Cybersecurity is such a pressing issue that the U.S. government will be dedicating a growing share of its annual information technology budget to protecting data systems from breaches, hackers and other threats. The number of cybersecurity incidents reported by federal agencies increased from 5,503 in 2006 to 41,776 in 2010, a rise of more than 650 percent, according to a recent report from the Government Accountability Office (GAO).
“Weaknesses in information security policies and practices at 24 major federal agencies continue to place the confidentiality, integrity, and availability of sensitive information and information systems at risk,” the GAO report states.
As a result of the urgency for protecting government information, federal agencies will have little choice about dedicating more funds to cybersecurity. The annual federal information security market is expected to grow from $9.2 billion in fiscal 2011 to $14.0 billion in fiscal 2016, reflecting a compound annual growth rate of 8.8 percent, according to a recent study from government IT consultant Deltek.
“Federal agencies still have a long way to go in providing adequate levels of security,” said John Slye, senior principal analyst at Deltek, the government IT consultancy.
Top spenders will be various defense agencies, where cybersecurity investments will grow from $2.6 billion in 2011 to $4.1 billion in 2016, the Deltek study asserts. In addition, between 2011 and 2016, U.S. Army cybersecurity spending will grow from $399 million to $599 million, while Air Force investments will move from $892 million to $1.3 billion and Navy spending for IT security will grow from $395 million to $587 million.
Civilian agencies will also be devoting substantial funds to cybersecurity, with the Department of Homeland Security increasing its allocation from $497 million in 2011 to $762 million in 2016; the Department of Energy moving from $251 million to $390 million, and Health and Human Services from $244 million to $364 million.
The pace of growth is unlikely to be affected by tight federal budgets, according to the study. Unlike other areas of discretionary spending, cybersecurity remains somewhat immune to budget cuts for the time being, though this trend may soften as agencies achieve efficiencies and ROI on their cybersecurity spending and as downward budget pressures continue.
“We don’t see much crowding out of spending for other IT investments in order for the agencies to boost cybersecurity. The Office of Management and Budget (OMB) is really pushing agencies to invest in IT across the board and some of the efficiencies that generates will help fund security. They may postpone or drop some of the ‘nice to have’ IT components, but we don’t see cybersecurity affecting other IT spending categories,” Slye told CRM Buyer.
Security Funding Comparison
Currently, annual federal spending on cybersecurity amounts to about eight percent of all IT investment, according to a recent report from IDC Government Insights. Benchmarked against other industries, where cybersecurity accounts for 19 percent of IT spending, federal funding seems to be inadequate. While a direct comparison of simple percentages may not indicate weakness per se, given the different objectives of business and government, the difference still appears to be significant.
“Government IT workers often ask me what other agencies and other industries tend to dedicate to IT security. Every time I’ve been asked that question, it has been because the person asking the question had a gut feeling that they were not spending enough on security solutions,” Shawn McCarthy, director of research at IDC Government Insights, told CRM Buyer.
“Government agencies are the top targets for hackers and for general IT break-ins and tampering. Given that they are so highly targeted, their security needs tend to be higher than many other sectors. That’s why the 8 percent level seems low for government facilities,” he said.
On that basis, annual cybersecurity spending should already be about $14 billion, IDC said.
Vendor Approach Must Meet Need
While it is clear that federal spending for cybersecurity will be a strong component of the IT market, vendors should not be complacent about landing contracts. Agencies will be focusing not only on investing more funds in cybersecurity, but also on making sure those investments will work. Also, the security component of IT will move from a stand-alone capability to one which is built into the objective of the IT program.
“Agencies will be requesting a cybersecurity component in their RFPs, even for routine IT services, and vendors will have to respond with comprehensive security capabilities. Security is no longer something vendors can bolt on to their offerings. Security will have to be integrated from the beginning,” Slye said.
For example, security considerations can reach well back into the supply chain, he noted. While security is often associated with software and programming, Slye said that it is also a key factor in hardware. An agency purchasing computers or other IT equipment may want assurance that the chips used in the hardware come from U.S. providers, as a matter of both quality and security.
Deltek recommends that vendors 1) proactively address embedded security concerns during solution development and delivery; 2) address cybersecurity forthrightly in bid proposals, since procurement officials are looking for this element to be clearly defined; and 3) offer continuous, real-time monitoring tools to minimize certification and accreditation (C&A) issues.
“C&A should be made obsolete and irrelevant by achieving effective continuous, real-time monitoring of security,” Deltek said.
In the last year, federal agencies have been directed to increase IT efficiency through data center consolidation. This effort will not only involve efficiency, but also security, Deltek’s Slye noted.
“IT consolidation efforts are being viewed by agencies, in part, as an opportunity to improve the security posture of an agency’s IT infrastructure,” he said.
Security issues will continue to alter the contracting landscape, according to the IDC benchmarking study.
“Government is looking for specific service level agreements (SLAs) for things like cloud services and IT outsourcing. So being able to promise highly secure systems and specific response times for security breaches is a good start,” said McCarthy.
“The demand for reliable, secure cloud services is clear, so a top target should be cloud offerings that have a specific level of promised security. Beyond that, vendors should pay attention to reports coming out of the security committee of the Federal Chief Information Officers Council. These address general issues related to types of security products and federal IT needs,” he said.
The council serves as the clearinghouse for implementing various federal agency IT objectives. The council’s Information Security and Identity Management Committee is charged with facilitating the execution of the Comprehensive National Cybersecurity Initiative.
The GAO report on federal cybersecurity was submitted to several members of Congress who monitor federal information technology issues, including Senator Susan Collins (R-Maine). GAO’s findings “point out too many serious vulnerabilities,” Collins said. “We must fortify the government’s efforts to safeguard its own cyber networks from attack and build a public/private partnership to promote stronger national cybersecurity,” she added.