IT Security Spending Increases Not Going Toward More Security Personnel

October, 2019

According to our annual IT Spending and Staffing Benchmarks study, security is the budget category that companies are giving the highest priority. A net 78% of organizations that responded to our survey are increasing their spending on security. However, increases in spending do not necessarily lead to head count growth, as improved technology continues to allow IT personnel to be more productive. The continued skills shortage in IT security also no doubt contributes to the moderation in security staff hiring.

As shown in Figure 1 from our full report, IT Security Staffing Ratios, IT security staff members make up 2.9% of the total IT staff at the median in 2019, on par with the percentage in 2018 and down slightly from 2017. IT security staffing as a percentage of total IT staff has been essentially flat for four years running, with the median at 2.9% in 2016 as well.

[Figure 1]

Major growth areas in IT security include using artificial intelligence and machine learning to track anomalies before humans can detect them. Other factors that are holding the staffing numbers steady include software-defined networking, better awareness around application development to ensure better security during requirements and design, and the reduction of in-house infrastructure due to software as a service (SaaS) and the public cloud.

However, despite these trends, the need for increased and improved security may eventually lead to increases in IT security staffing on a percentage basis, especially as cloud usage decreases the need for other types of in-house IT support personnel.

“Security is too important to ignore,” said David Wagner, vice president of research at Irvine, Calif.-based Computer Economics. “And while AI and automation can go a long way in filling the gaps, they can never replace well-trained professionals required to oversee security as a whole. Like with all things involving AI and automation, we’d expect skill sets to change, but not for security jobs to disappear.”

In particular, high-profile privacy breaches and ransomware attacks in recent months might hasten both the training and hiring of more security personnel. This spring, breaches at Facebook, Instagram, and WhatsApp resulted in a total of over two billion users’ personal data being leaked. In recent years, Atlanta and Baltimore had to shut down services because of ransomware attacks. In 2018, the data marketing firm Exactis erroneously exposed the data of 230 million Americans and 110 million businesses. Such self-inflicted wounds, in which databases are left exposed to the public, are increasingly common and also show the need for security oversight.

In the face of these challenges, IT executives must ensure that their IT organizations have the appropriate skills to respond to the latest security threats. For instance, IT security experts are realizing that intrusion-prevention measures must be complemented by the ability to quickly detect an intrusion, stop it from spreading, and remediate it. Privacy also must be top of mind, in the wake of the European Union enacting the General Data Protection Regulation, a set of guidelines for the processing and collection of personal data for individuals in the European Union.

In our full report, we present the five-year trend in IT security staffing and provide benchmarks for understanding IT security staff head count: as a percentage of the IT staff and as a percentage of the Network and Communications Group. We also analyze IT security staffing in terms of the number of applications, the number of users, and the number of network devices. Our analysis also includes the influence of organization size and sector on staffing requirements. We conclude with recommendations for optimizing IT security staffing.

This Research Byte is a brief overview of our management advisory on this subject, IT Security Staffing Ratios. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website.