Is There a Relationship Between Cyber Incidents and Security Spending?

Building on data released in February 2015 in OMB’s annual Federal Information Security Management Act (FISMA) report to Congress, the GAO released its own report: Cyber Threats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies.  

In the report, GAO highlights the continued increase in cybersecurity incidents reported by federal agencies to the US Computer Emergency Readiness Team (US-CERT). From FY 2006 to FY 2014 federal agencies reported an increased in information security incidents from 5,503 in FY 2006 to 67,168 in FY 2014, which is an increase of 1,121 percent. (See chart below.)

Among the fastest growing areas of concern that GAO highlighted is the number of reported security incidents involving Personally Identifiable Information (PII). According to GAO, PII-compromising incidents at federal agencies have more than doubled in the last six years, growing from 10,481 incidents in FY 2009 to 27,624 incidents in FY 2014. While the report mentions the recently publicized OPM data breaches it notes that those breaches are still under investigation.

Total IT and IT Security Spending

For comparison, I thought I would look at some data around total federal IT spending and total reported information security spending from OMB. The total IT budget spending is readily available in the annual IT budget requests over the last few years. Historically, federal IT security spending data has not been so transparent and it requires multiple sources to patch together a picture, including several recent FISMA reports as well as data from the IT Security Line of Business (LoB) when it was last released under the Bush Administration.

The resulting picture is one where actual IT budgets have increased slightly (and at a lower compound annual growth rate (CAGR) than the White House has requested) whereas IT security spending has grown much more rapidly. While total actual IT has grown over the six years from FY 2008 to FY 2014 at a CAGR of 2.1%, direct IT security spending has grown at a CAGR of 12.7%. (See chart below.)

What is interesting in this data is to look at the relative relationship between the total IT spend and the total cybersecurity spend, i.e. the percentage of Actual IT that is IT Security, or cybersecurity. Early in the period, in FY 2010, the relative proportion of cybersecurity spending jumped from 9% to nearly 15%, at the same time that total IT jumped from $73 billion to $80 billion. So they moved in tandem. Yet, as total IT softened in FY 2011 and FY 2012 the cyber proportion continued to grow, accounting for nearly 20% of total IT spending in FY 2012. That’s no small increase.

Since FY 2012, the relationship between the two has been a bit less consistent, but the relative proportion of cybersecurity has remained between 14% and 16% in FY 2013 and FY 2014 – right when we have seen a major uptick in the number of reported incidents at federal agencies. It seems reasonable to conclude that this uptick in reported incidents reflects an improvement among agencies at detecting cyber incidents. Yet, it is during this period when some of the most devastating breaches have come to light. Does this mean, for all the spending, that agencies can detect incidents better than they can prevent or mitigate them? If so, will continued strong spending on cyber capabilities produce marked improvements in prevention and mitigation resulting in a reduction in total incidents? Let’s hope so.

Either way, if a relative 14-16% of total IT is a stable benchmark for what federal agencies will continue to spend on their cybersecurity, then one thing is clear: cybersecurity will continue to be one of the few major growth areas in federal IT for years to come.