IT Security Staff Levels Are Declining

August, 2008

Computer Economics research shows that security is a high priority for IT organizations today, and there is little doubt that security professionals remain in strong demand. Yet as this study on security staffing indicates, the percentage of IT employees dedicated to security in any given IT organization is relatively small–only about 1.5% of the typical IT staff–and has been declining, somewhat surprisingly, over the past three years.

The implication is that organizations have fewer security professionals today to maintain the integrity of their systems than they did a few years ago. Just how many security specialists do they need? This study helps IT executives assess their security staffing needs by providing benchmarks for security staffing levels.

This Research Byte is a summary of our full report, IT Security Staffing Ratios and Trends.

The ratios in this report are based a survey of about 200 IT organizations that provided detailed breakdowns of their staffing and spending plans for fiscal years ending in late 2008 or 2009. The sample is segmented across 11 major industry sectors and three size classifications. The sectors and size classifications are defined later in this article.

Our study limits the security staff category to security professionals dedicated to auditing, managing, developing, and implementing security policies, processes, and technologies. However, the functions that these security specialists perform can vary from organization to organization. In some companies, security professionals play a strategic role by managing and planning security programs, while other personnel such as network administrators and technical support staff handle daily operational tasks. Other companies apply the security staff in a tactical manner, using them in such areas as establishing passwords, monitoring access logs, and responding to security incidents. Each respondent in our study defined security personnel according to their own practices.

Three-Year Trend Shows Falling Ratio of Security Staff
Over the last three years, the personnel comprising this portion of the IT staff declined in the composite sample. Figure 1 shows security personnel as a percentage of IT staff at the median–the point at which half of the organizations fall below and half above–and shows that median security staffing declined from 2.0% in 2006 to 1.5% in 2008.

SecurityStaffRatio Fig1 - IT Security Staff Levels Are Declining

While a one-year dip might be a statistical aberration, the three-year trend indicates that this change is real. This decline also does not appear to be a result of staff growth in other areas. Respondents this year showed no change in median staff count over 2007.

The full version of this report provides three metrics for security staffing: security staff as percentage of total IT staff, number of users per security professional, and number of network support employees per security professional. The first part of this report examines the trend in security staffing by analyzing staffing ratios for the composite sample. The second part provides the three metrics by organization size. These are the key metrics that IT managers can use to assess their operations. In the third part, we see how these metrics vary by industry sector. Finally, we examine how outsourcing, network complexity, and the number of network sites can influence security staffing needs. We conclude with our assessment of current trends in security staffing.

Computer Economics Viewpoint
Answering the question of how many security professionals an organization needs is a complex discussion. Security begins at the top. A commitment from executive management is required to create a culture of security that ensures procedures are enforced, audits are taken seriously, and investments are made in personnel, training, services, and technology. That commitment undoubtedly has more bearing on security than staffing levels.

That said, organizations appear to need fewer security professionals today than they did a few years ago. One reason is that security professionals are not the only members of the IT staff engaged in security practices. It might be said that security is too important to leave to the security group. Auditors, network administrators, systems administrators, technical support staff, storage professionals, and other operational personnel are increasingly trained and engaged in the tactical execution of security policies and procedures and in the management of security devices. Operationally, security is becoming less of a specialty.

The full version of this report provides additional recommendations and observations based on the statistics developed by our analysis.

This Research Byte is a brief overview of our report on this subject, IT Security Staffing Ratios and Trends. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website at (click for pricing).

Do you also need staffing ratios for other IT job functions? Consider this collection of all of our staffing ratio reports, which bundles them all into a single report at a significant discount: IT Staffing Ratios–Special Report Bundle.