


It’s not difficult to find a lot of good information on general Information Technology staffing ratios. Spend a few minutes online, and you will quickly turn up surveys, benchmarking studies, and lively discussions. The “right” ratio of IT staff to users at large varies widely, depending on the type of business, the industry’s reliance on technology, etc., but for the most part, someone looking to find out how many IT staff overall a company needs can find some decent numbers to start with.

The task becomes a lot harder, however, when you want to find staffing ratios for information security staff. Perhaps because the “right” number of information security staff is highly sensitive to the nature of the business and the regulatory environment, or perhaps because the information security discipline is less mature than IT infrastructure or operations, there just aren’t very many good benchmarks out there. Asking “how many information security staff do we need?” results in a resounding “It depends.”

For this article, I gathered several pieces of publicly-available information into one location to sketch out a broad range of staffing benchmarks for the information security function. A number of data points are collected and described below. The intent is not to establish the “right” information security staffing ratio – that’s probably impossible. Rather, my hope is that this article will be a useful resource for information security professionals looking for data to inform their staffing discussions. Hopefully this article will also help spark more research into and analysis of this topic.

Here are the most illuminating sources of information I found.

In their 2007 book Information Security Management, Harold Tipton and Micki Krause look at the issue of information security staffing ratios, but only briefly. Tipton and Krause offer some general principles but acknowledge that the question of information security staffing ratios is affected by a vast number of inputs. The book does, however, quote two sources that do attempt to derive a single benchmark. According to Tipton and Krause, a 2003 Deloitte Touche Tohmatsu (DTT) study recommended one information security professional for every 1000 general users.

Tipton and Krause also cite unspecified “previous studies” by the Computer Security Institute (CSI) that attempt to derive information security staffing ratios from budget ratios. The CSI studies estimate the average information security staffing level at 3%-5% of overall IT staff.
