IT Departments Throwing Bodies at the Cybersecurity Problem

February, 2025

The rising proportion of IT personnel dedicated to security highlights organizations’ growing commitment to safeguarding their digital assets. Companies are reacting to high-profile breaches and proactively planning for the increasing number and complexity of cyber threats. As cyberattacks become more sophisticated and frequent, businesses recognize that robust security is no longer a luxury but a fundamental requirement for operational continuity and customer trust.

As shown in Figure 1 from our full report, IT Security Staffing Ratios, IT security professionals made up 5.2% of the total IT staff at the median in 2024, an increase from 2023, when the median percentage was 4.2%. While the one percentage point increase from the previous year may seem modest, it reflects a recognition of the critical role of IT security within organizations and the ongoing need to invest in skilled security professionals to protect their valuable assets.

Figure 1: Trend in IT Security Staff as a Percentage of IT Staff

Several factors are driving the increasing percentage of IT security personnel:

    • The increasing sophistication and complexity of cyber threats necessitate proactive measures against ransomware, phishing, and other security concerns.
    • The expansion of attack surfaces due to interconnected IT environments.
    • Stringent data privacy regulations necessitate specialized expertise.
    • A strategic shift toward proactive security practices like threat intelligence and vulnerability assessments.

That said, rightsizing the IT security staff is vital to ensure an optimal balance between security coverage and resource allocation. Having too few security personnel can leave an organization vulnerable to threats and overwhelmed by security incidents, while overstaffing can lead to unnecessary operational costs and inefficiencies. IT executives must carefully consider what their organization needs.

“It is easy to throw bodies at a problem like security,” said Asif Cassim, principal analyst at Avasant Research, based in Los Angeles. “But throwing the amount of bodies with the right skills is more important.”

Our study limits the security staff member category to those whose primary responsibilities include developing, implementing, and managing security policies and procedures, evaluating and implementing security technologies, responding to and resolving security incidents, conducting security audits, and managing security service providers. Service desk, network administrators, or other personnel who administer network devices or set up passwords as part of their routine duties are not included in the IT security head count unless they are dedicated largely to the security function.

Our full report presents the five-year trend in IT security staffing and provides benchmarks for understanding IT security staff head count. We analyze IT security staffing in terms of the number of applications, users, and network devices. Our analysis also includes the influence of organization size and sector on staffing requirements. We conclude with recommendations for optimizing IT security staffing.


This Research Byte is a brief overview of our report on this subject, IT Security Staffing Ratios. The full report is available at no charge for subscribers, or it may be purchased by non-clients directly from our website.