Security remains a top priority for organizations in terms of new investment, according to our annual IT Spending and Staffing Benchmarks study, though not all of that spending is heading toward additional security headcount. After two years of increases, IT security personnel have declined slightly as a percentage of total IT staff.
As shown in Figure 1 from our full report, IT Security Staffing Ratios, IT security staff members declined to 2.9% of the total IT staff at the median in 2018, on par with the percentage in 2016, and down slightly from last year. Previously, the ratio was stable from 2013-2015 at 2.6%.
A net 75% of organizations that responded to our survey are increasing their spending in security. However, increases in spending do not necessarily lead to headcount growth, as improved technology continues to allow IT staff to be more productive. Major growth areas in IT security include using artificial intelligence (AI) and machine learning to track anomalies before humans can detect them. Software-defined networking, better awareness around application development to ensure better security from the start, and the reduction of in-house infrastructure due to software as a service (SaaS) and the public cloud also contribute to staff numbers holding steady. However, despite these trends, the need for increased and improved security may eventually lead to increases in security staffing, especially as cloud usage decreases the need for other types of in-house IT support personnel.
“I’d still expect to see slow and steady increases over the next few years,” said David Wagner, vice president of research at Irvine, Calif.-based Computer Economics. “But it is unlikely we will see major jumps. Beyond the efficiency aspects, it is still difficult to find skilled IT security personnel. We’ve seen it before that when a job requires skills that are difficult to find, technology is quickly built to fill in the gaps.”
In the face of these challenges, IT executives must ensure that their IT organizations have the appropriate skills to respond to the latest security threats. For instance, IT security experts are realizing that intrusion-prevention measures must be complemented by the ability to quickly detect an intrusion, stop it from spreading, and remediate it. Privacy must also be top of mind, in the wake of the European Union enacting the General Data Protection Regulation.
In our full report, we present the five-year trend in IT security staffing and provide benchmarks for understanding IT security staff headcount: as a percentage of the IT staff and as a percentage of the Network and Communications Group. We also analyze IT security staffing in terms of the number of applications, the number of users, and the number of network devices. Our analysis also includes the influence of organization size and sector on staffing requirements. We conclude with recommendations for optimizing IT security staffing.
This Research Byte is a brief overview of our management advisory on this subject, IT Security Staffing Ratios. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website (click for pricing).