Cybersecurity feels budget pressures
Even as government budgets continue to get squeezed, agency officials hope to keep making much-needed investment in their cybersecurity efforts, according to a new survey.
The budget battles come at a time when information technology executives are anxious to expand their cybersecurity initiatives.
In the survey, conducted by the 1105 Government Information Group, 71 percent of respondents agreed that cybersecurity demands at their agencies were increasing even as their budgets were decreasing. Only 11 percent disagreed, with 18 percent being neutral. (See chart.)
Training is often one of the first places agencies look to slash spending. In this case, that could be especially troubling, because agencies are being told by their inspectors general, the Government Accountability Office and the White House that they need to strengthen their cybersecurity workforce.
But so far, the results are mixed. Forty-two percent of respondents said their training budgets have been reduced, 19 percent said their IT budgets have been reduced (training excluded) and 35 percent said they have seen minimal impact.
Still, the majority of respondents expect to maintain (49 percent) or even increase (31 percent) their cybersecurity investments in the next year. Only 20 percent said they expect their budgets to decrease.
In any case, ongoing budget pressures are likely to change how IT managers shop for cybersecurity products, said Jeff Wilson, principal analyst for security at Infonetics Research, a market research and consulting firm.
“Customers are tired of investing in solutions that don’t really improve their security posture and are looking to make changes,” Wilson said in a recent report. Across the board, Infonetics anticipates an extreme focus on efficacy, with particular interest in products with unified threat management or next-generation firewall features.
To help agencies save money on cybersecurity technology, the Obama administration established a series of Situational Awareness and Incident Response blanket purchase agreements. They offer volume discounts off pricing available through General Services Administration schedules. The administration estimates that in fiscal 2012, agencies realized $14 million in cost avoidance.
That said, technology accounts for only 5 percent of cybersecurity budgeting, compared to 90 percent for personnel, according to the Obama administration’s fiscal 2012 report to Congress on the implementation of the Federal Information Security Management Act of 2002. Of the remaining cybersecurity money, 3 percent goes toward risk management activities and 1 percent each to testing and training.
Although the personnel costs are essentially fixed, administration officials believe that agencies can get more for the money they spend on staffing.
“Making the IT security workforce more productive, more capable and more collaborative offers one of the most significant opportunities for even more cost-effective IT security spending,” the FISMA report states. “This workforce-enabling strategy requires going beyond technical trainings to include process improvement, innovation encouragement, collaboration mechanisms and accountability structures.”
According to the report, the federal government has more than 90,000 full-time equivalent positions with major responsibilities in information security. However, a third of these are contractor positions. “IT security has consistently been a functional area that depends on talent and technical expertise from industry and commercial sources,” the report states.