The federal government budget for cybersecurity is much larger than usually reported, in part because so much of it is included in other IT projects and programs – good news for contractors looking to help the government improve its security posture.
This conclusion was presented by Christopher Wiedemann, consultant, Market Intelligence, of immixGroup, at a recent federal cybersecurity conference held by in Reston, Virginia.
“The civilian cyber budget for fiscal years 2016-2018 was $13.3 billion,” Wiedemann said, “but over the same three-year period, actual cyber obligations were $17.8 billion, with about $3.6 billion [of that] in product spend.” The Department of Defense budget on cyber during those three years was $1.1 billion, but it actually came to $5.9 billion in obligations, with $1.2 billion in product spend.
“The main point [is], the size of the cyber opportunity is not readily available just from looking at published budgets,” he said. “The legacy challenges are still there … but at the same time there are new challenges that agencies are just beginning to look at.”
Jonathan Nguyen-Duy, vice president for strategy and analytics, Fortinet, described the threat landscape that leads to this market growth.
In 2007, there were fewer than 50 threat actors; in 2017, there were more than a thousand, he said. In 2007, there were fewer than 50 types of threats; a decade later, that grew to more than a million. One last statistic: In 2007, there were fewer than a thousand security alerts per day, on average, per firm; by 2017, the average number of alerts rose to more than one million.
And the IT landscape keeps evolving. “The network today is borderless. Think of 5G as converting LAN/WAN into a virtual motherboard,” Nguyen-Duy said. “Today’s environment is so complex we’re getting major fails … If today’s IT team can’t keep pace with security threats already, how will it keep up” as networks get even more complex?
The advent of the Internet of Things (IoT) and Industrial Internet of Things (IIoT) – operations technology (OT) that now also uses the web – increases the risk even more, he said.
“The idea that you’re going to add more [security] devices isn’t going to solve the problem today,” Nguyen-Duy said. “Prevention is not going to work; why else have an incident response team?”
He suggested that agencies should look to distribute non-critical workloads into the cloud, which enables IT teams to concentrate on points of enforcement. Agencies are heading toward viewing devices as part of a security fabric, he suggested, consolidating information into dashboards that enable visibility across all these complex environments.
Later, during a lunchtime panel discussion, Nguyen-Duy credited the federal government for its cybersecurity efforts.
“There’s only one vertical that’s done progressively better in cyber [than the federal government], and that’s the financial [sector],” he said.