Security is a high priority for most IT organizations and there is evidence that spending on IT security services and technology is rising. Yet staffing of the IT security function has remained remarkable steady over the past few years. The implication: having stronger security does not necessarily require expanding the number of often-in-demand professionals dedicated to the IT security function.
Figure 1 from our study, IT Security Staffing Ratios, shows that IT security staffing has remained at about 2.6% of the IT staff since at least 2011. That does not mean there was no hiring of IT security staff during the period. As IT headcount did rise modestly for many organizations, the finding indicates that IT security headcount rose in step with the IT staff as a whole. It neither shrank nor gained as a percentage of the whole.
The composite medians, shown in Figure 1, are based on our annual survey of approximately 200 IT organizations. Our study limits the security staff category to security professionals dedicated to auditing, managing, developing, and implementing security policies, processes, and technologies. Service desk, network administrators or other personnel who handle passwords or manage security devices along with other duties are not included in the IT security headcount unless they are dedicated to the security function.
Some organizations partially outsource this function to IT security consultants, managed security service firms, or solution providers. We adjusted for outsourcing by asking organizations to estimate how many additional IT security staff members they would require if they did no outsourcing.
As this benchmark varies by organization size and sector, we advise against using the composite median for benchmarking purposes. In the full study, we help IT executives assess their security staffing needs by providing four benchmarks: IT security staff as a percentage of the IT staff, IT security staff as a percentage of the Network and Communications Group, users per IT security staff member, and network devices per IT security staff member. We provide benchmarks by organization size and sector.
This Research Byte is a brief overview of our report on this subject, IT Security Staffing Ratios. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website (click for pricing).
Do you also need staffing ratios for other IT job functions? Consider this collection of all of our staffing ratio reports, which bundles them all into a single report at a significant discount: IT Staffing Ratios–Special Report Bundle.
Avasant’s research and other publications are based on information from the best available sources and Avasant’s independent assessment and analysis at the time of publication. Avasant takes no responsibility and assumes no liability for any error/omission or the accuracy of information contained in its research publications. Avasant does not endorse any provider, product or service described in its RadarView™ publications or any other research publications that it makes available to its users, and does not advise users to select only those providers recognized in these publications. Avasant disclaims all warranties, expressed or implied, including any warranties of merchantability or fitness for a particular purpose. None of the graphics, descriptions, research, excerpts, samples or any other content provided in the report(s) or any of its research publications may be reprinted, reproduced, redistributed or used for any external commercial purpose without prior permission from Avasant, LLC. All rights are reserved by Avasant, LLC.
Login to get free content each month and build your personal library at Avasant.com
