This article is an excerpt from GovLoop’s recent report, “Managing Cybersecurity Spend – Value & Outcomes.” Download the full report here.
Generally speaking, cybersecurity funding represents a small portion of an agency’s overall IT budget. To determine how well agencies are managing that spend, GovLoop partnered with Apptio to survey 113 public sector employees about the approach their agency is taking to track cybersecurity spend, the top challenges they are facing and their plans for future cybersecurity spending.
Eighty percent of those surveyed said they do not know what their agencies spend on IT today. “A lot of folks know their budget, but they don’t know their costs,” said Bob Carter, Vice President of Public Sector for Apptio, which provides a FedRAMP-certified, cloud-based software and an on-premises offering for managing the business of IT. “That’s part of the problem itself, getting their arms around the actual cost and where the money is going.”
According to the President’s Management Agenda, “The FY 2018 President’s Budget reported 84% of the total Federal IT budget categorized as ‘other,’ as opposed to being clearly tied to a specific IT category of spend. This lack of granularity makes it difficult to baseline federal investments and show the public whether [the] government is spending taxpayer dollars effectively in order to drive the large-scale change needed to improve business transformation and citizen services.”
As a subset of the federal government’s $90 billion IT budget, cybersecurity spending is often disjointed, Carter said, highlighting three key reasons why that’s the case.
1. Often, agencies don’t use a standard method like TBM to model or account for cybersecurity costs. For example, they may not track costs that come with securing an application, or those costs may get labeled as IT overhead.
2. Although agencies have been required to adopt the NIST Cybersecurity Framework (CSF), there is not clear guidance on how they should use the framework as a means to track spending.
3. As noted in the President’s Management Agenda, there are some gray areas where it isn’t clear how to categorize certain cybersecurity costs. This prevents agencies from having a transparent and accurate view of what they are spending.
For the other 20 percent who said they know what their agency spends on IT, we asked them to estimate how much of their IT budgets go toward cybersecurity, which includes tools, processes and personnel.
Roughly 18 to 22 percent of the federal IT budget is spent on cybersecurity, Carter said, with the caveat that some spending is classified and nearly impossible to track. That number aligns with what we heard from 32 percent of respondents, who said cybersecurity accounts for 10 to 25 percent of their agency’s IT budget. Another 41 percent said that cybersecurity is less than 10 percent of the IT budget.
The size of the agency and amount of the overall budget are factors that impact how much agencies spend on cybersecurity. But those aren’t the only factors to consider, Carter said. How agencies categorize spending also determines how they report it. For example, one agency may group all IT network costs together, but they don’t take into account what within the network could be considered cybersecurity spend. Likewise, for software application costs, agencies should determine what within the applications is considered cybersecurity spend.
To learn what steps agencies are taking to improve how they categorize and track IT spending, download the full report here.