High-profile security attacks have increased the importance of security among enterprises over recent years. With the transformation of the workspace to remote and hybrid work, more pressure has been placed on IT security staffing personnel. Despite these increased burdens, this staffing ratio has remained relatively stable over the past three years. This raises the question: Has the supply reached its cap?
As shown in Figure 1 from our full report, IT Security Staffing Ratios, IT security professionals made up 4.2% of the total IT staff at the median in 2023, a slight decrease from 2022, when the median percentage was 4.3%. We expect that this ratio will remain relatively flat or even decline. Our previous research has shown that when certain types of staffing become too rare or expensive, technology tends to find creative ways of filling the gap.
The most significant factor to impact this ratio continues to be a skills shortage. Security is a highly specialized field, and there are few shortcuts to gaining the type of experience required, especially in senior roles. Although the gap between demand and supply has begun to decrease, it continues to impact this function.
Another factor is the use of new technology in IT security, including using artificial intelligence and machine learning to track anomalies before humans can detect them. Other factors that limit additional increases in security staffing include software-defined networking, better awareness around application development to ensure better security during requirements and design, and the reduction of in-house infrastructure due to software as a service (SaaS) and the public cloud. However, despite these factors limiting security staff increases, we expect this year is not a temporary decline.
That said, the risk of growing security threats is not going anywhere. Right sizing the IT security staff is vital. IT executives must ensure that they have the appropriate skills to respond to the latest security threats. For instance, IT security experts are realizing that intrusion prevention measures must be complemented by the ability to quickly detect an intrusion, stop it from spreading, and remediate it. Privacy also must be top of mind in the wake of the European Union’s enactment of the General Data Protection Regulation, a set of guidelines for the processing and collection of personal data for individuals in the European Union.
“It’s no secret that there is a skills storage for security personnel,” said Reneece Sterling, senior research analyst at Avasant Research, based in Los Angeles. “But enterprises are now leveraging AI to fill the gap. Security products are now being built with AI capabilities that may allow organizations to operate with smaller security teams.”
In our full report, we present the five-year trend in IT security staffing and provide benchmarks for understanding IT security staff head count. We analyze IT security staffing in terms of the number of applications, users, and network devices. Our analysis also includes the influence of organization size and sector on staffing requirements. We conclude with recommendations for optimizing IT security staffing.
This Research Byte is a brief overview of our report on this subject, IT Security Staffing Ratios. The full report is available at no charge for subscribers, or it may be purchased by non-clients directly from our website (click for pricing).