The Cybersecurity Staffing Guide (Information Security Staffing Guide), NuHarbor Security

By: Justin Fimlaid

Many companies struggle to decide when to hire Information Security or Cybersecurity staff. This guide collects and benchmarks how 250 companies across different industry verticals choose to staff the security teams within their organizations.

How many Information Security or Cybersecurity staff should I have?

The overwhelming answer is that it depends, and there is not much extensive research on the topic. Every company is different, and company needs for technology and security vary widely. From a sample of 250 companies in different industries, a general rule is that your security staff should be between 5-10% of your IT staff. The actual percentage of security staffing is going to vary. Sometimes you'll be closer to 5% when growing the IT team, and closer to 10% when staffing security. Those averages seem to be consistent bumpers in the security staffing bowling lane.

When should I staff a Chief Information Security Officer?

This also depends on the company and a variety of factors:

  1. Four or more security staff
    You have a lot of cybersecurity staff and need a people manager. This can be a solid trigger. In this case, shoot for staffing a CISO at 4+ cybersecurity analysts.
  2. Four thousand total employees
    Once you hit 4,000-5,000 employees in the organization, you should hire a CISO. If this is your hiring trigger, then commonly the CISO is a security evangelist. They focus on getting your collective staff to self-select the correct behavior as it relates to security.
  3. Your business requires security chops to sell a product
    We see companies hiring a CISO as soon as possible, especially if it's tied to revenue. Between vendor assessment questionnaires, client calls, or anything else needed to prove security and inspire consumer confidence, your CISO will need strong client-facing and maybe even some sales skills.
  4. All of the above
    If your business meets all of the previous three security needs, then normally we see the CISO supported by some strong security lieutenants who cover the varying and diverse security needs.

In 2019, many companies are still struggling to retain security talent. If you're looking for reasons why that is, check out this podcast (full disclosure: it's my weekly podcast): Pwned – The Cavalry Isn't Coming

More companies are looking to managed services providers and flexible security resourcing options such as NuHarbor Security. Please contact us today to learn more about how we can help provide end-to-end security for your company.