that can be tied back to the budget data. So in the report, we talk a little bit about budgets. Some have stayed the same, some have gone down. Very few have seen an increase, and that is cybersecurity budgets as part of overall IT budgets, is how we kind of measure that. So CISOs are really having to prove every dollar that they have has been allotted and that has been put to good use. This isn't just on their state legislature or administrators, whatever, it's for Congress. And I think now is a great time to restate how much we support reauthorizing the state and local cyber grant.

Alex Whitaker 10:56

Can never do it too many times.

Meredith Ward 10:58

You can never you can't ever. But I think it's also proving to local governments from the state and the private sector, this is what CISOs have been preaching. It's working. It's kind of like, all right, if we work together, we're gonna we're gonna make some things work. So I believe the proof, as they say, is in the pudding.

Alex Whitaker 11:16

Mm-hmm. Right. And the report paints a pretty tough picture around budgets and workforce challenges, and at the same time, though, threats are getting even more sophisticated, which is something we see really on a weekly basis. So are SISOs feeling like they're being asked to do more with less?

Meredith Ward 11:31

Oh, Alex, that's funny. I think that if you asked Gen AI program to create a picture of a state CISO, that saying might be what's on their t-shirts, doing more with less. I think that's how state governments operate, certainly how CISOs operate. They're not in public service for the fame and fortune. And like I said earlier, they're dedicated public service servants. So a big part of their mission, it's doing what's right. I've heard CISOs say that all the time when people say, Why is this our responsibility to do XYZ? And you'll hear state CISO go, because it's the right thing to do. But again, they can't do it alone. It's so incredibly important. They need support from elected and appointed officials and obviously funding to do their job effectively. As I said earlier, cyber is everyone's responsibility. We need all hands on deck. So that's the thing about cyber. Again, I get asked this anytime I brief or testify in a state legislature. It's like, when are we gonna be done funding cyber? And I say, like, never, you know? And that's daunting. Of course it is. I think that goes back to why it's so challenging to be a state CISO, because it's what are we gonna wake up to today? So cyber has to be, it's a toolbox. You don't just have one thing that's gonna solve all your problems. It's every single day trying to fight and be prepared for what's coming around the corner, even though sometimes it's absolutely impossible because folks aren't psychics. If you are a psychic and you're in cyber, let me know because I think that'd be an interesting interview to do. Yeah, that'd actually be really interesting. For this podcast. Yeah. So it could be it's a niche. Well, I think we know the answer to that, but it's a niche topic for the pod. Yeah.

Amy Glasscock 13:12

On the doing less, doing more with less, that was also a big theme that came out of the chief privacy officer survey this year, too. So, like you said, across government, that's a tough challenge right now, and probably has been for a while. Yeah. Yeah. So, Meredith, it's always so interesting to hear how things are shifting and changing every two years in the world of the state, CISO. So thank you so much for that overview. And I encourage everyone to go check it out on our website, nascio.org uh at the resource center. Very easy to find. But now, Meredith, the segment that everyone really wants to hear. The lightning round. Are you ready?

Meredith Ward 13:51

Oh, sound effect. There's just a really good sound effect. Yep, I love it.

Alex Whitaker 13:56

So if you were not deputy executive director of NASCIO, your actual dream job, what would your secret dream dream job be?

Meredith Ward 14:03

My dream job is getting to work with the two of you every single day. All right, just kidding. Um, I appreciate that. That's right. We do have an excellent NASCIO team, though, y'all. So if I didn't have to worry about money, I would play in the dirt and be a farmer. So it's like in share in clueless, you're like a farmer. No, wait, it wasn't her, it was the other one. I digress. Anyway. So you guys know, I think I come from a long line of farmers in my family, and it's tough work. It's hard to make ends meet. Ends meet, excuse me, but as my husband will tell you, working in the garden is one of my favorite things. I have some snazzy gardening overalls. So yeah, if you're lucky, I might take a picture and show you. But it's my favorite thing.

