Sunday, February 13, 2011

So, How Many Information Security People Do We Need?

Introduction

It’s not difficult to find a lot of good information on general Information Technology staffing ratios.  Spend a few minutes online, and you will quickly turn up surveys, benchmarking studies, and lively discussions.  The “right” ratio of IT staff to users at large varies widely, depending on the type of business, the industry’s reliance on technology, etc., but for the most part, someone looking to find out how many IT staff overall a company needs can find some decent numbers to start with.

The task becomes a lot harder, however, when you want to find staffing ratios for information security staff.  Perhaps because the “right” number of information security staff is highly sensitive to the nature of the business and the regulatory environment, or perhaps because the information security discipline is less mature than IT infrastructure or operations, there just aren’t very many good benchmarks out there.  Asking “how many information security staff do we need?” results in a resounding “It depends.”

For this article, I gathered several pieces of publicly-available information into one location to sketch out a broad range of staffing benchmarks for the information security function.  A number of data points are collected and described below.  The intent is not to establish the “right” information security staffing ratio – that’s probably impossible.  Rather, my hope is that this article will be a useful resource for information security professionals  looking for data to inform their staffing discussions.  Hopefully this article will also help spark more research into and analysis of this topic.

Data Points

Here are the most illuminating sources of information I found.
  • In their 2007 book Information Security Management, Harold Tipton and Micki Krause look at the issue of information security staffing ratios, but only briefly.  Tipton and Krause offer some general principles but acknowledge that the question of information security staffing ratios is affected by a vast number of inputs.  The book does, however, quote two sources that do attempt to derive a single benchmark.  According to Tipton and Krause, a 2003 Deloitte Touche Tohmatsu (DTT) study recommended one information security professional for every 1000 general users.  Tipton and Krause also cite unspecified “previous studies” by the Computer Security Institute (CSI) that attempt to derive information security staffing ratios from budget ratios.  The CSI studies estimate the average information security staffing level at 3%-5% of overall IT staff.  (http://books.google.com/books?id=B0Lwc6ZEQhcC&printsec=frontcover#v=onepage&q&f=false, pp 598-599). 

  • Although I did not find the specific CSI studies cited by Tipton and Krause, I did find a somewhat older CSI paper.  Based on the results of a 1990 survey of 302 organizations, CSI found that the average information security staff was 0.1% of the total staff of the organization (i.e., the 1-to-1000 ratio cited by Tipton and Krause).  The CSI study also compared the number of information security staff to the number of IT Audit staff, finding an average of “1.75 information security staff members for every single [IT Audit] staff member” (http://www.computer-security-institute.com/press/mangsumm.jhtml).

  • The 2009 study IT Spending and Staffing Benchmarks conducted by Computer Economics found that the ratio of information security staff to IT staff overall had declined over the years 2006-2008.  The report indicates that the ratio declined from 2% in 2006 to 1.5% in 2008 (http://www.computereconomics.com/article.cfm?id=1384).
  • In its 2003 report, Information Technology Security: Governance, Strategy, and Practice in Higher Education, Educause finds the question of information security staffing ratios to be too complex to answer with a single rule of thumb.  The report breaks colleges and universities into groups based on the level of degrees offered, and finds the total number of information security staff to range from 0.3 to 4.0 FTEs but provides no data on the size of the institutions within the groupings (http://www.educause.edu/ECAR/InformationTechnologySecurityG/155028).

    A 2004 Educause report, High Stakes, Strategies for Optimal IT Security Staffing, similarly avoids a single recommended ratio but notes that “5,000 [networked] devices seems to be a threshold that required more than one person to handle central IT security” (http://net.educause.edu/ir/library/pdf/ERB0406.pdf).

    Similarly, the 2003 report indicates that the number of information security staff required increases further in organizations with more than 10,000 networked devices.  By taking some liberties with those two studies, we can make a wild estimate of one information security staff member per every 5,000 networked devices.  Note that the definition of “devices” in the Educause reports seems to include not just user workstations, but also switches, firewalls, servers, etc.

  • Another way to approach the question is to look at information security budget as a proportion of overall IT budget, and then to infer staffing levels from that.  The problem with that, naturally, is that staffing levels are not necessarily proportional to budget levels.  For example, IT divisions that are hardware-intensive may absorb a larger chunk of the budget than the relatively hardware-light information security function.  Also, budget ratios are just as complicated and imprecise as staffing ratios.

