How many information security people does the US government really have?
I just started to look at the GAO's recent report "Cybersecurity Human Capital." (PDF) When I read reports on the information security industry there's always always something that makes me stop and wonder exactly what's going on. This report didn't change that.
My first Huh? moment was actually when I looked at the cover page of this report. It turns out that this report was actually prepared by the GAO for the Senate Subcommittee on Immigration, Refugees, and Border Security, which is part of the Senate's Judiciary Committee. Acccording to the Subcommittee's web site, it's responsible for:
(1) Immigration, citizenship, and refugee laws;
(2) Oversight of the immigration functions of the Department of Homeland Security, including U.S. Citizenship and Immigration Services, U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and Ombudsman Citizenship and Immigration Services;
(3) Oversight of the immigration-related functions of the Department of Justice, the Department of State, the Department of Health and Human Services Office of Refugee Resettlement, and the Department of Labor;
(4) Oversight of international migration, internally displaced persons, and refugee laws and policy; and
(5) Private immigration relief bills.
So my first thought was to wonder exactly this particular Subcommittee came to be interested in information security staffing within the government.
I couldn't think of a good reason, so I moved on the actual report. I had made it to page 13 of the roughly 80 page document when I came across Table 2: Comparison of Reported Number of Cybersecurity Workers from Multiple Sources. This was another Huh? moment, but using at least a 36-point font this time.
It turns out that the estimates of the number of information security workers can vary greatly: if you ask the same agency more than once you can get very different answers each time. Some examples:
- The number of information security workers at the Department of Defense is apparently somewhere between 18,955 and 88,159.
- The number of information security workers at the Department of Homeland Security is apparently somewhere between 1,361 and 12,500.
This suggests a very inexpensive way to increase the information security staffing at government agencies: just keep asking how many people they have until you get an answer that's big enough.