Management Summary of Information Security Staffing Levels:
Calculating the Standard of Due Care
by Charles Cresson Wood and the Computer Security Institute

To determine whether an organization has an adequate level of information
security staff, we have compiled ratios reflecting the current practices of
302 anonymous organizations in the United States and Canada. These ratios
allow organizations to expediently compute an appropriate number of
information security staff, an appropriate budget for information security
staff, and an appropriate budget for all information security activities.

This year's survey showed a surprising 64% increase in the percentage of
total workers devoted to information security activities. It also showed
that this ratio has increased a whopping 300% since the 1989 survey. At
present, on average, information security makes up 0.100% of total staff.
Like all of the ratios in the full report, this percentage varied by
industry, organizational size, number of years since the information
security function was established, and involvement in national defense
activities.

Looking again at the percentage of total workers devoted to information
security, it is interesting to see that small organizations are changing
much faster than larger organizations. Smaller organizations are
increasing headcount at a 68% annual rate, while medium-sized organizations
are increasing it at a 27% rate, and large organizations are increasing it
at only a 24% rate. Smaller organizations appear to be in a catch-up
effort, making up for lower investments in information security in years
past.

Respondents separately indicated that EDP Audit as a percentage of total
staff had increased some 49% over the prior year. On the average, some
0.058% of total staff is devoted to EDP Audit.

The ratio of information security headcount to EDP audit headcount was 1.75
this year. This means that there are 1.75 information security staff
members for every EDP audit staff member. This ratio advanced 10% over the
last year. Information security continues to grow faster than EDP audit.
Nine years ago, the ratio was reversed: EDP audit commanded far more people
than information security, with 1.55 EDP auditors for every information
security person. The report also indicates the ratios for information
security relative to both physical security and information services. The
growth in information security continues to significantly outpace both of
these areas as well.

This year's survey indicated that some 14.60% of the information security
workforce was part-time. This represents a slight decline from the prior
year's survey, which showed that 17.27% of the workers were part-time. The
rapidly increasing demands on the time of information security specialists
may partly explain this change.

Outsourcing of information security is now used for some 7.44% of the work.
This was a moderate increase from the 5.83% reported last year. Like all of
these ratios, considerable variability was seen from industry to industry.
The Computers and Telecommunications industry saw a marked decrease in
outsourcing, while a notable increase was seen in the Transportation and
Distribution area.

On the average, some 36.92% of the information security budget is used for
in-house staff. This was a slight decrease from the prior year, which
indicated that some 38.92% was devoted to in-house staff. The difference
was attributable to increased outsourcing. The new security administration
automation technologies don't appear to be making much of a dent in
headcount.

Staffing for information security was anticipated to increase 14.86% in the
coming year. This expansion in staff was lower than the prior year's
expectation; at that time a 17.78% increase in staff was anticipated.

This year's survey also indicated that the annual budget for information
security (not just staffing) was expected to increase 20.42% over the next
year. The average budget dollars per information security staff member,
across all industries, was $88,424. The healthcare industry spent by far
the most per information security worker, and education spent the least.

In spite of the trend towards the use of sophisticated technical tools
rather than people to perform certain security functions, and in spite of
the trend towards the empowerment of users and others to attend to their
own information security needs, the relative number of staff with assigned
information security duties is growing at a significant rate.

Additional details can be obtained in the full report, available from
Baseline Software, Sausalito, California at 800-829-9955
(www.baselinesoft.com), or from the Computer Security Institute, San
Francisco, California at 415-905-2626 (www.csi.com).