Information Security & Data Privacy Staffing Survey 2011
About Information Shield
Information Shield is a global provider of security policy, data privacy and security awareness solutions that enable organizations to effectively comply with international security and privacy regulations. Information Shield products are used by over 9000 customers in 60 countries worldwide.
Information Shield, Inc.
7549 Highmeadow Dr., Houston, TX 77063
P: 888.641.0505  F: 866.304.6704
Benchmarking the Information Security Function
January 2012
Information Shield P a g e | 2
Information Security and Data Privacy Staffing Levels
Establishing a Standard of Due-Care for Modern Organizations
By Charles Cresson Wood, CISSP, CISM, CISA
Executive Summary
Is your information security group under-staffed? Can you prove it
with numbers? What is the standard of due care for staffing the
information security and privacy functions?
These are common questions that are often asked in budget
meetings. For decades, information security specialists have
been requesting ever larger budgets for their internal
information security efforts, with very little hard data to
support their requests.
To help answer these and other common staffing questions,
the author teamed up with Information Shield for the 2011
Information Security and Data Privacy Staffing Survey. The
survey was conducted in late 2011 and included responses
from over 150 organizations in 34 different countries. This
survey provides definitive quantitative reference points that
management can use to determine whether an organization is
falling behind, or whether it is out in front of the competition.
Table of Contents
Executive Summary .................................... 1
Introduction ......................................... 2
About the Staffing Survey ............................ 3
Respondent Profiles .................................. 4
Staffing Ratios by Industry .......................... 6
Staffing Trends ...................................... 10
Staffing Budgets ..................................... 15
Budget Trends ........................................ 16
Budget Influences .................................... 18
Staffing Budget Calculations ......................... 25
Organizational Structure and Staffing ................ 27
Reporting Relationships .............................. 29
Staff Certifications ................................. 31
Temporary Workers .................................... 32
Outsourcing Security ................................. 33
Data Privacy Staffing ................................ 34
Conclusion ........................................... 34
Survey Methodology ................................... 36
About the Author ..................................... 40
Introduction: Information Security and Data Privacy Staffing
How many people should we hire?
For decades, information security specialists have repeatedly requested larger budgets for their internal information security efforts. In many cases, they have staunchly maintained that not enough is being spent on information security. Top management has often responded with comments like, “Show me the numbers – how do you know we aren’t spending enough?”
This report provides those numbers: the numbers that allow an organization to determine how it ranks with its peers. Through a few simple calculations, readers can quickly determine whether their organization is spending too little, or perhaps too much, on information security staff. Comparable numbers are also provided for budget dollars. With these numbers, specialists can once again approach top management with substantiated budget requests for an expanded information security staff.
In addition to key staffing ratios, the survey asked for detailed information about the current state of the information security organization. For example, does the organization have a formal department and/or a senior executive devoted to information security? Within these departments, how much of the work is done in house and how much is outsourced? The results provide a snapshot of the modern information security function.
“How do we know how many people to hire for information security?”
About the Staffing Survey
The 2011 Information Security Staffing survey was designed to measure how the information security and data privacy functions are staffed across a variety of organizations. In addition to measuring key head-count ratios, we asked a number of questions concerning the maturity of the formal information security function, including the age of the program and how it reports within the organization.
Defining “Information Security”
In all of the survey data, we defined the “information security function” as all activities that protect information and/or information systems. This included systems-related contingency planning, archival records management, and information systems access control. This definition of the information security function excluded information technology (IT), systems auditing, risk management, legal, human resources, and physical security activities that were not information security related. Only those staff members who perform information security duties not expected of rank-and-file employees were counted in the information security function. As might be expected, users who attend to their own information security tasks would likewise be outside the scope of the information security function, as we defined it here.
The calculations in all three surveys were based on FTEs (full-time equivalents). For example, four half-time people would be equivalent to two full-time people. Outsourcing firm staff, temporaries, consultants, and contractors who perform information security work were included in the total FTE count.
History of the 2011 Survey
The 2011 Information Security Staffing Survey was the third version of a series of similar surveys spanning a 24 year period. The first survey was completed in 1989, and a follow-up survey was completed in 1997 in conjunction with the Computer Security Institute (CSI). This summary focuses primarily on the results of the 2011 survey, but occasionally makes reference to the older data to show the direction in which things are moving.
Organizational Profiles: Who Responded?
The 2011 survey had respondents from many different organization sizes, geographies and
business types. The average organization that responded to the 2011 survey had 14,000 full-
time employees across all locations. On average, the organizations had an information security
program in place for 5.5 years, even though the numbers varied from zero (no formal program)
to a very mature 22 years.
The 2011 survey had strong international participation compared to previous surveys. By far most of the respondents came from the USA and the UK, but India, France, Canada, Australia, and New Zealand were all well represented. This is quite different from the 1997 survey, in which 80% of the respondent firms hailed from the USA and Canada. The 2011 survey had respondents from 34 different countries (see Figure A-1). By far the largest response rate was from US-based organizations. However, other countries with developing IT industries made up a healthy number of respondents.
Figure A-1: Geographic Breakdown of Respondents
The scope of information security activities has also gone global. For example, the average number of countries in which this group of 2011 respondents had information systems activities was 14.23. The wider geographical scope of respondent activities is consistent not only with the dispersion of information technology around the globe, but also with the increasingly international business activities facilitated by the Internet (including this survey). Just how the increased international focus of the respondents has changed the results of the survey is unknown, but those using these numbers might want to take that significant change into consideration.
Information Security Staffing Levels by Industry
Information Security as a Percentage of Total Workers
For the 2011 survey as a whole, the total staff who worked on information security tasks (including contractors, consultants, temporaries, and outsourced workers) made up 0.53% of total staff. This 2011 ratio shows an order of magnitude increase from the 1997 survey, which produced an average ratio of 0.06%. And that 1997 average ratio was likewise up substantially from, and roughly a doubling of, the 1987 survey’s average ratio of 0.03%. [See Chart A-1] Put another way, the average staffing for information security across all organizations was one full-time security person for every 200 employees.
In the survey the ratios were computed by comparing the number of full time equivalent staff
(FTE count) to the number of staff devoted to information security. The average ratio of
information security full time equivalent staff (FTEs) divided by total organizational FTEs,
across all industries, was 0.53%, while the median was 0.18%. (The difference between the mean
and the median reveals that the variability in the responses received was high. However, we do not calculate standard deviations for reasons explained in the subsection below called “Overview of the Survey Methodology”).
“Average information security staffing across all organizations made up 0.53% of total workers, up over 800% since 1997”
Please note that the decimal places used here, and elsewhere in this report, should not
communicate any particular level of precision -- only the relative position of information
security within organizations. The position of these decimal places also reveals how the
information security function continues to expand markedly over the 24 year period measured
by the three surveys mentioned above.
Table A-1 provides a breakdown of this FTE ratio by industry. As a quick glance at the table reveals, the staffing levels are markedly different from industry to industry. Properly speaking, an average staffing level ratio should be industry-specific in order to mean anything in terms of calculating a standard-of-due-care staffing budget, a headcount increase request, an objection to a planned headcount reduction, and the like.
This large variation in headcount ratio was also observed in all previous surveys. For example,
prior surveys indicated the more information intensive the industry, the greater this headcount
percentage will be (Financial Services is a good example of a high information intensity
environment, while Retail is a good example of a low information intensity environment).
Likewise, all other things being held constant, the greater the number of information security
related laws and regulations that a firm needs to respond to, the higher will be the budget and
associated headcount of the information security function.
In both the 2011 and the 1997 surveys, we see that Retailing/Wholesaling had the least
information security staff as a percentage of total workers. Similarly, across multiple surveys,
those firms involved in the military, the federal government, and aerospace/defense had the
largest information security staff as a percentage of total workers. This is as might be expected,
given the nature of the life-and-death risks faced by people in the military, diplomatic agencies,
and related contractors. These risks are above and beyond the property protection risks faced by
firms not operating in these areas.
Table A-1: Information Security as a Percentage of Total Workers (Staffing Ratio)
Business Activity                  Security FTE / Total FTE (Staffing Ratio)
Telecommunications                 0.208%
Education                          0.258%
Government (Federal)               1.680%
Government (State and Local)       0.289%
High Tech                          0.551%
Manufacturing/Production           0.257%
Retailing/Wholesaling              0.087%
Transportation/Distribution        0.167%
Financial Services                 0.522%
Health Care                        1.299%
Utilities                          0.373%
Services/Consulting                0.776%
Other                              0.238%
Average                            0.53%
To help observe some trends between surveys, Table A-2 contains the ratios (Information
Security FTEs divided by total organizational FTEs) shown respectively for the 2011 [left
column] and 1997 [right column] surveys. Note: Where an “X” appears in that table below, no data
was available from the survey involved. For example, the 1997 survey had an industry classification
called Computers/Telecommunications, but the 2011 survey broke this grouping out into two
separate categories respectively called High-tech (Computers) and Telecommunications.
Similarly, the 1997 survey had a Government category, but this was broken out in the 2011
survey into Federal Government, and separately State or Local Government.
Table A-2: Information Security as a Percentage of Total Workers - Comparison
Business Activity                  2011 FTE Ratio    1997 FTE Ratio
Computers/Telecommunications       X                 0.208%
Telecommunications                 0.141%            X
High Tech (Computers)              0.551%            X
Education                          0.258%            0.063%
Government                         X                 0.161%
Government (Federal)               1.680%            X
Government (State and Local)       0.289%            X
Manufacturing                      0.257%            0.035%
Retailing/Wholesaling              0.087%            0.020%
Transportation/Distribution        0.167%            0.037%
Financial Services                 0.522%            0.138%
Health Care                        1.299%            0.093%
Utilities                          0.373%            0.092%
Services/Consulting                0.776%            X
Aerospace/Defense                  X                 0.047%
Other                              0.238%            0.229%
Average                            0.53%             0.06%
The substantial difference between the two government categories appearing in the 2011 survey is probably due to the military and diplomatic corps being a part of the first (Federal), but not the second (State and Local), of these categories. Civilian agencies in the Federal Government may accordingly wish to use the State & Local Government ratio. Likewise, no Aerospace/Defense category appeared in the 2011 survey, but it did appear in the 1997 survey. No Services/Consulting category appeared in the 1997 survey, but it did appear in the 2011 survey. These category differences mean that, in some instances, a particular firm may have moved from one category to another, as we move from the 1997 survey to the 2011 survey. Also note that, as described in the subsection below entitled “Overview of the Survey Methodology,” specialist information security firms, such as consulting outfits and managed security service providers, were intentionally excluded from these tabulations because they would otherwise dramatically skew the results.
Staffing Trends by Industry
In the 14 years that elapsed between the two most recent staffing level surveys, certain industries saw marked increases in the level of information security staffing. For example, the Utilities industry and the Transportation/Distribution industry have both increased the level of information security staff dramatically. This may be in part due to increased terrorist threats that directly apply to these industries, more so than other industries. Similarly, the Financial Services industry saw approximately a three-fold increase, while the Health Care industry saw more than a ten-fold increase. The latter two increases are no doubt in part due to significantly more laws and regulations related to information security. The computed average for the Education industry saw a four-fold increase in its staffing level over the last 14 years, and this was probably in part due to increased laws and regulations, but also perhaps because a number of infamous attacks, such as the Robert Morris worm, have been launched from educational institution computers. It is interesting that the “Other” industry category saw only a marginal increase over this 14 year period, and that is probably attributable to a significant change in the industries that were lumped together into the “Other” category. Since the respondents did not specify what “Other” meant to them, we cannot dissect this interesting result any further.
“On average, security staffing increased nearly 400% since the 1997 survey”
Of course, as mentioned briefly above, headcount ratios also increased in those cases where respondent firms were involved with military or diplomatic activities. If we change the sort, such that we exclude all those firms with 20% or more of staff working on information security, rather than 5% as described in the subsection entitled “Overview Of The Survey Methodology,” then where respondents did have such an involvement, the 2011 information security staff FTEs divided by total FTEs was a very healthy 1.760%. But where they did not have such involvement, the same ratio was only 1.344%. As the difference between these two ratios and the survey overall average headcount ratio shows, by far most (82%) of the 2011 survey respondents hailed from non-military and non-diplomatic organizations. With the 5% cut-off used elsewhere in the survey, we inadvertently removed too many of the military and diplomatic organizations, and this caused there to be apparently no difference between these two categories. Removal of respondents from the data set used to perform calculations, as mentioned in the note at the bottom of Table A-1, was intended to exclude those firms which were in the business of information security.
Table A-3: Survey Respondent Breakdown by Industry Classification
Business Activity                  Percentage of Respondents
High Tech                          12%
Telecommunications                 3%
Education                          2%
Federal Government                 3%
Government (State and Local)       3%
Manufacturing/Production           8%
Retailing/Wholesaling              3%
Transportation/Distribution        3%
Financial Services                 28%
Health Care                        6%
Utilities                          5%
Services/Consulting                14%
Other                              10%
Total                              100%
Table A-3: 2011 Survey Respondent Breakdown By Industry Classification. The higher the
percentage in this table, the greater the confidence the reader can have that the industry specific
head-count ratio approximates the actual situation in a particular industry.
Note: There was no category for Aerospace/Defense in the 2011 survey but this category did appear in the
1997 survey. See the note in Table A-1 for more information about this comparability problem between
the last two surveys, and how to overcome it.
Staffing and Security Program Maturity
It is interesting that the percentage of total headcount devoted to information security also varies considerably based on the number of years that a formal information security function has existed. As might be expected, if an information security function was new, and for purposes of the survey this was defined as less than a year old, then the ratio mentioned above was only 0.36%. For a number of firms, this low ratio was in part the result of no staff yet allocated to the function. For those firms with a function in place for a year, the ratio quickly rose to 1.37%. This relatively high percentage is consistent with the notion that a certain foundation for information security must be created at the beginning of a formal information security function, and this foundation takes considerable resources to establish. Some elements of this foundation include job descriptions, performance reviews, budgets, policies, standards, guidelines, procedures, training programs, contingency plans, and the like. Other elements of this foundation include a data dictionary indicating, among other things, the data classification of different types of information.
According to the 2011 survey, after a formal information security function has been established, fewer people are evidently needed to run things. Those firms with a two-year-old function had an average of 0.25% of their total organizational staff devoted to information security. This is not too far away from the average for all respondents, regardless of the duration that a formal information security function has been in place. It seems, however, that many organizations have cut back too much at this point, because those firms with a three-year-old function devote an average of 0.42% of their total staff to information security work. This cut-back-too-much, then add-some-more-to-catch-up, approach is apparently found at many firms as they converge on the right level of information security staffing for their particular situation.
Reflecting this back-and-forth convergence, we see that four-year-old functions had an average of 0.36% of total staff devoted to information security. This significant cut-back may be a reflection of the erroneous notion often held by top managers that information security is a project rather than an on-going business function. While a good foundation for a successful information security program needs to be established, and fewer resources can then later be devoted to information security in subsequent years, that does not mean that there won’t be a significant need for staffing to support many on-going functions (access control administration, contingency planning, awareness training, and intrusion detection and response, being just a few of the activities that require on-going funding). Reflecting this back-and-forth convergence pattern, those firms with five-year-old formal information security functions saw this ratio go back up significantly to 0.59%. This same yo-yo pattern (cut, then beef-it-back-up, then cut again, then beef-it-back-up) prevails in later years as well. Readers going through such dramatic ups-and-downs in the budget should therefore feel that their experience isn’t too far different from the norm.
But the trend over time for this staffing ratio is slightly down as the information security
function becomes more established. This is consistent with the notion of economies of scale,
where an increasing number of information security activities are automated instead of handled
manually. The 2011 survey’s gradual reduction in staffing levels as the security function ages
compares favorably with numbers in the 1997 survey. According to these averages and this
author’s experience, in 1997, automation was not in use in the information security area
anywhere near as much as it is today.
Calculating Budgets: Changes and Influences
The 2011 survey included a number of questions regarding information security budgets,
including expected growth/decline and the common factors influencing budgets.
Expected Budget Changes
Another question asked in the 2011 survey was “what do you expect in terms of the increase in information security staff in the following year?” Note that this was not a request for how much you are going to ask for in your budget. It was an assessment of what the actual increase will be. The 2011 average came in at 13.58% -- a very impressive number indeed in this tough economy. The 1997 average was not that far away -- some 17.78%. Clearly information security is still a very important organizational function, and it continues to be seen as such by top management, even in the midst of the severe belt tightening now being suffered by many other departments.
“Budgets for information security staffing are expected to increase 15% in the next year.”
Consistent with the yo-yo pattern mentioned above, the responses to next year’s estimated increases in the staffing for information security were all over the map, from -50% to +100%. Fully 50.00% of the respondents indicated that they anticipated no change. Some 12.84% said next year would probably bring a 10% increase in staffing levels. Some 11.49% indicated that they expected a 25% increase, 8.78% expected a 50% increase, and 6.76% expected a 100% increase.
Table A-4: Anticipated Increases in Next Year's Staffing Budget
Business Activity                  Percentage Increase Expected in Staffing Budget
Computers/High-Tech                22%
Telecommunications                 -2.5%
Education                          0%
Federal Government                 35%
State and Local Government         20%
Manufacturing                      12.5%
Retailing/Wholesaling              5%
Transportation/Distribution        -12%
Financial Services                 14%
Health Care                        12%
Utilities                          13%
Services/Consulting                23%
Other                              5.7%
Average                            +13.58%
Table A-4: Estimated increase or decrease in next year’s staffing budget. While most categories
planned increases, there was high variation between the expected amounts.
Budgeting Influences
Let’s now turn to something that readers can do to increase funding for information security staffing. One of the new additions to the 2011 survey was a number of questions regarding trends and influences on the information security budget. Each of the factors is discussed below.
“Regulatory compliance was the largest influence on overall staffing budgets.”
Influence of Overall Business Climate
It was intriguing to note the extent to which respondents considered the overall business climate in their industry to be affecting the budget for information security. Some 15.71% said the overall business climate had a “high influence,” while some 19.29% indicated that the business climate had “more influence.” Some 17.86% said that the business climate in their industry had “medium influence,” while 30.71% indicated that it had “some influence.” Only 16.43% indicated that the business climate had “no influence.” These results indicate that the budget for information security is highly dependent on available funds, and the general level of success of the respondent’s industry. This does not bode well for the future because a certain level of essential information security services must be provided -- if serious business losses are to be prevented and properly dealt with -- no matter what the prevailing business conditions are.
Influence of Firm Profitability
Respondents were additionally asked about the influence of their own firm’s profitability on the
budget for information security. Consistent with the answers mentioned in the prior paragraph,
some 20.71% said it had a “high influence,” 9.29% said it had “more influence,” 22.14% said it
had “medium influence,” 27.14% said it had “some influence,” and 20.72% said it had “no
influence.” Again, in these answers we see evidence of the pressing need to better separate the
story explaining why information security needs additional funding, from the story about the
financial success (or lack thereof) of the organization involved. In large measure, information
security is not a discretionary expenditure that can be expanded or contracted as top
management sees fit. There are instead basic minimums that must be in place (as expressed for example in the Payment Card Industry Data Security Standard, alias PCI-DSS), and if these minimums are not in place, then the organization can’t do business. This author submits that the reality of this need for a foundation of information security is not sufficiently showing up in the budgetary influences reported by the respondents.
Influence of Management Awareness
Top management awareness levels had an effect on information security budget levels, but not
in a simplistic or predictable manner. Even though it is somewhat counter-intuitive, the
respondents with the highest levels of management awareness did not have the highest levels of
staffing. This may be because many of these organizations were in an emergency catch-up
mode, perhaps responding to security incidents, a bad audit report, or something of that nature.
Those organizations with a significant but more moderate level of management awareness had
the highest staffing levels. Not all that surprisingly, those reporting no management awareness
impact on the budget had the lowest levels of staffing for information security. In terms of the
actual numbers, the information security staff to total employment ratio was close to the
average across all industries, coming in at 0.42% for those reporting a “high influence” for
awareness on the budget for information security. Those reporting “more influence” had a more
impressive 0.64% ratio. Those reporting a “medium influence” had again close to an average
0.46% ratio, while those reporting “some influence” had a more impressive 0.66% ratio. Not
surprisingly, the worst FTE ratio, 0.39%, was reported for those firms indicating “no influence.”
How best to interpret this bimodal distribution is a good question. Perhaps on-going efforts to raise the level of management awareness pay off, while neither the emergency catch-up approach nor ignoring this type of awareness training -- the two extremes of the spectrum -- works well. Perhaps the limited impact of awareness raising efforts can also be attributed to the fact that management, at most firms, is already well aware of the seriousness of information security. It appears as though additional investments of time and money into raising management awareness are suffering some diminishing marginal returns.
Influence of Security Incidents
The 2011 survey also asked respondents to indicate whether recent security incidents, at their
firm and others, have affected their information security budgets. Those firms reporting that
such incidents had a “high influence” had a most impressive staffing ratio on the average of
0.97%. Those firms reporting “more influence” had a close to average 0.45% ratio. Medium
influence had a close to average 0.56% ratio as well. Considerably lower staffing levels were
found for those reporting “some influence” (0.23%), and “no influence” (0.34%). Apparently
having security incidents be highly visible to management can increase staffing levels three-fold
or more. If one is looking to increase the staff budget, better incident reporting and analysis
appears to be a better investment than general management awareness training (the latter was
described in the prior paragraph). The fact that any respondents reported that incidents had “no influence” indicates to this author a missed opportunity. In this group, frequently-occurring malware incidents are not being publicized internally as they should be. Likewise, the many cases taking place outside the firm in question are not being communicated to top management as well as they could be. Based on the answers to this question, as well as a widely acknowledged best practice, an internal database keeping track of in-house losses, sometimes called a loss history, is a very good investment to make.
Influence of Customers and Partners
The 2011 survey additionally asked respondents about pressure to increase their information security budgets coming from clients and business partners. The results to this question were unexpected, and the reasons behind these results are not fully clear. Those firms indicating that budgets were “highly influenced” by pressure coming from clients and business partners had a high staffing ratio of 0.75%. As might be expected, those firms reporting “no influence” had a considerably worse average staffing ratio of 0.16%. Firms reporting “more influence” had a 0.56% average ratio, and those with “medium influence” had a comparable average ratio of 0.58%. So far, all that is predictable. In other words, top management responds significantly to pressure coming from clients and business partners. The unexpected part was those with “some influence,” which had an unexpectedly high 0.70% average ratio. The lesson here is that it is not sufficient to communicate the information security needs of clients and business partners to top management. Some pressure actually needs to be exerted, and the more pressure, the better will be the increase in the information security budget. In addition, those firms indicating “no influence” may also be unduly and unrealistically isolating themselves from the needs of clients and business partners, because we are now all connected through the Internet and a variety of other structures supporting information flows.
Influence of Media and Competitors
On a similar note, in a single combined question, respondents were asked about pressure from the media or competitors, and whether that pressure had an impact on the information security budget. We can all imagine how huge the budgetary impact of a security incident at your firm being described on the front page of The Wall Street Journal would be. Likewise, we can all imagine that, at some point in the future, your firm will be forced to upgrade its information security because such an improvement has become a competitive necessity. Respondents reporting that this pressure was “highly influential” in terms of setting budgets had a considerably higher than average ratio of 0.64%. Staffing ratios spiked in the “more influence” category with an average of 0.95%. The category of “medium influence” had a still impressive 0.67% average staffing ratio, while the “some influence” category came in below the cross-industry average with 0.46%. No influence had a still less desirable ratio of 0.41%. Just why “more influence” was better than “highly influential” is not clear from the data obtained. Perhaps the “highly influential” category had a lower than expected staffing ratio because the information security function at many of these firms was in trouble. In such a situation, the function may be getting pushed from the outside to shape up. Those that were not in an emergency catch-up mode may find themselves choosing the “more influence” category, and hence their ratios may be higher.
Influence of Laws and Regulations
The impact of laws and regulations on the budget for information security was also explored in the 2011 survey. Those firms reporting that laws and regulations had a “high influence” on their budgets, which made up fully 38% of the respondents, had a very impressive staffing ratio of 0.71%. Those respondents reporting “more influence” had a quite respectable ratio of 0.64%. Those with “medium influence” reported a worrisomely low 0.18% staffing ratio. Those respondents indicating “some influence” came in with 0.50%, while those with “no influence” had a very low staffing ratio of 0.26%. With the exception of a blip in the data around the “medium influence” category, there is a clear correlation between increased importance of laws and regulations and increased information security budgets. This strong correlation is a reminder to every reader to make sure top management appreciates all the laws and regulations that define a minimum level of information security. This author believes that many of the 4% of respondents who thought there was “no influence” have not yet sufficiently acquainted themselves with all the relevant laws and regulations. For example, the requirements to notify data subjects in the event of a breach of personally identifiable information, or PII, apply to nearly all organizations operating in the USA. Of all the budgetary influences investigated via this survey, it was the legal and regulatory influence that had the strongest positive impact on budgets.
Figure A-2: Weighted table of budgetary influences by each category in the survey. Respondents were asked to rate the influence of each item from 1-5, with “None” as (0) to “Very High” as (5). The weighted average shown in this figure for each of these five possible responses indicates the relative importance of these budgetary factors.
Information Security Staff and Total Budgets
Respondents to the 2011 survey were furthermore asked how much of their current information security budget was devoted to staff. Some 36.28% of information security expenditures were attributed to staff. The 1997 survey indicated this ratio was 36.92%. These numbers suggest increased use of automated tools over the last decade or so. In the future, we can expect to see the percentage of the information security budget devoted to staff continue to gradually come down. The 2011 number is actually quite impressive if one considers the numbers that Information Technology Departments generally encounter in terms of labor. According to Cynthia Rettig at MIT, writing in a 2007 article entitled “The Trouble With Enterprise Software,” some 70-80% of information systems budgets are today consumed by labor.
There are multiple possible interpretations of this average percentage of budgets assigned to labor from the 2011 survey. If we assume that a lot of the cost of information security is inappropriately off-loaded to both user departments and Information Technology Departments, then the numbers found in the 2011 survey may reflect misleadingly low staffing levels for the information security function. If we assume that formal information security functions are still nowhere near as common as they should be, given that information security is still a new organizational function, then this low staffing level could simply be a reflection of the fact that there has been an incomplete and insufficient recognition of the true costs of supporting information security. Still another possible interpretation of the same data is that information security budgets remain underfunded, that organizations have generally been emphasizing automated tools too much, and that they need more expertise in order to properly handle the complexity that goes along with information security. This author thinks all three interpretations are plausible and may all exist simultaneously.
“37% of all security expenditures are devoted to personnel.”
Table A-5: Percentage of Budget Devoted to In-House Staff
Business Activity 2011 Survey
Computers/Telecommunications 44%
Education 65%
Government 64%
Government (State and Local) 35%
Manufacturing 37%
Retailing/Wholesaling 40%
Transportation/Distribution 7.5%
Financial Services 34%
Health Care 42%
Utilities 28%
Services/Consulting 24%
Telecommunications 35%
Other 32%
Average 36%
Budgets and Staffing: Putting the Pieces Together
Putting the pieces together, we can now perform a few quick calculations to estimate staffing
and budgets for each industry. First, a reader calculates the total full-time-equivalent staff
(FTEs) at the organization in question, including outsourcing firms, temporaries, consultants,
contractors, etc. This number should include all functions, and everything that the organization
does to meet its business objectives.
As an example, let’s assume the organization has 10,000 FTEs. Then the reader multiplies that total FTE headcount by the industry percentage devoted to information security staff (see Table A-1), and we get the approximate average headcount for information security. Continuing with the example, let’s assume this firm is in the Health Care industry. From Table A-1 we pick the number 1.299% [stay in the left column no matter what the industry] and multiply that by 10,000, to come up with 130 FTEs devoted to information security. This 130 FTE number includes all efforts devoted to information security, which is defined as protecting information and/or information systems (see the subsection entitled “Overview of the Survey Methodology” for a more precise description). Included in this 130 FTE number would be the information security work of systems administrators in user departments doing access control, the work of outsourcing firms doing penetration tests, and the on-going network monitoring provided by a managed security services firm. This number is not an absolute-must-have number; it is simply the average indicated by our survey. It is not some minimum to which all firms must subscribe; it is just an indicator of what other firms in the same industry are spending on information security staff.
To take this example one step further, we can then calculate a quick-and-dirty average budget for a firm of a certain size in any particular industry. The reader should next make a few inquiries at the in-house Accounting Department, to get the fully-loaded burden of one average staff member at the firm. By “fully-loaded” we mean not just salary, but all payroll taxes paid by the employer, as well as benefits like health insurance. For this example, let’s assume the fully-loaded average staff member at this firm costs US$45,250/year [this calculation has nothing to do with US dollars, or currency conversion rates, and can just as easily be done in any other country’s currency]. Now we have enough information to calculate a rough average total budget for the information security function (note that this calculation will include all work in the information security area, not just work which is done by the official group called Information Security). Next, the reader will multiply this fully-loaded average cost per worker by the number of workers calculated in the prior paragraph, to get the labor component of the information security budget. So here we would multiply US$42,250 by 130, to get a rough total budget for information security labor of US$5,492,500. Now, if the reader divides this number by the average percentage of the budget devoted to labor, we can get a rough indicator of the total information security budget. Going back to the FTE budget ratios, we see that 36.28% of information security budgets are devoted to staff these days, so if we divide US$5,492,500 by 36.28%, we get the total average budget for information security across all departments, in this case US$15,139,195. Note that this number has been scaled for the size of the organization in question. As an aside, note that some adjustments to this calculation will probably be necessary to reflect the reader’s organization’s budgeting and charge-back processes.
The reader can now compare this rough total calculated budget number to the current total budget for information security across all departments (including outsourcing). If this calculated number is considerably more than the current budget, the reader now has a good starting point for requesting a budget increase. If the current budget is considerably more, then the reader is doing a relatively good job, and this author hopes that he or she can now sleep better at night. In the latter case, the author suggests that the reader not bother mentioning this study or the associated calculations to top management (unless the reader wants to show that they are doing their due diligence in the information security area). Be sure to take this total budget number with a “grain of salt.” The unique circumstances at the firm in question (as should be reflected in a recent risk assessment) will mean that more or less will need to be spent.
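The three-step benchmark above (headcount, labor budget, total budget) and the comparison against current spend, as an added example that is not part of the original report. Only the Health Care staffing ratio quoted in the text is known from the page, so the ratio table holds that single entry; the worked figures are reproduced with the US$42,250 the page actually multiplies by, the Table A-5 industry labor shares are an optional refinement beyond the page's procedure, and the 10% tolerance band in the comparison is an assumption.

```python
"""Rough information security budget benchmark, following the report's worked example."""
from dataclasses import dataclass

# Ratios quoted on the page. Table A-1 is not reproduced here; only the Health Care
# staffing ratio used in the worked example is known from the text.
STAFF_RATIO_PCT = {"Health Care": 1.299}   # security FTEs as a percentage of total FTEs
AVERAGE_LABOR_SHARE_PCT = 36.28            # share of the security budget devoted to staff

# Industry labor shares from Table A-5 (a refinement the page's procedure does not use).
LABOR_SHARE_PCT = {"Health Care": 42.0, "Financial Services": 34.0, "Utilities": 28.0}


@dataclass(frozen=True)
class Benchmark:
    security_ftes: int     # rounded average security headcount for the firm's size
    labor_budget: float    # security_ftes * fully loaded cost per worker
    total_budget: float    # labor budget grossed up by the labor share of the budget


def estimate_benchmark(total_ftes: int, industry: str, loaded_cost_per_fte: float,
                       use_industry_labor_share: bool = False) -> Benchmark:
    """Steps from the report: total FTEs -> security FTEs -> labor budget -> total budget."""
    if total_ftes <= 0 or loaded_cost_per_fte <= 0:
        raise ValueError("total FTEs and fully loaded cost must be positive")
    try:
        ratio_pct = STAFF_RATIO_PCT[industry]
    except KeyError:
        raise ValueError(f"no staffing ratio known for industry {industry!r}") from None

    # Step 1: industry ratio applied to the whole headcount (including contractors etc.).
    security_ftes = round(total_ftes * ratio_pct / 100)
    # Step 2: labor component of the security budget.
    labor_budget = security_ftes * loaded_cost_per_fte
    # Step 3: gross up by the share of the budget that goes to staff.
    share_pct = AVERAGE_LABOR_SHARE_PCT
    if use_industry_labor_share:
        share_pct = LABOR_SHARE_PCT.get(industry, AVERAGE_LABOR_SHARE_PCT)
    total_budget = labor_budget / (share_pct / 100)
    return Benchmark(security_ftes, labor_budget, total_budget)


def compare_to_current(benchmark: Benchmark, current_total_budget: float,
                       tolerance: float = 0.10) -> str:
    """Classify current spend against the benchmark; the 10% band is an assumption."""
    if current_total_budget < 0:
        raise ValueError("current budget cannot be negative")
    low = benchmark.total_budget * (1 - tolerance)
    high = benchmark.total_budget * (1 + tolerance)
    if current_total_budget < low:
        return "below benchmark: starting point for a budget increase request"
    if current_total_budget > high:
        return "above benchmark"
    return "near benchmark"


if __name__ == "__main__":
    # The page's example: 10,000 FTEs, Health Care, US$42,250 per fully loaded worker.
    b = estimate_benchmark(10_000, "Health Care", 42_250)
    print(b)  # security_ftes=130, labor_budget=5492500, total_budget≈15139195
    print(compare_to_current(b, 9_000_000))
```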
Information Security and the Organizational Structure
The 2011 survey also included a number of questions to determine how the information security
group reports within the organization, including whether or not the organization had actually
designated information security as a formally recognized business group.
Information Security as a Formal Group
A new question appearing on the survey asked whether information security was a formally named group. Some 31.42% of the respondents indicated that, in their organizations, it did not yet have a specific name such as “group,” “unit,” “department,” or “division.” This is a bad sign, indicating that the special needs of this unit are still not being recognized by top management in about one third of the respondent firms. In all but the smallest of firms, Information Security should be recognized as its own group, because it is distinctly different from the departments into which it has traditionally reported (such as Information Technology).
To best accomplish its assigned goals, the Information Security function needs to have its own organizational infrastructure including: a budget, job descriptions, a mission statement, a management reporting structure, a management oversight committee, and the like. That a “no” answer to this question was indicative of a relatively immature information security function was readily revealed because the “no” respondents had an information security function in existence on the average for 2.93 years. This compares to respondents for the survey as a whole, which averaged 5.58 years, and those organizations that answered “yes,” which averaged 6.71 years.
Senior Management Designations
“74% of respondents have an established function devoted to information security.”
“50% of respondents have a designated Chief Information Security Officer.”
Respondents to the 2011 survey were additionally asked whether they had a designated Chief Information Security Officer (CISO). Some 49.32% responded that they did not. While every information security function needs to have a single manager who acts as the conductor, who orchestrates activities across various different functional specialties, departments, and organizations, that individual does not need to report directly to the CEO (and thus be a C-Level manager, and be granted the coveted “chief” designation). Rather than reporting to the CEO, reporting relationships at the respondent firms were all over the map, including reporting into Operations, Legal, Risk Management, Physical Security, and Information Technology. The appointment of a CISO, if not specifically with this title (perhaps a Vice President), does nevertheless seem to be a trend. This was evident because the more mature information security functions included a CISO, while the less mature functions marginally did not. The average age of the information security function for those who said “no” to this question was 4.58 years, while the average age for those who said “yes” was 6.57. This trend is consistent with prior surveys. For example, www.infosecurity.com published an article by Avtar Sehmbi in July 2010, describing survey results from Deloitte, which indicated that fully 85% of large organizations worldwide had named a CISO.
Information Security Reporting Structure
“72% indicated that the Information Security group reported to Information Technology.”
Continuing with the discussion about where the information security function should report, the 2011 survey noted that a disturbingly large 72.30% of the respondents had the function within Information Technology or some similar information services group. This traditional arrangement is problematic because this reporting relationship involves inherent conflicts of interest that, unfortunately, will often be resolved in a manner to the detriment of information security (user friendliness trumps security, for example). Another reason why Information Security should not report up through Information Technology is that often the IT group looks at IT as a utility service, and information security will suffer severely if it is approached as a commodity that can be engineered so as to minimize costs. Information security instead needs to be customized to the needs of a particular organization, and to do this well it needs to report to a middle manager who has a risk management perspective. The 72.30% of respondents is high compared to other polls that this author has seen. For example, at the San Francisco ISACA Chapter’s 2011 Fall Conference, an informal poll of 275 people working in IT audit and information security revealed that about 30% had an information security group reporting up through IT organizations. The 72.30% figure is probably a reflection of the large number of international respondents in this survey, while the ISACA poll was almost entirely made up of domestic US respondents.
After IT, the next most prevalent places for the information security function to report were
Operations (5.41%), Legal (4.05%), Human Resources (3.38%), and Insurance & Risk
Management (2.70%). This author shuddered to note that one respondent reported through the
Internal Audit Department -- another strongly discouraged organizational structure, which
brings with it serious conflicts of interest. The author was also disappointed that only one
respondent reported up through a Project Management Office. The use of project management
tools and techniques to manage complex information security activities is expected to strongly
increase in the years ahead. Although many of the respondents listed their relevant professional
certifications, only three listed the PMP (Project Management Professional) designation [see
Table A-7].
Table A-6: Information Security Function Reporting
Department or Organizational Unit Percent of Respondents
Information Technology 72.30%
Operations 5.41%
Legal 4.05%
Human Resources 3.38%
Insurance and Risk Management 2.70%
Physical Security 0.67%
All Others 11.49%
Professional Certifications
Another new question in the 2011 survey asked if the respondents had one or more professional information security certifications. This question was designed to approximately measure the level of training and/or experience within the information security functions. Some 59.46% of the respondents indicated they had one or more current professional certifications. Some of those who said they had certifications did not provide the specific certifications that they held. The noted designations are provided below, in the order of most to least frequency. The number to the right shows the number of times each certification was listed by a respondent. Those designations with only one respondent were not listed below. Readers might consider this ranking to be a rough indicator of the relative value that people now place on these certifications.
“60% of the respondents had some professional certification – most often the CISSP.”
Table A-7: Most Popular Professional Certifications Listed by Respondents in Descending Order of Frequency
Professional Certification Number of Respondents
CISSP 33
CISM 25
CISA 21
CEH 12
CRISC 9
ISO 27001 (Implementer and/or Auditor) 7
CGEIT 3
PMP 3
GSEC 3
ITIL 3
GCIH 2
CISMP 2
Others 2
Outsourcing the Information Security Function
Respondents were also asked to indicate how much of the information security work at their firm was outsourced. Some 60% of the respondents did some outsourcing. For those that did some outsourcing, the average percentage of the work that was outsourced was 28.69%. Intrusion detection monitoring services, penetration tests, risk assessments, filtering (web, firewall, and email), and code reviews were the most frequently cited activities to outsource. If we look at all respondents instead of simply those that did some outsourcing, we see that on the average 17.64% of the budget is outsourced. This 2011 number reveals a very significant increase over the 1997 average, which indicated that on the average only 7.44% of the budget was outsourced. The movement of so many activities to “the cloud,” and the increasing sophistication of so many different information security related outsourcing outfits, is consistent with this significant increase.
Table A-8: Percentage of Outsourced Information Security Work
Business Activity Percentage of Work Done by Third Parties
Computers 7%
Telecommunications 50%
Education 20%
Government (Federal) 26%
Government 12%
Manufacturing 20%
Retailing/Wholesaling 26%
Transportation/Distribution 8%
Financial Services 18%
Health Care 9%
Utilities 18%
Services/Consulting 15%
Other 42%
Average (Across all respondents) 18%
It was also interesting that some respondent organizations are outsourcing a very large portion of their information security work. Specifically, some 4.67% of the survey respondents who are outsourcing give 70% of their information security work to outsourcing firms. Similarly, 5.95% of this same group is outsourcing 80% of their work, some 2.38% are outsourcing 90% of their work, and some 1.19% are outsourcing 100% of their work. The future direction definitely is an increased use of outsourcing, and that makes sense, especially in those circumstances when specialized technical expertise is needed but is not supplied via in-house staff. There didn’t appear to be a correlation between the use of outsourcing and the age of the information security function. Among those firms using outsourcing for information security work, the average age of the function was 5.74 years, and this was pretty much the same as the average age for all respondents: 5.59 years.
Use of Temporary Staff
Respondents were also asked whether they used contractors or temporary staff for information security matters. Some 52.86% of the respondents indicated that temporary workers performed at least some information security tasks. This relatively high percentage is of concern to this author, given that a 2007 survey of UK firms by Websense indicated that fully 80% of temp workers had much the same access privileges as permanent staff, yet most temps had considerably less accountability, and most had not been adequately briefed about security before their work began. Of course, the Websense survey was UK specific, but this is unfortunately a common approach to the use of temporary and contractor workers worldwide.
“Overall outsourcing increased from 7% to over 17% over the last 15 years.”
Table A-9: Percentage of Work done by Temporary Information Security Workers
Business Activity Percentage of Work Done by Temporary Staff
Computers/High-Tech 16%
Telecommunications 45%
Education 20%
Government 18%
Government (State and Local) 26%
Manufacturing 15%
Retailing/Wholesaling 32%
Transportation/Distribution 7%
Financial Services 20%
Health Care 14%
Utilities 18%
Services/Consulting 15%
Other 38%
Average 19%
Within the survey, among those who used temporary workers, the average percentage of information security work done by temps was a relatively high 37.03%. The use of temps seemed also to be more prevalent at those firms which had more established information security functions. While the average number of years that an information security function was in place was 5.59 for all survey respondents, for those who used temps, the function had been established on the average some 6.43 years. There was a difference, but not all that much of a difference.
Data Privacy Staffing and Ratios
The 2011 survey also included new questions regarding the growing importance of the data privacy function. One positive sign was that fully 29.05% of the respondents did have a designated Chief Privacy Officer (CPO). Depending on a respondent firm’s activities, the establishment of a CPO is encouraged, if not explicitly required, by recent legislation such as the US Gramm-Leach-Bliley Act of 1999. Among those who answered this question with a “yes,” the average number of FTEs devoted to the privacy function was 3.16. In some cases privacy work was a part-time function, and in the extreme outlier response, there were some 30 people devoted to an internal privacy function. It was interesting that a few people indicated that zero FTEs were devoted to the privacy function, so in these cases the designation of a CPO was perhaps simply to satisfy a regulatory requirement (a paper title rather than a functional title).
Conclusion
“30% of respondents have a designated privacy officer.”
In summary, while substantial progress has been made, the progress has largely been driven by pressure from outsiders, loss incidents, and efforts to comply with laws and regulations. Fundamental structural problems, such as having information security report up through the Information Technology Department, still hamper the effectiveness of many information security efforts, and no doubt still keep the function’s budget lower than it would otherwise be. In 31.42% of the respondent organizations, information security is still NOT recognized as a unique function which warrants its own group, with its own budget, management reporting chain, and organizational structure.
The good news is that information security budgets are rapidly expanding, and they are
commanding a much larger share of organizational resources than they have in past years.
Nonetheless, it remains to be seen whether this expansion of activity will be enough to maintain
stable, reliable, and secure information systems. Anticipated budget increases for the following
year averaged 13.58%, which was down from the 1997 survey result of 17.78% but still very
healthy in this tough economy. The average ratio for information security workers divided by
total workers was 0.53%, up very substantially from the 1997 survey average of 0.06%. This
ratio was again shown to vary considerably by industry, and those industry-specific ratios are
provided in this report.
One approach that seems to be working, in terms of obtaining a larger information security
budget, is reporting actual security incidents experienced both in-house and in the same
industry. Another approach that seems quite influential is to communicate to top management
the implications of information security relevant laws and regulations. Those firms reporting
that laws and regulations had a “high influence” on their budgets, which made up fully 38% of
the respondents, had a very impressive staffing ratio of 0.71%.
Another strategy that seems to be working well is outsourcing, and the percentage of
information security work that is outsourced has risen over the last 14 years from 7.44% to
17.46%. Automation of information security activities also seems to be continuing, and this fact
is reflected in the continuing decline in the percentage of total information security
expenditures devoted to labor (now 36.28% of the budget). Consistent with the outsourcing
numbers, some 52.86% of the respondents reported that they used temporaries to perform some
information security work. Looking only at those firms using temps, some 37.03% of the
information security budget went to temps. These and other numbers described in the body of
this report bode well for the outsourcing and temporary staffing firms operating in the
information security field.
Overview of the Survey Methodology
History of the 2011 Staffing Survey
In 1987 and 1997, the Computer Security Institute (now part of TechWeb) sponsored two surveys where this author compiled ratios indicating average information security staffing levels. Back then, the surveys were handled via paper forms. A similar, updated survey was undertaken via the Internet in 2011, thanks to sponsorship from Information Shield. This summary report focuses primarily on the results of the 2011 survey, but occasionally makes reference to the older data to show the direction in which things are moving.
Defining “Information Security”
We defined the “information security function” in all three of the above-mentioned surveys as
all activities that protect either information and/or information systems. This included systems-
related contingency planning, archival records management, and information systems access
control. This definition of the information security function excluded information technology
(IT), systems auditing, risk management, legal, human resources, and physical security
activities that were not information security related. Only those staff members who perform
information security duties not expected of rank-and-file employees were counted in the
information security function. As might be expected, users who attend to their own information
security tasks would likewise be outside the scope of the information security function, as we
defined it here.
The calculations in all three surveys were all based on FTEs (full time equivalents). So for example, four half-time people would be equivalent to two full-time people. Outsourcing firm staff, temporaries, consultants, and contractors who perform information security work were included in the total FTE count. In prior surveys a variety of ratios were calculated, including information security FTEs divided by systems audit FTEs, and separately information security FTEs divided by physical security FTEs. Since most of the readers of those past surveys were interested primarily in information security FTEs divided by total organizational FTEs, in the 2011 survey we focused on that one ratio.
About the Survey Data
We should add a few caveats about the survey numbers described herein. First of all, these
numbers are only suggestive of the real world conditions, and should not be construed as
definitive. Respondents to the 2011 survey could remain anonymous, although some 57% chose
to provide identifying information. This author and David Lineman (who helped prepare the
survey and provided data analysis), did no vetting of the survey responses. Thus it could be
that more than one person from the same organization responded to the survey. (However, a
review of the organization names provided by respondents indicated no such problem).
Likewise, respondents could be mistaken about the numbers they provided, but nobody would
know this. Because responses were potentially anonymous, the survey tabulators and analysts
in many cases had no way of confirming that the numbers provided were in fact real-world
numbers. Thus, the 2011 survey should NOT be considered to be statistically valid (nor should
the prior surveys be so considered). Accordingly, statistical measures such as standard
deviations and error confidence levels will not be calculated. Thus the reader will find only
averages discussed in this report.
Possible Biases
In addition, there are undoubtedly several unexplored biases incorporated into the group who responded to the 2011 survey. Aside from the fact that respondents would get a free copy of the results, neither the author nor the sponsor knows why certain people responded, and why certain other people did not. Perhaps those who did not respond are not as adept at navigating the Internet, and thus were not aware that such a survey was being conducted. Perhaps those who did not respond do not devote as much time to continuing professional education, and thus did not come across notices about the survey. Perhaps those who responded are more stressed about budgetary matters, and more urgently in need of information of this nature. Certainly there are other biases that were influential and that we have not had the resources or the time to fully explore. Suffice it here to say that we did not, in any of these surveys, structure the sample so that it would be truly representative of current real-world organizations.
In spite of these cautionary notices, this survey looks to be one of the most definitive sources, if
not absolutely the most definitive source, of information about the actual staffing levels
prevailing in the information security field. The 2011 survey, involving data gathering
conducted in the fall of 2011, produced 199 results and 148 usable responses. Incomplete
responses were used in those cases where data points were provided. Responses from
consulting and outsourcing firms specializing in information security were also thrown out of
the data set to be analyzed because they would otherwise unduly skew the results.
Computationally this was achieved by removing all input data from those firms which has an
information security staff divided by total staff ratio of over 5%. Those firms that specialize in
the information security field were asked not to respond, but the data received indicates that a
significant number of these firms, especially consulting firms, did in fact respond. This cut-off,
set at 5%, was our way of removing their data from the data set that we analyzed. We
appreciate their interest in the survey, but the results of this survey do not apply to their firms
(although the results do apply to their customers).
Several automated error checks were also employed to help assure that only legitimate
(reasonable) responses were entered. Due to the substantial number of respondents, this author
submits that the results are representative of real-world conditions. According to a rough
interpretation of the law of large numbers, the larger the number of respondents, the more
likely it will be that the results will converge on the true conditions.
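As an added illustration of the data-cleaning steps just described (this is not the survey's own processing code or data), the following Python applies the same three rules to constructed sample rows: keep incomplete responses for the fields they do provide, reject implausible rows, and drop responses whose security-staff-to-total-staff ratio exceeds 5%. The record layout and the specific plausibility checks are assumptions, since the report does not list them.

```python
from statistics import mean, median

# Constructed sample responses (not survey data). None marks a field the
# respondent left blank; such rows are kept for the data points they do have.
SAMPLE_RESPONSES = [
    {"org": "bank-a",        "total_staff": 4000, "security_staff": 12,   "privacy_staff": 3},
    {"org": "retailer-b",    "total_staff": 900,  "security_staff": 2,    "privacy_staff": None},
    {"org": "hospital-c",    "total_staff": 2500, "security_staff": 5,    "privacy_staff": 2},
    {"org": "consultancy-d", "total_staff": 40,   "security_staff": 30,   "privacy_staff": 0},    # specialist firm
    {"org": "startup-e",     "total_staff": 0,    "security_staff": 1,    "privacy_staff": 0},    # implausible total
    {"org": "mfg-f",         "total_staff": 1200, "security_staff": None, "privacy_staff": 1},    # ratio not computable
    {"org": "typo-g",        "total_staff": 300,  "security_staff": 400,  "privacy_staff": 1},    # staff > total
]

SPECIALIST_CUTOFF = 0.05  # the report's 5% security-to-total-staff cut-off


def passes_sanity_checks(r):
    """Assumed automated plausibility checks; the report does not enumerate its own."""
    total, sec = r["total_staff"], r["security_staff"]
    if total is None or sec is None:
        return True          # incomplete, but not implausible: keep for the fields present
    if total <= 0 or sec < 0:
        return False         # no staff, or negative counts, cannot be legitimate
    if sec > total:
        return False         # security staff cannot exceed total staff
    return True


def security_ratio(r):
    """Security staff divided by total staff, or None when either field is missing."""
    total, sec = r["total_staff"], r["security_staff"]
    if total is None or sec is None or total <= 0:
        return None
    return sec / total


def build_analysis_set(responses, cutoff=SPECIALIST_CUTOFF):
    """Apply the sanity checks and the specialist-firm cut-off ('over 5%' is strict)."""
    kept = []
    for r in responses:
        if not passes_sanity_checks(r):
            continue
        ratio = security_ratio(r)
        if ratio is not None and ratio > cutoff:
            continue         # consulting/outsourcing firm: excluded from the analyzed set
        kept.append(r)
    return kept


def ratio_summary(responses):
    """Count, mean and median of the computable security-staff ratios."""
    ratios = [x for x in (security_ratio(r) for r in responses) if x is not None]
    return {"n": len(ratios), "mean": mean(ratios), "median": median(ratios)}


if __name__ == "__main__":
    cleaned = build_analysis_set(SAMPLE_RESPONSES)
    print("kept:", [r["org"] for r in cleaned])
    print("with cut-off:   ", ratio_summary(cleaned))
    # Raising the cut-off to 100% keeps the specialist firm and shows the skew
    print("without cut-off:", ratio_summary(build_analysis_set(SAMPLE_RESPONSES, cutoff=1.0)))
```

Running it with and without the cut-off makes the report's point concrete: a single specialist firm with a 75% ratio moves the mean from well under 1% to over 10%, while the median barely changes, which is why such responses are removed before any averages are computed.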
About the Author
Charles Cresson Wood, CISSP, CISM, CISA is an author, researcher, and management consultant based in Mendocino, California. In the information security field on a full-time basis since 1979, he has done information security work with over 120 organizations, many of them Fortune 500 companies, including a significant number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world.
He has published over 375 technical articles and six books in the information security field. In addition to various TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 100 technical and professional conferences around the globe.
All Contents Copyright 2012, Information Shield, Inc.
All rights reserved. All trademarks cited herein are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under § 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the copyright holder.
Limit of Liability/Disclaimer of Warranty: While the copyright holders, publishers, and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of its contents and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. The advice and strategies contained herein are based on the author’s experience and may not be usable for your situation. You should consult with an information security professional where appropriate. Neither the publishers nor authors shall be liable for any loss of profit or any other commercial damages, including, but not limited to, special, incidental, consequential, or other damages.