Stronger IT Security Not Same as Higher Staffing Levels

June, 2015

Security is a high priority for most IT organizations and there is evidence that spending on IT security services and technology is rising. Yet staffing of the IT security function has remained remarkable steady over the past few years. The implication: having stronger security does not necessarily require expanding the number of often-in-demand professionals dedicated to the IT security function.

Figure 1 from our study, IT Security Staffing Ratios, shows that IT security staffing has remained at about 2.6% of the IT staff since at least 2011. That does not mean there was no hiring of IT security staff during the period. As IT headcount did rise modestly for many organizations, the finding indicates that IT security headcount rose in step with the IT staff as a whole. It neither shrank nor gained as a percentage of the whole.

ITSecStaffFig1 - Stronger IT Security Not Same as Higher Staffing Levels

The composite medians, shown in Figure 1, are based on our annual survey of approximately 200 IT organizations. Our study limits the security staff category to security professionals dedicated to auditing, managing, developing, and implementing security policies, processes, and technologies. Service desk, network administrators or other personnel who handle passwords or manage security devices along with other duties are not included in the IT security headcount unless they are dedicated to the security function.

Some organizations partially outsource this function to IT security consultants, managed security service firms, or solution providers. We adjusted for outsourcing by asking organizations to estimate how many additional IT security staff members they would require if they did no outsourcing.

As this benchmark varies by organization size and sector, we advise against using the composite median for benchmarking purposes. In the full study, we help IT executives assess their security staffing needs by providing four benchmarks: IT security staff as a percentage of the IT staff, IT security staff as a percentage of the Network and Communications Group, users per IT security staff member, and network devices per IT security staff member. We provide benchmarks by organization size and sector.

This Research Byte is a brief overview of our report on this subject, IT Security Staffing Ratios. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website (click for pricing).

Do you also need staffing ratios for other IT job functions? Consider this collection of all of our staffing ratio reports, which bundles them all into a single report at a significant discount: IT Staffing Ratios–Special Report Bundle.