Is Government Paying Enough Attention To Application Security?
Even as a consistent number of system vulnerabilities blemish federal agencies and departments, focus on IT security remains somewhat feeble, with few initiatives yet under way, and an expected growth in spending of less than 20 percent by 2010. But VARs inclined to set the market on the back burner for now might want to think twice, as government looks to industry for some initial education and hand-holding.
Spending on IT security is expected to increase from $6.1 billion in 2005 to $7.3 billion in 2010, according to Input, a Reston, Va.-based research firm. Furthermore, spending on professional services associated with IT security -- the design, development and operation of security systems, as well as upgrades and maintenance -- is expected to grow from $3.7 billion in 2005 to $4.4 billion in 2010. While a $1 billion increase in spending is nothing to sneeze at, it doesn't exactly present the goldmine right off the bat that some VARs might have expected.
Of course, security has been the buzzword on Capitol Hill for some time, but generally speaking, physical security took initial priority, followed by outer system protection through intrusion detection and patch management.
"That will take you only so far," says Chris Campbell, senior analyst at Input. "What happens when they get inside? Security at the application level hasn't happened yet and is really the most critical. Attacks are becoming more sophisticated than worms or even viruses, and can shut down entire systems."
That said, those able to offer up expertise now could be first in line for contracts later, Campbell says.
"Right now, it's an education process," he says. "Industry will need to communicate best practices and options to agencies that are right now trying to figure out what they need."
Specifically, a couple of factors could cause agencies to look to VARs as they up the ante in IT security. First, legislated requirements, such as IT system certification and accreditation, and implementation of IT security plans, fell short upon the 2003 deadline -- emphasizing a need for improvement. And second, the Office of Management and Budget recently decided to designate IT security as a sixth line of business; from that came a Request for Information (RFI), which called for help from the private sector in investigating governmentwide solutions to cybersecurity.
"It's finally getting recognized that agencies just haven't done enough," Campbell says. And it's up to the VARs, he says, to show them the way. "It's one thing to offer a solution; it's another step back to figure out how those solutions will fit into the overall objectives of the agencies. That's the challenge right now for those in industry."