Information security staffing guide (2024)

Many companies struggle with the decision of when to hire information security or cybersecurity staff. The following Q&A represents a benchmark derived from 250 companies across different industry verticals on how they choose to staff security teams within their organization.

How Many Information Security or Cybersecurity Staff Should I Have?

The overwhelming answer is that it depends, and there’s little research on the topic. Every company is different, and technology and security needs vary widely. A general rule is that your security staff should account for 5-10% of your IT staff. The actual percentage of security staffing will vary. Sometimes you’ll be closer to 5% when growing the IT team, and closer to 10% when staffing security. These averages seem to be consistent bumpers in the security staffing bowling lane.

When Should I Hire a Chief Information Security Officer (CISO)?

This also depends on the company and a variety of factors:

  1. Four or more security staff
    You have a lot of cybersecurity staff and need a people manager. This can be a solid trigger. In this case, shoot for staffing a CISO at 4+ cybersecurity analysts.
  2. Four thousand total employees
    Once your organization hits 4,000-5,000 employees, you should hire a CISO. If this is your trigger, then you’re hiring the CISO as a security evangelist. They should focus on priming your collective staff to self-select the correct behavior as it relates to security.
  3. Your business requires security chops to sell a product
    In this case we see companies hiring a CISO as soon as possible, especially when it’s tied to revenue. Between vendor assessment questionnaires, client calls, and anything else meant to prove security and inspire consumer confidence, your CISO will need strong client-facing and maybe even sales skills.
  4. All of the above
    If your business meets the previous three security needs, the CISO typically has strong security lieutenants to support varying and diverse security needs.

Many companies are still struggling to retain security talent. Check out these additional resources to support your cybersecurity hiring process:

More companies are looking to managed services providers and flexible security resourcing options like NuHarbor. Contact us today to learn more about how we can help provide comprehensive cybersecurity for your company.

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.

FAQs

What is the staffing ratio for information security?

There is no one-size-fits-all approach to IT staffing ratios for cybersecurity, but there are some typical ratios that organizations can use as a starting point. According to data from Workforce, an organization with under 500 employees would want an IT professional for every 18 employees (a ratio of 1:18).

What are the five A's of information security?

This blog explains the five A's that form the foundation of Cloud Identity Management: authentication, authorization, account management, audit logging, and accountability.

What are the 3 pillars (CIA) of information security?

Standing for Confidentiality, Integrity, and Availability, the CIA triad comprises the three pillars of information security that experts use to identify and reduce vulnerabilities in security systems.

How do you build an information security team?

How to Build Your Security Team
  1. Security Officer. So this person will kind of be like the Tony Stark or Wonder Woman of your security team. ...
  2. Privacy Officer. ...
  3. Your Risk Committee. ...
  4. A Third-Party Vendor Assessment Team. ...
  5. Your Audit Committees. ...
  6. Incident Response Team.

What is a good staffing percentage?

In the staffing industry, most companies set a markup value of 50% for all products, but some experts recommend starting at 40% for startups. However, there is no “one size fits all” when it comes to markup percentages. Location and size will prove to be some of your main decisive factors.

What is the standard IT staff ratio?

Accounting for data from Workforce, they've found that for organizations with less than 500 employees, the average ratio is 1:18, IT staff to employees. This ratio tends to increase as the organization gets larger, with organizations between 5,000 and 10,000 employees having a ratio of 1:25 on average.

What are the 7 P's of information security?

We outline the anatomy of the AMBI-CYBER architecture adopting a balanced scorecard, multistage approach under a 7Ps stage gate model (Patient, Persistent, Persevering, Proactive, Predictive, Preventive, and Preemptive).

What are the 3 C's in security?

The 3 Cs of Enterprise Security: Communicate, Coordinate and Collaborate. As technology continues to evolve and become more interconnected, the line between cyber and physical security is increasingly blurred.

What are the 5 D's of security?

Deter, Detect, Deny, Delay, and Defend are the five crucial elements of an overall security system. The five Ds are often used to design a perimeter protection plan that can reduce the overall cost of a facility's security system and improve the effectiveness of the plan.

What is a CIA triangle?

The CIA Triad—Confidentiality, Integrity, and Availability—is a guiding model in information security.

What is the CIA triad in NIST?

The CIA triad represents the three pillars of information security: confidentiality, integrity, and availability, as follows. This series of practice guides focuses on data integrity: the property that data has not been altered in an unauthorized manner.

What is the DAD triad?

We adopt security policies in enterprises or individually model the CIA triad from a protection perspective. However, attackers have their own model too. This model consists of three pillars: disclosure, alteration, and denial (which is also abbreviated as the “DAD” triad).

What should a security team look like?

Having well-rounded security teams is essential for any organization that wants to ensure their digital assets are protected. This team should be comprised of network engineers, security architects, security analysts, security managers, and a chief information security officer (CISO).

How to structure a cybersecurity team?

Structure: How Is a Cyber Security Team Organized?
  1. Chief Information Security Officer (CISO): The executive in charge of the cybersecurity strategy and governance.
  2. Security Analyst: Focuses on analyzing vulnerabilities and risks.
  3. Security Engineer: Responsible for designing and implementing security solutions.

Who should lead a security team?

Security professionals/experts should lead the team. The approach to security should be more managerial because they can make and implement better decisions compared to technology.

What is a good staffing ratio?

Right now, California's ratios for various care units include: 1-to-1 in operating rooms. 1-to-2 in intensive care, labor and delivery, ICU patients in the ER, and neonatal care.

How many people work in information security?

The good news is that the number of people in cybersecurity jobs has reached its highest number ever: 5.5 million, according to the 2023 ISC2 Global Workforce Study.

What is the ideal information ratio?

A good information ratio for a mutual fund typically falls above 0.5, although this can vary based on factors such as the fund's investment strategy and prevailing market conditions.

How large should a cyber security team be?

The number of team members in each subdomain varies based on the size of the enterprise. In a medium to large-sized company, the cybersecurity team typically consists of anywhere from 10 to 50 members, or even more.

Article information

Author: Horacio Brakus JD
