Infosec Personnel Shortage? It's All Relative
Feds Employ Equivalent of 79K IT Security Professionals
Put simply, fewer than 2 percent of government IT security personnel fall into a category labeled by SANS Institute Research Director Alan Paller as hunters and toolmakers: experts who have deep knowledge and can, for instance, look inside an iPhone and know where to find its vulnerabilities (see Hunters and Toolmakers: Seeking Infosec Wizards).
Here's how Paller breaks down the work performed by government IT pros:
- 60 percent conduct compliance, policy, strategy, incident management and security awareness tasks and security auditing using checklists. This group also includes intelligence and counter-intelligence analysts and a few prosecutors.
- 40 percent perform security monitoring, security assessments with hands-on testing, penetration testing, network monitoring and intrusion detection, forensics, log analysis, inventory and configuration management, security architecture, secure application development, reverse engineering, vulnerability analysis, exploit development and threat analysis. The hunters and toolmakers are part of this group.
At a presentation he made last month at the RSA2011 IT security conference, Paller estimated that some 1 million people in the United States are employed in IT security, which would mean that fewer than 8 percent of them work for the federal government as employees or contractors. He characterized only 1,000 of them as hunters and toolmakers. "You have 999,000 people who can talk about it, and about a thousand who are extraordinarily skilled who may actually help us win the battle," Paller said.
According to OMB's annual report to Congress, 64 percent of those IT security pros working for the government in the fiscal year that ended Sept. 30 were federal employees and 36 percent were contractors. Those percentages are heavily influenced by the Department of Defense's numbers. The ratio of government-to-contractor fulltime equivalent workers at DoD is 68 percent to 32 percent. Excluding DoD from the calculation, only 46 percent of those working in civilian agencies are government employees. "IT security has consistently been a functional area that depends on talent and technical expertise from industry and commercial sources," the report said.
To be clear, the number of fulltime equivalents represents only those employed by the 24 major agencies identified in the Chief Financial Officers Act of 1990, which account for the vast majority of federal employees. Also, fulltime equivalents differ from actual people, though they provide an indication of the workplace environment. A fulltime equivalent is defined as the total number of hours worked divided by the maximum number of compensable hours in a work year as defined by law. For example, if the work year is defined as 2,080 hours, then one worker occupying a paid full-time job all year would consume one fulltime equivalent. Two persons working 1,040 hours each would consume one equivalent between the two of them.
Because so many people are employed in IT security, OMB said, civilian agencies earmarked, on average, 74.4 percent of their IT security budgets for personnel. Tools came next, at 8.4 percent; followed by the implementation of the National Institute of Standards and Technology's risk management framework (Special Publication 800-37), 7.4 percent; testing, 7.1 percent; and training, 2.7 percent.
"Making the IT security workforce more productive, more capable and more collaborative offers one of the most significant cost-effective strategies in IT security spending," the OMB report said. "This workforce-enabling strategy requires going beyond technical trainings to include process improvement, innovation encouragement, collaboration mechanisms and accountability structures."
In FY 2010, OMB said, the CFO Act agencies spent $12 billion on IT security, including nearly $9.5 billion by DoD alone.
The OMB report said that, on average, agencies earmarked 15.6 percent of their information technology spending for security, with DoD allotting 27 percent of its IT budget to security. Other agencies allocated as little as 3 percent to IT security.