IT Security Staffing Catching Up with Existential Threats

November, 2020

After years of remaining flat in the face of mounting security threats, IT security head count has finally risen as a percentage of the total IT staff. Until 2020, despite a growing array of threats and rising IT security budgets, IT organizations had not been increasing the size of their security teams and instead focused on technology to fight the problem. Or, even worse, many companies might have been neglecting the problem.

As shown in Figure 1 from our full report, IT Security Staffing Ratios, IT security professionals make up 3.4% of the total IT staff at the median in 2020, an increase from both 2019 and 2018 where the median percentage was 2.9%. Until this year, IT staffing had been essentially flat for four years running, with the median at 2.9% in 2016 as well with only a slight bump to 3.1% in 2017.

Fig1RBsecuritystaffingratios 1030x687 - IT Security Staffing Catching Up with Existential Threats

There have been several factors holding back IT security staffing increases, most of which are still in play. The biggest factor has been, and likely continues to be, a skills shortage. Security is a highly specialized field, and there are few shortcuts to gaining the type of experience required, especially in senior roles. However, despite these trends, the need for increased and improved security may eventually lead to more increases in IT security staffing on a percentage basis, especially as use of the cloud decreases the need for other types of in-house IT support personnel.

Another factor is the use of new technology in IT security, including  artificial intelligence and machine learning to track anomalies before humans can detect them. Other factors that are holding the security staffing numbers relatively steady include software-defined networking, better awareness around application development to ensure better security during requirements and design, and the reduction of in-house infrastructure due to software as a service (SaaS) and the public cloud.

“In the long run, we would expect this number to continue to rise,” said David Wagner, senior research director at Computer Economics, a service of Avasant Research, based in Los Angeles. “Enterprises face an existential threat not only from the lonely black hat hacker, but from organized crime, and even nation states. Technology is a necessary part of the security puzzle, but so are experienced security professionals to oversee the effort.”

In recent years, Atlanta and Baltimore had to shut down services because of ransomware attacks. In 2018, the data marketing firm Exactis erroneously exposed the data of 230 million Americans and 110 million businesses. These types of self-inflicted wounds of exposing databases to the public are increasingly common and also show the need for security oversight.

New threats also have emerged as millions of workers worldwide have been forced to work from home due to the global pandemic. This has vastly expanded the corporate network perimeter and left businesses scrambling to adopt new solutions. One of the highest-profiles breaches of the year occurred when hackers stole 500,000 passwords from Zoom, the well-known collaboration service, and placed them on the Dark Web.

In our full report, we present the five-year trend in IT security staffing and provide benchmarks for understanding IT security staff head count: as a percentage of the IT staff and as a percentage of the Network and Communications Group. We analyze IT security staffing in terms of the number of applications, users, and network devices. Our analysis also includes the influence of organization size and sector on staffing requirements. We conclude with recommendations for optimizing IT security staffing.

This Research Byte is a brief overview of our management advisory on this subject, IT Security Staffing Ratios. The full report is available at no charge for Avasant Research subscribers, or it may be purchased by non-subscribers directly from our website (click for pricing).