    Even with those cautions in mind, it may still be useful to consider a December, 2002 article appearing in CSO Online.  Imploring readers to “use these numbers at [their] own peril”, CSO Online reports on a survey of 276 CIOs and IT executives that found the average information security budget to be 7.2% of overall IT budget.  The article also cites a consultant with Booz, Allen & Hamilton, who suggests that the information security budget should be “between 5 percent and 8 percent of the IT budget” (http://www.csoonline.com/article/217728/security-budget-benchmarks-inside-the-sausage-factory?page=1). 

  • The security vendor Vostrom has published a slideshow titled “Staffing the Information Security Organization” from a 2009 presentation.  The presentation, unfortunately without any detail, indicates that a study conducted by Vostrom of organizations in Arizona found the average information security budget to be approximately 10% of the overall IT budget (http://vostrom.com/get/InfoSec_Staffing.pdf).

  • Having run out of studies to read, I turned my attention to the US government.  The US federal IT budget for 2011 is available online (http://www.whitehouse.gov/omb/e-gov/) in a convenient spreadsheet.  The spreadsheet gives a brief description of every line item in the IT budget for every agency in the federal government.  I looked over each entry in the budget and tried to determine if that line item could be classified as an information security expenditure.

    Some expenditures were obviously related to information security, such as a Health and Human Services item titled “CDC Enterprise Security”.  Some were less clear but still seemed at least partially security-related.  For example, the Department of Agriculture’s “DA-GSS” line item is described as “Consolidated investment consisting of hardware, DA software, security, facilities applications, & support staff.”  I divided the IT budget into three categories:  primarily security-related, secondarily security-related, and non-security related.

    I excluded some agencies from the analysis to avoid skewing the results too heavily in favor of security.  For example, I did not include the Department of Defense, NASA, the State Department, the Department of Energy, and other agencies with information security requirements that I would expect to be exceptionally stringent.

    Based on my admittedly subjective classifications, I found that somewhere between 3% and 11% of the US federal government’s IT budget is devoted to information security.

  • A few state and local governments post relevant budgeting and staffing data online as well.  Documents available through the website of the State of West Virginia Office of Technology (http://www.technology.wv.gov/Pages/default.aspx) show that out of approximately 100 information technology staff, 8.5 FTEs are in the information security function (including 2.5 FTEs assigned to audit).

  • And, finally, budget information posted by the City of Sacramento indicates that the city’s IT staff in 2007-2008 comprised 73 FTEs, of which 3 FTEs were in the information security function, for a ratio of 4.1% of the overall IT staffing level.  Due to budget cuts, the report projects the 2009-2010 staffing levels to be 54 FTEs overall, of which 2 will be in the information security function, for a ratio of 3.7% (http://www.cityofsacramento.org/finance/budget/documents/18-IT.PDF).

Summary of Data Points

The various data points above can be reduced to the following potential benchmarks:

  • 1 information security staff per 1000 users;
  • 3 - 5 information security staff per 100 IT staff;
  • 6 - 8.5 information security staff per 100 IT staff;
  • 1.5 - 2 information security staff per 100 IT staff;
  • 3 - 4 information security staff per 100 IT staff;
  • 1.75 information security staff per internal IT auditor;
  • 1 information security staff per 5000 networked devices;
  • 5% - 8% of overall IT budget allocated to information security;
  • 10% of overall IT budget allocated to information security;
  • 3% - 11% of overall IT budget allocated to information security;

Comments

Developing an information security staffing ratio as a proportion of the general IT staff or budget is the approach with the most supporting data.  The range of staffing ratios runs from 1.5 per 100 to 8.5 per 100 IT staff.  Interestingly, the budget ratios cover a similar spread, just shifted slightly higher: 3% to 11% of IT budget.

I think the Computer Economics study that found the average staffing ratio to be 1.5 information security staff for every 100 IT staff is an outlier.  That number doesn’t seem to be supported by the other staffing ratios or budget ratios I found.  Similarly, I think the 8.5 information security FTEs per 100 IT FTEs reported by the state of West Virginia is also an outlier.  I would argue that the inclusion of IT audit in the information security function is atypical.

Discounting those two data points suggests that the information security staffing level in a mythical “average” organization would be somewhere in the range of 3% - 6% of the general IT staff.

I started out this article saying that there is probably no “right” information security staffing ratio.  Certainly, my range of 3% - 6% is based on an ugly combination of data, anecdotes, and wild surmise.  However, I do think this is at least a starting point for discussion.  Hopefully, the data presented here is helpful to others in the information security profession as they attempt to answer the slippery question, “So, how many information security people do we really need?”