This article in GSN caught my attention on the proposed IT budget numbers released by OMB (Office of Management and Budget). The 10% of IT spend going to cyber-security may seem surprising to some, especially when compared to an average of 8% of IT spend in the commercial sector across North America and Europe. While many of us have seen stagnation in our security budgets, the US government has increased its cyber-security budget by a whopping 73% since 2004. The media has picked up on things such as DOT (Department of Transportation) more than doubling its budget while DHS (Department of Homeland Security) had less than a 5% increase, suggesting that the agencies don’t have their priorities right or that we should fund federal agencies based on how well they do on FISMA. These numbers may seem a little out of whack, but here is why I think the US government is headed in the right direction.

1. The US government should be spending more than the commercial sector. The impact of a successful attack on US government infrastructure would entail much more than reputation damage. It would affect the morale of the people and ultimately affect the economy. We have already seen reports of government-backed cyber-espionage, and with time it will only increase.

2. Some government agencies need more budget than others. Two-thirds of the increase in the 2009 cyber-security budget can be attributed to the Department of Transportation. It more than doubled its IT security budget and is planning to spend almost a quarter of its IT budget on security in 2009. I suspect that more agencies will enter a similar security catch-up phase in the coming years, which will keep US government cyber-security spending high.

3. Mature agencies do not require as much cyber-security spending. There was a lot of talk in the media about how all the increased spending is going to obscure agencies while budgets for DOD and DHS have increased only nominally. I think that makes sense. DOD and DHS were spending on cyber-security before we even knew what it was. They have mature security postures and don’t need a lot of catching up.

4. You have to ensure a healthy balance between new initiatives and maintaining existing ones. The government is spending more than the commercial sector on development/modernization/enhancement. The US government plans to spend 35% of its IT budget on “new” things. If this translates into a similar percentage for cyber-security, it puts the government well ahead of the commercial sector, which stands at 25%.

5. Compliance should not be a yardstick to measure security. There have also been rumblings in the press about how some agencies are not secure because they have not fully complied with FISMA, and some have even suggested tying agency budgets to FISMA compliance. I think this would not be the right approach. FISMA compliance, like any other compliance mandate, can be achieved without any incremental improvement in security, as long as you know how to cross the t’s and dot the i’s.

The US government may be headed in the right direction with the spending, but the effectiveness of security will largely depend on where the money is spent.