High-profile security attacks and the impact of remote work continue to put pressure on IT security staff. Although the use of IT security services remains a popular strategy, our research shows that over the past two years there has also been an increasing demand for in-house security personnel.
As shown in Figure 1 from our full report, IT Security Staffing Ratios, IT security professionals made up 4.2% of the total IT staff at the median in 2021, an increase from 2020 when the median percentage was 3.4%. It is possible that this function will continue to increase in the upcoming years, as companies place more focus on internal staffing to solve their unique challenges.
Prior to 2020, several factors were holding back IT security staffing increases. The most significant factor has been, and likely continues to be, a skills shortage. Security is a highly specialized field, and there are few shortcuts to gaining the type of experience required, especially in senior roles. Although the gap between demand and supply has begun to decrease, it continues to impact this function.
Another factor is the use of new technology in IT security, including using artificial intelligence and machine learning to track anomalies before humans can detect them. Other factors that limit additional increases in security staffing include software-defined networking, better awareness around application development to ensure better security during requirements and design, and the reduction of in-house infrastructure due to software as a service (SaaS) and the public cloud.
However, despite these factors limiting security staff increases, we expect that this year's increase is not a temporary jump. Over time, we expect increases in IT security staffing on a percentage basis, especially as cloud usage decreases the need for other types of in-house IT support personnel.
In the face of challenges, IT executives must ensure that they have the appropriate skills to respond to the latest security threats. For instance, IT security experts are realizing that intrusion prevention measures must be complemented by the ability to quickly detect an intrusion, stop it from spreading, and remediate it. Privacy also must be top of mind in the wake of the European Union enacting the General Data Protection Regulation.
“In the long run, we do expect security staffing to continue to rise,” said Reneece Sterling, research analyst at Computer Economics, a service of Avasant Research, based in Los Angeles. “Enterprises face an existential threat not only from the lonely black-hat hacker but from organized crime, and even nation-states. Technology is a necessary part of the security puzzle, but so are experienced security professionals to oversee the effort.”
In our full report, we present the five-year trend in IT security staffing and provide benchmarks for understanding IT security staff head count. We analyze IT security staffing in terms of the number of applications, users, and network devices. Our analysis also includes the influence of organization size and sector on staffing requirements. We conclude with recommendations for optimizing IT security staffing.
This Research Byte is a brief overview of our report on this subject, IT Security Staffing Ratios. The full report is available at no charge for subscribers, or it may be purchased by non-clients directly from our website.