Security begins at the top. A commitment from executive management is required to create a culture of security that ensures procedures are enforced, audits are taken seriously, and investments are made in personnel, training, services, and technology. That commitment undoubtedly has more bearing on security than staffing levels.
That said, the question of how many security professionals an organization needs is a complex one. Despite the high priority placed on security today, organizations are employing about the same number of security professionals as they were a few years ago.
Our study, IT Security Staffing Ratios, shows that dedicated IT security staff make up about 2.0% of the IT staff on average, as shown in Figure 1. Over the past six years, the ratio has fluctuated from a high of 2.2% to a low of 1.8%.
One conclusion is that maintaining strong security does not necessarily require an expansion of IT staff. IT organizations are strengthening network and data security without expanding the number of IT security professionals on their staff.
Our study limits the security staff category to security professionals dedicated to auditing, managing, developing, and implementing security policies, processes, and technologies. However, the functions these security specialists perform and the definition of security staff vary among organizations. In some organizations, security professionals play a strategic role in designing security programs and monitoring compliance. In other organizations they may assume a more tactical roles as well.
In the full study, we help IT executives assess their security staffing needs by providing four benchmarks: IT security staff as a percentage of IT staff, IT security staff as a percentage of the infrastructure support group, users per IT security staff members, and network devices per IT security staff member. We also assess the influence of organization size and sector on staffing requirements.
While security remains a high priority for IT organizations, the percentage of total IT staff dedicated to the security function is relatively small and has remained stable over time.
This Research Byte is a brief overview of our report on this subject, IT Security Staffing Ratios. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website (click for pricing).
Do you also need staffing ratios for other IT job functions? Consider this collection of all of our staffing ratio reports, which bundles them all into a single report at a significant discount:IT Staffing Ratios–Special Report Bundle.