Alex Whitaker 14:47

My wife won't let me buy overalls. I really want to.

Amy Glasscock 14:50

Oh, I just got some for my birthday for my working around the house projects. So love it.

Meredith Ward 14:55

They're so good. Yeah. Yeah. My best friend tries to ban them, and I was like, nope, no, Amanda, I will wear these. Thank you.

Amy Glasscock 15:02

If you're working hard, ain't nobody got time for a waistband. Thank you.

Meredith Ward 15:06

Yeah. Also, Amy, will you please send this episode to Amanda and tell her she's now been put on notice that we can wear overballs. Okay.

Amy Glasscock 15:13

All right. Second question. If you could instantly master one skill, what would it be?

Meredith Ward 15:18

Well, I think since we're about to go on vacation next week, what's on my mind is learning another language really quickly. So it's so cool to me. There's so many people in this world who know more than one language. I can speak Spanish enough to get through a Spanish-speaking country, if that makes sense. But I'm not conversational. I miss a lot of stuff. It's literally where is bathroom? Yeah. And I can do that. But this is so random. So I don't know if y'all remember there was a 1990s movie called Phenomenon with John Travolta. So he gets struck by lightning, something like that, and he's a genius for four days. He learns these new languages, languages in a matter of hours. And it's super cool. And I remember seeing that when I was a kid, and I was like, oh man, that'd be so cool. Unfortunately, it turns out, spoiler alert, he had a brain tumor. Yeah, you get the point.

Alex Whitaker 16:08

Was wondering if you were gonna follow up with how that movie ended.

Meredith Ward 16:11

Yeah. So let's let's be realistic, but let's if we can dream. That's what she, you know. You asked me if I had magic, what would I do? Yeah. I like that language, yeah.

unknown 16:20

Yeah.

Alex Whitaker 16:21

I actually think about that movie a lot. I think it was one of the first movies I saw in theaters. So interesting.

Meredith Ward 16:26

And Forrest Whitaker's in it. You can't go wrong.

Alex Whitaker 16:28

Yeah. Alright, so is there an app, gadget, or tool that you've discovered recently that you're obsessed with?

Meredith Ward 16:34

So I recently got. If my husband can hear me, he's gonna roll his eyes. He's so over this, but I got a countertop automated electric composter. So as previously mentioned, I love to garden. And if anybody else out there gardens good compost is so good. I love going out to the garden, getting fresh veggies, blah, blah, blah. So I kind of said at the beginning of this year, I don't do resolutions because I think they're just kind of BS, but I did say I want to try and cut down on waste. So this is one way that we're doing this at my house. You just put your food waste in there and turn it on, and it's amazing. Then you have a couple hours later, you have compost. So I am available to come back on the pod to talk about composting, John Travolta 90s movies, and cybersecurity. Also procurement. Yeah. Any other topics that I missed? True crime. Didn't talk too much about it. I didn't mention it until now. Yeah. And I I deserve a six for that.

Amy Glasscock 17:31

So before we start a recording, we did talk about people stealing our identities. So that's some crime there.

Meredith Ward 17:36

Y'all, that is terrifying. I can't believe you can steal kids' identities. That's terrible. Yeah. Anyway.

Amy Glasscock 17:43

All right, Meredith. Well, that is our time. And I know you are busy and headed out on vacation soon. So we will let you go. But thanks so much for sharing the survey with us. And again, we'll put a link in the show notes and encourage everybody to read it.

Meredith Ward 17:55

Absolutely. And you did not want me to talk more about gardening or compost. That's okay.

Amy Glasscock 17:59

We're good.

Meredith Ward 18:00

Okay. All right.

Alex Whitaker 18:01

So that one that's behind the paywall. Thanks again for listening to NASCIO Voices. NASCIO Voices is a production of the National Association of State Chief Information Officers. Learn more at NASCIO.org.

Amy Glasscock 18:11

We'll be back in two weeks. Don't forget to check out the cyber study on the NASCIO Resource Center, along with lots of other great NASCIO reports.