Cyber security will require funding for creating the necessary capabilities that include tools and training for cyber security. However, cyber security must be “baked into” every project, program and management initiative – and not be an administrative afterthought. Cyber security must be understood as an inherent cost of doing business and must be a component of every budget.
A direct correlation can be seen between having an established strategy and obtaining more full-time equivalents (FTEs) dedicated to cybersecurity, as well as year-over-year budget increases (figure 7). For example, 11 out of 33 states that have an approved strategy reported they have more than 15 FTEs dedicated to cybersecurity, and 16 out of 33 states with an approved strategy reported they had an increase in budget. An approved and proactively communicated strategy can also help CISOs overcome another barrier: “lack of visibility and influence in the enterprise,” an ongoing challenge in the largely federated governance model in state government.