DHS Cybersecurity Spending Trends Align with Personnel Challenges

Last week, I looked at the media reports of morale and personnel retention issues at DHS that impact their cybersecurity mission and some legislation that Congress has moved forward that may make it easier for DHS to hire cybersecurity staff in the future. This week I want to look at some of the IT security budget data that underscores the situation at the department – especially how much of DHS’s IT security spending goes toward security personnel verses security software and hardware solutions.

Hard data on what agencies spend on cybersecurity is not usually easy to find and it can vary in its completeness and granularity. However, over the last several years OMB has released varying amounts of IT security budget data as part of their annual Federal Information Security Management Act (FISMA) report submitted to Congress to update them on the progress and challenges agencies are facing. On a few occasions OMB has provided a breakdown of spending by personnel, security tools, training and other areas.

To be sure, the amount that a federal department spends on security personnel compared to their overall IT security spending varies agency by agency and the relative mix of government personnel to contracted personnel also varies. Observing an agency’s total IT security personnel spending vis-à-vis their overall security budget can give a sense of the security landscape at the department. The stability or movement often may be tied to specific priorities at the department. Even if it is not, the mix can give us a sense and hint at what opportunities may exist

DHS IT Security Spending

Based on the last several Federal Information Security Management Act (FISMA) reports released by OMB, DHS’s reported IT Security spend was stable from FY 2010 to FY 2011 and then saw significant yearly increases in FY 2012 and FY 2013. However, over the same period, the amount of money DHS spent on security personnel actually dropped. (See chart below.)  The result is that the relative percentage of total spending that was used for security personnel decreased at an accelerating rate over the period as the two categories moved in opposite directions – total spending increased while personnel spending decreased.

But the story gets even more stark. For FY 2012 DHS reported to OMB that they employed just under 400 IT security government personnel, compared to contracting more than 600 IT security personnel from industry. While this proportion of government-to-contractor personnel itself is not completely unheard of (Treasury, Energy, and NASA have even larger spreads) the fact remains that DHS holds the predominant role in government-wide IT security, consistently receives the largest IT security budget among the civilian agencies, and is one of the most dependent on a contracted workforce to achieve its cyber- mission.

Over the last several years various members of the DHS leadership have made well-publicized comments about the challenges of attracting and retaining cybersecurity personnel. Hence the legislative push in Congress to help them. Yet the spending data suggests that there is growing opportunity at DHS in areas that are not personnel-centric, like cybersecurity solutions that put tools in the hands of the skilled people they have now in order to make them more productive and effective. Evidence for this is that DHS’s spending on IT security tools increased from about $30 million in FY 2010 to nearly $300 million in FY 2012.

DHS will probably continue to struggle to build their cyber-workforce for some time – with or without help from Congress. Until then, they’ll continue to need skilled people from industry to fulfill the mission, but to reach long-term sustainability and ultimate success they will need to look to ever-advancing security tools to leverage their people to the maximum effect.