Information Security & Data Privacy Staffing Survey 2011

About Information Shield

Information Shield is a global provider of security policy, data privacy and security awareness solutions that enable organizations to effectively comply with international security and privacy regulations. Information Shield products are used by over 9000 customers in 60 countries worldwide.

Information Shield, Inc.

7549 Highmeadow Dr.
Houston, TX 77063

[email protected]

P: 888.641.0505
F: 866.304.6704

Benchmarking the Information Security Function

January 2012


Information Security and Data Privacy Staffing Levels: Establishing a Standard of Due Care for Modern Organizations

By Charles Cresson Wood, CISSP, CISM, CISA

Executive Summary

Is your information security group under-staffed? Can you prove it with numbers? What is the standard of due care for staffing the information security and privacy functions?

These are common questions that are often asked in budget meetings. For decades, information security specialists have been requesting ever larger budgets for their internal information security efforts, with very little hard data to support their requests.

To help answer these and other common staffing questions, the author teamed up with Information Shield for the 2011 Information Security and Data Privacy Staffing Survey. The survey was conducted in late 2011 and included responses from over 150 organizations in 34 different countries. This survey provides quantitative reference points that management can use to determine whether an organization is falling behind, or whether it is out in front of the competition.

Table of Contents

Executive Summary ....................................... 1
Introduction ................................................... 2
About the Staffing Survey ................................ 3
Respondent Profiles ......................................... 4
Staffing Ratios by Industry ............................. 6
Staffing Trends .............................................. 10
Staffing Budgets ............................................ 15
Budget Trends ................................................ 16
Budget Influences ........................................... 18
Staffing Budget Calculations ........................ 25
Organizational Structure and Staffing ......... 27
Reporting Relationships .................................. 29
Staff Certifications ........................................ 31
Temporary Workers ........................................ 32
Outsourcing Security ...................................... 33
Data Privacy Staffing ...................................... 34
Conclusion .................................................... 34
Survey Methodology ....................................... 36
About the Author ............................................ 40


Introduction: Information Security and Data Privacy Staffing

How many people should we hire?

For decades, information security specialists have been repeatedly requesting larger budgets for their internal information security efforts. In many cases, they have staunchly maintained that not enough is being spent on information security. Top management has often responded with comments like, “Show me the numbers – how do you know we aren’t spending enough?”

This report provides those numbers: the numbers that allow an organization to determine how it ranks against its peers. Through a few simple calculations, readers can quickly determine whether their organization is spending too little, or perhaps too much, on information security staff. Comparable numbers are also provided for budget dollars. With these numbers, specialists can once again approach top management with substantiated budget requests for an expanded information security staff.

In addition to key staffing ratios, the survey asked for detailed information about the current state of the information security organization. For example, does the organization have a formal department and/or senior executive devoted to information security? Within these departments, how much of the work is done in house and how much is outsourced? The results provide a snapshot of the modern information security function.

“How do we know how many people to hire for information security?”


About the Staffing Survey

The 2011 Information Security Staffing Survey was designed to measure how the information security and data privacy functions are staffed across a variety of organizations. In addition to measuring key head-count ratios, we asked a number of questions concerning the maturity of the formal information security function, including the age of the program and how it reports within the organization.

Defining “Information Security”

In all of the survey data, we defined the “information security function” as all activities that protect information and/or information systems. This included systems-related contingency planning, archival records management, and information systems access control. This definition of the information security function excluded information technology (IT), systems auditing, risk management, legal, human resources, and physical security activities that were not information security related. Only those staff members who perform information security duties not expected of rank-and-file employees were counted in the information security function. As might be expected, users who attend to their own information security tasks would likewise be outside the scope of the information security function as we defined it here.

The calculations in all three surveys were based on FTEs (full-time equivalents). For example, four half-time people would be equivalent to two full-time people. Outsourcing firm staff, temporaries, consultants, and contractors who perform information security work were included in the information security FTE count.

History of the 2011 Survey

The 2011 Information Security Staffing Survey was the third in a series of similar surveys spanning a 24 year period. The first survey was completed in 1989, and a follow-up survey was completed in 1997 in conjunction with the Computer Security Institute (CSI). This summary focuses primarily on the results of the 2011 survey, but occasionally makes reference to the older data to show the direction in which things are moving.


Organizational Profiles: Who Responded?

The 2011 survey had respondents from many different organization sizes, geographies and business types. The average organization that responded to the 2011 survey had 14,000 full-time employees across all locations. On average, the organizations had had an information security program in place for 5.5 years, although the numbers varied from zero (no formal program) to a very mature 22 years.

The 2011 survey had strong international participation compared to previous surveys. By far most of the respondents came from the USA and the UK, but India, France, Canada, Australia, and New Zealand were all well represented. This is quite different from the 1997 survey, in which 80% of the respondent firms hailed from the USA and Canada. The 2011 survey had respondents from 34 different countries (see Figure A-1). By far the largest response rate was from US-based organizations. However, other countries with developing IT industries made up a healthy number of respondents.

Figure A-1: Geographic Breakdown of Respondents


The scope of information security activities has also gone global. For example, the average number of countries in which this group of 2011 respondents had information systems activities was 14.23. The wider geographical scope of respondent activities is consistent not only with the dispersion of information technology around the globe, but also with the increasingly international business activities facilitated by the Internet (including this survey). Just how the increased international focus of the respondents has changed the results of the survey is unknown, but those using these numbers might want to take that significant change into consideration.

Information Security Staffing Levels by Industry

Information Security as a Percentage of Total Workers

For the 2011 survey as a whole, the total staff who worked on information security tasks (including contractors, consultants, temporaries, and outsourced workers) made up 0.53% of total staff. This 2011 ratio shows an order of magnitude increase from the 1997 survey, which produced an average ratio of 0.06%. And that 1997 average ratio was likewise up substantially from, and roughly a doubling of, the 1987 survey’s average ratio of 0.03%. [See Chart A-1] Put another way, the average staffing for information security across all organizations was one full-time security person for roughly every 200 employees.

In the survey the ratios were computed as the number of full-time equivalent staff (FTEs) devoted to information security divided by the organization’s total FTE count. The average ratio of information security FTEs divided by total organizational FTEs, across all industries, was 0.53%, while the median was 0.18%. (The difference between the mean and the median reveals that the variability in the responses received was high. However, we do not calculate standard deviations, for reasons explained in the subsection below called “Overview of the Survey Methodology”.)

“Average information security staffing across all organizations made up 0.53% of total workers, up roughly 800% since 1997”

Please note that the decimal places used here, and elsewhere in this report, should not communicate any particular level of precision, only the relative position of information security within organizations. The position of these decimal places also reveals how the information security function continues to expand markedly over the 24 year period measured by the three surveys mentioned above.

Table A-1 provides a break-down of this FTE ratio by industry. As a quick glance at the table reveals, the staffing levels are markedly different from industry to industry. Properly speaking, an average staffing level ratio should be industry-specific in order to mean anything in terms of calculating a standard-of-due-care staffing budget, a headcount increase request, an objection to a planned headcount reduction, and the like.

This large variation in headcount ratio was also observed in all previous surveys. For example, prior surveys indicated that the more information intensive the industry, the greater this headcount percentage will be (Financial Services is a good example of a high information intensity environment, while Retail is a good example of a low information intensity environment). Likewise, all other things being held constant, the greater the number of information security related laws and regulations that a firm needs to respond to, the higher the budget and associated headcount of the information security function will be.

In both the 2011 and the 1997 surveys, we see that Retailing/Wholesaling had the least information security staff as a percentage of total workers. Similarly, across multiple surveys, those firms involved in the military, the federal government, and aerospace/defense had the largest information security staff as a percentage of total workers. This is as might be expected, given the nature of the life-and-death risks faced by people in the military, diplomatic agencies, and related contractors. These risks are above and beyond the property protection risks faced by firms not operating in these areas.


Table A-1: Information Security as a Percentage of Total Workers (Staffing Ratio)

Business Activity               Security FTE / Total FTE (Staffing Ratio)
Telecommunications              0.208%
Education                       0.258%
Government (Federal)            1.680%
Government (State and Local)    0.289%
High Tech                       0.551%
Manufacturing/Production        0.257%
Retailing/Wholesaling           0.087%
Transportation/Distribution     0.167%
Financial Services              0.522%
Health Care                     1.299%
Utilities                       0.373%
Services/Consulting             0.776%
Other                           0.238%
Average                         0.53%

To help observe some trends between surveys, Table A-2 contains the ratios (Information Security FTEs divided by total organizational FTEs) shown respectively for the 2011 [left column] and 1997 [right column] surveys. Note: Where an “X” appears in that table, no data was available from the survey involved. For example, the 1997 survey had an industry classification called Computers/Telecommunications, but the 2011 survey broke this grouping out into two separate categories respectively called High-tech (Computers) and Telecommunications. Similarly, the 1997 survey had a Government category, but this was broken out in the 2011 survey into Federal Government, and separately State or Local Government.

Table A-2: Information Security as a Percentage of Total Workers - Comparison

Business Activity               2011 FTE Ratio   1997 FTE Ratio
Computers/Telecommunications    X                0.208%
Telecommunications              0.141%           X
High Tech (Computers)           0.551%           X
Education                       0.258%           0.063%
Government                      X                0.161%
Government (Federal)            1.680%           X
Government (State and Local)    0.289%           X
Manufacturing                   0.257%           0.035%
Retailing/Wholesaling           0.087%           0.020%
Transportation/Distribution     0.167%           0.037%
Financial Services              0.522%           0.138%
Health Care                     1.299%           0.093%
Utilities                       0.373%           0.092%
Services/Consulting             0.776%           X
Aerospace/Defense               X                0.047%
Other                           0.238%           0.229%
Average                         0.53%            0.06%

The substantial difference between the two government categories appearing in the 2011 survey is probably due to the military and diplomatic corps being a part of the first (Federal), but not the second (State and Local), of these categories. Civilian agencies in the Federal Government may accordingly wish to use the State & Local Government ratio. Likewise, no Aerospace/Defense category appeared in the 2011 survey, but it did appear in the 1997 survey. No Services/Consulting category appeared in the 1997 survey, but it did appear in the 2011 survey. These category differences mean that, in some instances, a particular firm may have moved from one category to another as we move from the 1997 survey to the 2011 survey. Also note that, as described in the subsection below entitled “Overview of the Survey Methodology,” specialist information security firms, such as consulting outfits and managed security service providers, were intentionally excluded from these tabulations because they would otherwise dramatically skew the results.

Staffing Trends by Industry

In the 14 years that elapsed between the two most recent staffing level surveys, certain industries saw marked increases in the level of information security staffing. For example, the Utilities industry and the Transportation/Distribution industry have both increased the level of information security staff dramatically. This may be in part due to increased terrorist threats that apply directly to these industries, more so than to other industries. Similarly, the Financial Services industry saw roughly a four-fold increase (0.138% to 0.522%), while the Health Care industry saw more than a ten-fold increase (0.093% to 1.299%). The latter two increases are no doubt in part due to significantly more laws and regulations related to information security. The computed average for the Education industry saw a four-fold increase in its staffing level over the last 14 years, and this was probably in part due to increased laws and regulations, but also perhaps because a number of infamous attacks, such as the Robert Morris worm, have been launched from educational institution computers. It is interesting that the “Other” industry category saw only a marginal increase over this 14 year period, and that is probably attributable to a significant change in the industries that were lumped together into the “Other” category. Since the respondents did not specify what “Other” meant to them, we cannot dissect this interesting result any further.

“On average, security staffing increased nearly 400% since the 1997 survey”

Of course, as mentioned briefly above, headcount ratios also increased in those cases where respondent firms were involved with military or diplomatic activities. If we change the cut-off so that we exclude only those firms with 20% or more of staff working on information security, rather than the 5% described in the subsection entitled “Overview of the Survey Methodology,” then where respondents did have such an involvement, the 2011 information security staff FTEs divided by total FTEs was a very healthy 1.760%. Where they did not have such involvement, the same ratio was only 1.344%. As the difference between these two ratios and the survey’s overall average headcount ratio shows, by far most (82%) of the 2011 survey respondents hailed from non-military and non-diplomatic organizations. With the 5% cut-off used elsewhere in the survey, we inadvertently removed too many of the military and diplomatic organizations, and this caused there to be apparently no difference between these two categories. Removal of respondents from the data set used to perform the calculations, as mentioned in the note at the bottom of Table A-1, was intended to exclude those firms which were in the business of information security.
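To make the cut-off discussion concrete, the following is an added example, not code from the report or from Information Shield, and the organizations in it are constructed rather than taken from survey responses. It computes each organization’s ratio the way the survey defines it (FTEs, with half-time staff counted at one half, and contractors, temporaries and outsourced staff added to the security headcount), drops every respondent at or above a chosen cut-off, and returns the mean and median of what remains, so the effect of moving the cut-off from 5% to 20%, and of the managed security provider the cut-off is meant to remove, can be seen directly. It also computes the FTE gap between one organization and an industry ratio taken from Table A-1, which is the “simple calculation” the Introduction refers to. The organization names, industries and headcounts, and the field names in the records, are assumptions made for the example.

```python
"""Added example, not from the survey report: the headcount ratio computed
the way the survey defines it, with the cut-off that removes firms "in the
business of information security", plus the gap between one organization
and an industry benchmark from Table A-1.

Every organization below is constructed sample data, not a survey response.
"""
from statistics import mean, median


def fte(full_time, half_time=0):
    """Full-time equivalents: four half-time people count as two FTEs."""
    return full_time + half_time / 2


def security_fte(org):
    """Security headcount as the survey counts it: in-house FTEs plus
    contractors, consultants, temporaries and outsourced staff."""
    return fte(org["sec_full"], org["sec_half"]) + org["sec_contract"]


def security_ratio(org):
    """Information security FTEs divided by total organizational FTEs."""
    return security_fte(org) / fte(org["total_full"], org["total_half"])


# Constructed respondents (hypothetical names and headcounts). The managed
# security provider is in the business of information security; the defence
# contractor has military involvement.
RESPONDENTS = [
    {"name": "regional bank", "industry": "Financial Services",
     "total_full": 2000, "total_half": 0, "sec_full": 8, "sec_half": 0, "sec_contract": 2},
    {"name": "retail chain", "industry": "Retailing/Wholesaling",
     "total_full": 5000, "total_half": 0, "sec_full": 5, "sec_half": 0, "sec_contract": 0},
    {"name": "hospital group", "industry": "Health Care",
     "total_full": 4000, "total_half": 0, "sec_full": 40, "sec_half": 0, "sec_contract": 10},
    {"name": "university", "industry": "Education",
     "total_full": 3000, "total_half": 2000, "sec_full": 4, "sec_half": 8, "sec_contract": 2},
    {"name": "defence contractor", "industry": "Government (Federal)",
     "total_full": 1000, "total_half": 0, "sec_full": 80, "sec_half": 0, "sec_contract": 0},
    {"name": "managed security provider", "industry": "Services/Consulting",
     "total_full": 100, "total_half": 0, "sec_full": 40, "sec_half": 0, "sec_contract": 0},
]


def benchmark(respondents, cutoff):
    """Mean and median ratio after dropping every respondent whose ratio is
    at or above `cutoff` (0.05 reproduces the survey's 5% rule, 0.20 the 20%
    variant used for the military/diplomatic comparison).

    Returns (number_kept, mean_ratio, median_ratio)."""
    kept = [security_ratio(o) for o in respondents if security_ratio(o) < cutoff]
    return len(kept), mean(kept), median(kept)


def fte_gap(org, industry_ratio):
    """Security FTEs the organization would have to add (positive) or could
    shed (negative) to sit exactly at `industry_ratio`, e.g. 0.00522 for the
    2011 Financial Services row of Table A-1."""
    return industry_ratio * fte(org["total_full"], org["total_half"]) - security_fte(org)


if __name__ == "__main__":
    for cutoff in (0.05, 0.20, 1.0):
        n, avg, med = benchmark(RESPONDENTS, cutoff)
        print(f"cut-off {cutoff:>4.0%}: {n} kept, mean {avg:.3%}, median {med:.3%}")
    bank = RESPONDENTS[0]
    print(f"{bank['name']}: {fte_gap(bank, 0.00522):+.2f} FTE versus the Financial Services benchmark")
```

Run stand-alone, it prints the mean and median at the 5% cut-off, the 20% cut-off and no cut-off: on this sample the mean rises from about 0.5% to 2% to over 8% as the defence contractor and then the managed security provider are admitted, while the median moves only from 0.375% to 0.5% to 0.875%. That is the same mean-versus-median signal the report reads from its 0.53% against 0.18%, and it is why the cut-off choice matters so much to the averages quoted above. Benchmarks from Table A-1 should be applied within the same industry, as the report says.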

Table A-3: Survey Respondent Breakdown by Industry Classification

Business Activity               Percentage of Respondents
High Tech                        12%
Telecommunications                3%
Education                         2%
Federal Government                3%
Government (State and Local)      3%
Manufacturing/Production          8%
Retailing/Wholesaling             3%
Transportation/Distribution       3%
Financial Services               28%
Health Care                       6%
Utilities                         5%
Services/Consulting              14%
Other                            10%
Total                           100%

Table A-3: 2011 Survey Respondent Breakdown by Industry Classification. The higher the percentage in this table, the greater the confidence the reader can have that the industry-specific head-count ratio approximates the actual situation in that industry.

Note: There was no category for Aerospace/Defense in the 2011 survey, but this category did appear in the 1997 survey. See the note in Table A-1 for more information about this comparability problem between the last two surveys, and how to overcome it.


Staffing and Security Program Maturity

It is interesting that the percentage of total headcount devoted to information security also varies considerably with the number of years that a formal information security function has existed. As might be expected, if an information security function was new, which for purposes of the survey was defined as less than a year old, then the ratio mentioned above was only 0.36%. For a number of firms, this low ratio was in part the result of no staff yet having been allocated to the function. For those firms with a function in place for a year, the ratio quickly rose to 1.37%. This relatively high percentage is consistent with the notion that a certain foundation for information security must be created at the beginning of a formal information security function, and this foundation takes considerable resources to establish. Some elements of this foundation include job descriptions, performance reviews, budgets, policies, standards, guidelines, procedures, training programs, contingency plans, and the like. Other elements include a data dictionary indicating, among other things, the data classification of different types of information.

According to the 2011 survey, after a formal information security function has been established, fewer people are evidently needed to run things. Those firms with a two-year-old function had an average of 0.25% of their total organizational staff devoted to information security. This is not far from the average for all respondents, regardless of how long a formal information security function has been in place. It seems, however, that many organizations cut back too much at this point, because those firms with a three-year-old function devote an average of 0.42% of their total staff to information security work. This cut-back-too-much, then add-some-more-to-catch-up approach is apparently found at many firms as they converge on the right level of information security staffing for their particular situation.

Reflecting this back-and-forth convergence, four-year-old functions had an average of 0.36% of total staff devoted to information security. This significant cut-back may be a reflection of the erroneous notion often held by top managers that information security is a project rather than an on-going business function. While a good foundation for a successful information security program needs to be established, and fewer resources can then be devoted to information security in subsequent years, that does not mean there won’t be a significant need for staffing to support many on-going functions (access control administration, contingency planning, awareness training, and intrusion detection and response being just a few of the activities that require on-going funding). Reflecting the same convergence pattern, those firms with five-year-old formal information security functions saw this ratio go back up significantly to 0.59%. This same yo-yo pattern (cut, then beef it back up, then cut again, then beef it back up) prevails in later years as well. Readers going through such dramatic ups and downs in the budget should therefore feel that their experience isn’t too far from the norm.

But the trend over time for this staffing ratio is slightly down as the information security function becomes more established. This is consistent with the notion of economies of scale, where an increasing number of information security activities are automated instead of handled manually. The 2011 survey’s gradual reduction in staffing levels as the security function ages compares favorably with the numbers in the 1997 survey. According to these averages and this author’s experience, in 1997 automation was not in use in the information security area anywhere near as much as it is today.

Calculating Budgets: Changes and Influences

The 2011 survey included a number of questions regarding information security budgets, including expected growth/decline and the common factors influencing budgets.

Expected Budget Changes

Another question asked in the 2011 survey was “What do you expect in terms of the increase in information security staff in the following year?” Note that this was not a request for how much you are going to ask for in your budget; it was an assessment of what the actual increase will be. The 2011 average came in at 13.58%, a very impressive number indeed in this tough economy. The 1997 average was not that far away, at 17.78%. Clearly information security is still a very important organizational function, and it continues to be seen as such by top management, even in the midst of the severe belt tightening now being suffered by many other departments.

Consistent with the yo-yo pattern mentioned above, the responses on next year’s estimated increases in staffing for information security were all over the map, from -50% to +100%. Fully 50.00% of the respondents indicated that they anticipated no change. Some 12.84% said next year would probably bring a 10% increase in staffing levels. Some 11.49% indicated that they expected a 25% increase, 8.78% expected a 50% increase, and 6.76% expected a 100% increase.

“Budgets for information security staffing are expected to increase nearly 14% in the next year.”

Table A-4: Anticipated Increases in Next Year's Staffing Budget

Business Activity               Expected Change in Staffing Budget
Computers/High-Tech             +22%
Telecommunications              -2.5%
Education                       0%
Federal Government              +35%
State and Local Government      +20%
Manufacturing                   +12.5%
Retailing/Wholesaling           +5%
Transportation/Distribution     -12%
Financial Services              +14%
Health Care                     +12%
Utilities                       +13%
Services/Consulting             +23%
Other                           +5.7%
Average                         +13.58%

Table A-4: Estimated increase or decrease in next year’s staffing budget. While most categories planned increases, there was high variation between the expected amounts.

Budgeting Influences

Let’s now turn to something that readers can do to increase funding for information security staffing. One of the new additions to the 2011 survey was a number of questions regarding trends and influences on the information security budget. Each of the factors is discussed below.

Influence of Overall Business Climate

It was intriguing to note the extent to which respondents considered the overall business climate in their industry to be affecting the budget for information security. Some 15.71% said the overall business climate had a “high influence,” while 19.29% indicated that the business climate had “more influence.” Some 17.86% said that the business climate in their industry had “medium influence,” while 30.71% indicated that it had “some influence.” Only 16.43% indicated that the business climate had “no influence.” These results indicate that the budget for information security is highly dependent on available funds, and on the general level of success of the respondent’s industry. This does not bode well for the future, because a certain level of essential information security services must be provided, if serious business losses are to be prevented and properly dealt with, no matter what the prevailing business conditions are.

“Regulatory compliance was the largest influence on overall staffing budgets.”

Influence of Firm Profitability

Respondents were additionally asked about the influence of their own firm’s profitability on the budget for information security. Consistent with the answers in the prior paragraph, some 20.71% said it had a “high influence,” 9.29% said it had “more influence,” 22.14% said it had “medium influence,” 27.14% said it had “some influence,” and 20.72% said it had “no influence.” Again, in these answers we see evidence of the pressing need to better separate the story explaining why information security needs additional funding from the story about the financial success (or lack thereof) of the organization involved. In large measure, information security is not a discretionary expenditure that can be expanded or contracted as top management sees fit. There are instead basic minimums that must be in place (as expressed, for example, in the Payment Card Industry Data Security Standard, PCI DSS), and if these minimums are not in place, then the organization can’t do business. This author submits that the reality of this need for a foundation of information security is not sufficiently showing up in the budgetary influences reported by the respondents.

Influence of Management Awareness

Top management awareness levels had an effect on information security budget levels, but not in a simplistic or predictable manner. Even though it is somewhat counter-intuitive, the respondents with the highest levels of management awareness did not have the highest levels of staffing. This may be because many of these organizations were in an emergency catch-up mode, perhaps responding to security incidents, a bad audit report, or something of that nature. Those organizations with a significant but more moderate level of management awareness had the highest staffing levels. Not all that surprisingly, those reporting no management awareness impact on the budget had the lowest levels of staffing for information security. In terms of the actual numbers, the information security staff to total employment ratio was close to the average across all industries, coming in at 0.42%, for those reporting a “high influence” of awareness on the budget for information security. Those reporting “more influence” had a more impressive 0.64% ratio. Those reporting a “medium influence” had again a close-to-average 0.46% ratio, while those reporting “some influence” had a more impressive 0.66% ratio. Not surprisingly, the worst FTE ratio, 0.39%, was reported by those firms indicating “no influence.”

How best to interpret this bimodal distribution is a good question. Perhaps on-going efforts to raise the level of management awareness pay off, but neither the emergency catch-up approach nor ignoring this type of awareness training, both of which are represented by the extremes of the spectrum, works well. Perhaps the limited impact of awareness-raising efforts can also be attributed to the fact that management, at most firms, is already well aware of the seriousness of information security. It appears as though additional investments of time and money into raising management awareness are suffering diminishing marginal returns.

Influence of Security Incidents

The 2011 survey also asked respondents to indicate whether recent security incidents, at their firm and others, have affected their information security budgets. Those firms reporting that such incidents had a “high influence” had a most impressive staffing ratio, on the average, of 0.97%. Those firms reporting “more influence” had a close to average 0.45% ratio. Medium influence had a close to average 0.56% ratio as well. Considerably lower staffing levels were found for those reporting “some influence” (0.23%) and “no influence” (0.34%). Apparently, having security incidents be highly visible to management can increase staffing levels three-fold or more. If one is looking to increase the staff budget, better incident reporting and analysis appears to be a better investment than general management awareness training (the latter was described in the prior paragraph). The fact that any respondents reported that incidents had “no influence” indicates to this author a missed opportunity. In this group, frequently-occurring malware incidents are not being publicized internally as they should be. Likewise, the many cases taking place outside the firm in question are not being communicated to top management as well as they could be. Based on the answers to this question, as well as a widely acknowledged best practice, an internal database keeping track of in-house losses, sometimes called a loss history, is a very good investment to make.

Influence of Customers and Partners

The 2011 survey additionally asked respondents about pressure to increase their information security budgets coming from clients and business partners. The results to this question were unexpected, and the reasons behind these results remain not fully revealed. Those firms indicating that budgets were “highly influenced” by pressure coming from clients and business partners had a high staffing ratio of 0.75%. As might be expected, those firms reporting “no influence” had a considerably worse average staffing ratio of 0.16%. Firms reporting “more influence” had a 0.56% average ratio, and those with “medium influence” had a comparable average ratio of 0.58%. So far, all that is predictable. In other words, top management responds significantly to pressure coming from clients and business partners. The unexpected part was those with “some influence,” which had an unexpectedly high 0.70% average ratio. The lesson here is that it is not sufficient to communicate the information security needs of clients and business partners to top management. Some pressure actually needs to be exerted, and the more pressure, the better the increase in the information security budget will be. In addition, those firms indicating “no influence” may also be unduly and unrealistically isolating themselves from the needs of clients and business partners, because we are now all connected through the Internet and a variety of other structures supporting information flows.

Influence of Media and Competitors

On a similar note, in a single combined question, respondents were asked about pressure from the media or competitors, and whether that pressure had an impact on the information security budget. We can all imagine how huge the budgetary impact of a security incident at your firm being described on the front page of The Wall Street Journal would be. Likewise, we can all imagine that, at some point in the future, your firm will be forced to upgrade its information security because such an improvement has become a competitive necessity. Respondents reporting that this pressure was “highly influential” in terms of setting budgets had a considerably higher than average ratio of 0.64%. Staffing ratios spiked in the “more influence” category with an average of 0.95%. The category of “medium influence” had a still impressive 0.67% average staffing ratio, while the “some influence” category came in below the cross-industry average with 0.46%. No influence had a still less desirable ratio of 0.41%. Just why “more influence” was better than “highly influential” is not clear from the data obtained. Perhaps the “highly influential” category had a lower than expected staffing ratio because the information security function at many of these firms was in trouble. In such a situation, the function may be getting pushed from the outside to shape up. Those that were not in an emergency catch-up mode may find themselves choosing the “more influence” category, and hence their ratios may be higher.

Influence of Laws and Regulations

The impact of laws and regulations on the budget for information security was also explored in the 2011 survey. Those firms reporting that laws and regulations had a “high influence” on their budgets, which made up fully 38% of the respondents, had a very impressive staffing ratio of 0.71%. Those respondents reporting “more influence” had a quite respectable ratio of 0.64%. Those with “medium influence” reported a worrisomely low 0.18% staffing ratio. Those respondents indicating “some influence” came in with 0.50%, while those with “no influence” had a very low staffing ratio of 0.26%. With the exception of a blip in the data around the “medium influence” category, there is a clear correlation between increased importance of laws and regulations and increased information security budgets. This strong correlation is a reminder to every reader to make sure top management appreciates all the laws and regulations that define a minimum level of information security. This author believes that many of the 4% of respondents who thought there was “no influence” have not yet sufficiently acquainted themselves with all the relevant laws and regulations. For example, the requirements to notify data subjects in the event of a breach of personally identifiable information, or PII, apply to nearly all organizations operating in the USA. Of all the budgetary influences investigated via this survey, it was the legal and regulatory influence that had the strongest positive impact on budgets.

Figure A-2: Weighted table of budgetary influences by each category in the survey. [Figure not reproduced in this transcript.]

Respondents were asked to rate the influence of each item from 1-5, with “None” as (0) to “Very High” as (5). The weighted average shown in this figure for each of these five possible responses indicates the relative importance of these budgetary factors.

Information Security Staff and Total Budgets

Respondents to the 2011 survey were furthermore asked how much of their current information security budget was devoted to staff. Some 36.28% of information security expenditures were attributed to staff. The 1997 survey indicated this ratio was 36.92%. These numbers suggest increased use of automated tools over the last decade or so. In the future, we can expect to see the percentage of the information security budget devoted to staff continue to gradually come down. The 2011 number is actually quite impressive if one considers the numbers that Information Technology Departments generally encounter in terms of labor. According to Cynthia Rettig at MIT, writing in a 2007 article entitled “The Trouble With Enterprise Software,” some 70-80% of information systems budgets are today consumed by labor.

There are multiple possible interpretations of this average percentage of budgets assigned to labor from the 2011 survey. If we assume that a lot of the cost of information security is inappropriately off-loaded to both user departments and Information Technology Departments, then the numbers found in the 2011 survey may reflect misleadingly low staffing levels for the information security function. If we assume that formal information security functions are still nowhere near as common as they should be, given that information security is still a new organizational function, then this low staffing level could simply be a reflection of the fact that there has been an incomplete and insufficient recognition of the true costs of supporting information security. Still another possible interpretation of the same data is that information security budgets remain underfunded, that organizations have generally been emphasizing automated tools too much, and that they need more expertise in order to properly handle the complexity that goes along with information security. This author thinks all three interpretations are plausible and may all exist simultaneously.

Table A-5: Percentage of Budget Devoted to In-House Staff

Business Activity                 2011 Survey
Computers/Telecommunications      44%
Education                         65%
Government                        64%
Government (State and Local)      35%
Manufacturing                     37%
Retailing/Wholesaling             40%
Transportation/Distribution       7.5%
Financial Services                34%
Health Care                       42%
Utilities                         28%
Services/Consulting               24%
Telecommunications                35%
Other                             32%
Average                           36%

Budgets and Staffing: Putting the Pieces Together

Putting the pieces together, we can now perform a few quick calculations to estimate staffing and budgets for each industry. First, a reader calculates the total full-time-equivalent staff (FTEs) at the organization in question, including outsourcing firms, temporaries, consultants, contractors, etc. This number should include all functions, and everything that the organization does to meet its business objectives.

As an example, let’s assume the organization has 10,000 FTEs. Then the reader multiplies that total FTE headcount by the industry percentage devoted to information security staff (see Table A-1), and we get the approximate average headcount for information security. Continuing with the example, let’s assume this firm is in the Health Care industry. From Table A-1 we pick the number 1.299% [stay in the left column no matter what the industry] and multiply that by 10,000, to come up with 130 FTEs devoted to information security. This 130 FTE number includes all efforts devoted to information security, which is defined as protecting information and/or information systems (see the subsection entitled “Overview of the Survey Methodology” for a more precise description). Included in this 130 FTE number would be the information security work of systems administrators in user departments doing access control, the work of outsourcing firms doing penetration tests, and the on-going network monitoring provided by a managed security services firm. This number is not an absolute-must-have number; it is simply the average indicated by our survey. It is not some minimum to which all firms must subscribe; it is just an indicator of what other firms in the same industry are spending on information security staff.

To take this example one step further, we can then calculate a quick-and-dirty average budget for a firm of a certain size in any particular industry. The reader should next make a few inquiries at the in-house Accounting Department, to get the fully-loaded burden of one average staff member at the firm. By “fully-loaded” we mean not just salary, but all payroll taxes paid by the employer, as well as benefits like health insurance. For this example, let’s assume the fully-loaded average staff member at this firm costs US$42,250/year [this calculation has nothing to do with US dollars, or currency conversion rates, and can just as easily be done in any other country’s currency]. Now we have enough information to calculate a rough average total budget for the information security function (note that this calculation will include all work in the information security area, not just work which is done by the official group called Information Security). Next, the reader will multiply this fully-loaded average cost per worker by the number of workers calculated in the prior paragraph, to get the labor component of the information security budget. So here we would multiply US$42,250 by 130, to get a rough total budget for information security labor of US$5,492,500. Now, if the reader divides this number by the average percentage of the budget devoted to labor, we can get a rough indicator of the total information security budget. Going back to the FTE budget ratios, we see that 36.28% of information security budgets are devoted to staff these days, so if we divide US$5,492,500 by 36.28%, we get the total average budget for information security across all departments, in this case US$15,139,195. Note that this number has been scaled for the size of the organization in question. As an aside, note that some adjustments to this calculation will probably be necessary to reflect the reader’s organization’s budgeting and charge-back processes.

The reader can now compare this rough total calculated budget number to the current total budget for information security across all departments (including outsourcing). If the current budget is considerably less than this calculated number, the reader now has a good starting point for requesting a budget increase. If the current budget is considerably more, then the reader is doing a relatively good job, and this author hopes that he or she can now sleep better at night. In the latter case, the author suggests that the reader not bother mentioning this study or the associated calculations to top management (unless the reader wants to show that they are doing their due diligence in the information security area). Be sure to take this total budget number with a “grain of salt.” The unique circumstances at the firm in question (as should be reflected in a recent risk assessment) will mean that more or less will need to be spent.
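The three-step estimate above, carried through as an added example (this is not code from the report or from Information Shield); it generalizes the Health Care walk-through to any industry and organization size, reusing the report’s 1.299% Health Care ratio, US$42,250 loaded cost and 36.28% staff share, and the Table A-5 staff shares. The 10% “considerably more or less” threshold in the comparison step is an assumption of this example.

```python
"""Rough information security staffing and budget benchmark.

Added example, not code from the Information Shield report. It carries out the
report's estimate (total FTEs x industry staffing ratio, x fully-loaded cost
per staff member, / share of the budget devoted to staff) and the final
comparison against the current budget.
"""
from dataclasses import dataclass

# Share of the information security budget devoted to in-house staff, by
# industry, transcribed from Table A-5 of the report (as fractions).
STAFF_SHARE_BY_INDUSTRY = {
    "Computers/Telecommunications": 0.44,
    "Education": 0.65,
    "Government": 0.64,
    "Government (State and Local)": 0.35,
    "Manufacturing": 0.37,
    "Retailing/Wholesaling": 0.40,
    "Transportation/Distribution": 0.075,
    "Financial Services": 0.34,
    "Health Care": 0.42,
    "Utilities": 0.28,
    "Services/Consulting": 0.24,
    "Telecommunications": 0.35,
    "Other": 0.32,
}
# Cross-industry average share of budget devoted to staff (36.28% in the report).
AVERAGE_STAFF_SHARE = 0.3628


@dataclass(frozen=True)
class BudgetEstimate:
    security_ftes: int      # headcount devoted to information security
    labor_budget: float     # security_ftes x fully-loaded cost per worker
    total_budget: float     # labor_budget / share of budget devoted to staff


def estimate_budget(total_ftes: int, staffing_ratio: float,
                    loaded_cost_per_fte: float,
                    staff_share: float = AVERAGE_STAFF_SHARE) -> BudgetEstimate:
    """Apply the report's calculation.

    total_ftes:          all FTEs at the organization, including contractors,
                         temporaries and outsourcing firms.
    staffing_ratio:      industry fraction of FTEs devoted to information
                         security (0.01299 for Health Care in Table A-1).
    loaded_cost_per_fte: salary plus employer payroll taxes and benefits, in
                         whatever currency the reader uses.
    staff_share:         fraction of the security budget spent on staff; the
                         report divides by the 36.28% cross-industry average.
    """
    if total_ftes <= 0:
        raise ValueError("total_ftes must be positive")
    if not 0.0 <= staffing_ratio <= 1.0:
        raise ValueError("staffing_ratio must be a fraction between 0 and 1")
    if loaded_cost_per_fte < 0:
        raise ValueError("loaded_cost_per_fte cannot be negative")
    # A zero staff share would divide by zero: the labor-based estimate then
    # says nothing about the total budget, so refuse rather than guess.
    if not 0.0 < staff_share <= 1.0:
        raise ValueError("staff_share must be a fraction in (0, 1]")

    # The report rounds 10,000 x 1.299% = 129.9 to 130 FTEs.
    security_ftes = round(total_ftes * staffing_ratio)
    labor_budget = security_ftes * loaded_cost_per_fte
    total_budget = labor_budget / staff_share
    return BudgetEstimate(security_ftes, labor_budget, total_budget)


def compare_to_current(estimate: BudgetEstimate, current_total_budget: float,
                       tolerance: float = 0.10) -> str:
    """Classify the current budget against the benchmark.

    The report speaks of a budget being "considerably" more or less than the
    estimate without fixing a threshold; the 10% tolerance is an assumption
    of this example, not the report's.
    """
    benchmark = estimate.total_budget
    if current_total_budget < benchmark * (1 - tolerance):
        return "below benchmark: starting point for a budget increase request"
    if current_total_budget > benchmark * (1 + tolerance):
        return "above benchmark: spending more than industry peers"
    return "near benchmark"


if __name__ == "__main__":
    # The report's worked example: 10,000 FTEs, Health Care ratio of 1.299%,
    # US$42,250 fully-loaded cost, 36.28% of budget devoted to staff.
    est = estimate_budget(10_000, 0.01299, 42_250)
    print(f"security FTEs: {est.security_ftes}")       # 130
    print(f"labor budget:  {est.labor_budget:,.0f}")    # 5,492,500
    print(f"total budget:  {est.total_budget:,.0f}")    # 15,139,195
    # Constructed current budget for the comparison step.
    print(compare_to_current(est, 9_000_000))
```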

Information Security and the Organizational Structure

The 2011 survey also included a number of questions to determine how the information security group reports within the organization, including whether or not the organization had actually designated information security as a formally recognized business group.

Information Security as a Formal Group

A new question appearing on the survey asked whether information security was a formally named group. Some 31.42% of the respondents indicated that, in their organizations, it did not yet have a specific name such as “group,” “unit,” “department,” or “division.” This is a bad sign, indicating that the special needs of this unit are still not being recognized by top management in about one third of the respondent firms. In all but the smallest of firms, Information Security should be recognized as its own group, because it is distinctly different from the departments into which it has traditionally reported (such as Information Technology).

To best accomplish its assigned goals, the Information Security function needs to have its own organizational infrastructure, including: a budget, job descriptions, a mission statement, a management reporting structure, a management oversight committee, and the like. That a “no” answer to this question was indicative of a relatively immature information security function was readily revealed because the “no” respondents had an information security function in existence on the average for 2.93 years. This compares to respondents for the survey as a whole, which averaged 5.58 years, and those organizations that answered “yes,” which averaged 6.71 years.

Senior Management Designations

Respondents to the 2011 survey were additionally asked whether they had a designated Chief Information Security Officer (CISO). Some 49.32% responded that they did not. While every information security function needs to have a single manager who acts as the conductor, who orchestrates activities across various different functional specialties, departments, and organizations, that individual does not need to report directly to the CEO (and thus be a C-Level manager, and be granted the coveted “chief” designation). Rather than reporting to the CEO, reporting relationships at the respondent firms were all over the map, including reporting into Operations, Legal, Risk Management, Physical Security, and Information Technology. The appointment of a CISO, if not specifically with this title (perhaps a Vice President), does nevertheless seem to be a trend. This was evident because the more mature information security functions included a CISO, while the less mature functions marginally did not. The average age of the information security function for those who said “no” to this question was 4.58 years, while the average age for those who said “yes” was 6.57. This trend is consistent with prior surveys. For example, www.infosecurity.com published an article by Avtar Sehmbi in July 2010, describing survey results from Deloitte, which indicated that fully 85% of large organizations worldwide had named a CISO.

Information Security Reporting Structure

Continuing with the discussion about where the information security function should report, the 2011 survey noted that a disturbingly large 72.30% of the respondents had the function within Information Technology or some similar information services group. This traditional arrangement is problematic because this reporting relationship involves inherent conflicts of interest that, unfortunately, will often be resolved in a manner to the detriment of information security (user friendliness trumps security, for example). Another reason why Information Security should not report up through Information Technology is that often the IT group looks at IT as a utility service, and information security will suffer severely if it is approached as a commodity that can be engineered so as to minimize costs. Information security instead needs to be customized to the needs of a particular organization, and to do this well it needs to report to a middle manager who has a risk management perspective. The 72.30% of respondents is high compared to other polls that this author has seen. For example, at the San Francisco ISACA Chapter’s 2011 Fall Conference, an informal poll of 275 people working in IT audit and information security revealed that about 30% had an information security group reporting up through IT organizations. The 72.30% figure is probably a reflection of the large number of international respondents in this survey, while the ISACA poll was almost entirely made up of domestic US respondents.

After IT, the next most prevalent places for the information security function to report were Operations (5.41%), Legal (4.05%), Human Resources (3.38%), and Insurance & Risk Management (2.70%). This author shuddered to note that one respondent reported through the Internal Audit Department -- another strongly discouraged organizational structure, which brings with it serious conflicts of interest. The author was also disappointed that only one respondent reported up through a Project Management Office. The use of project management tools and techniques to manage complex information security activities is expected to strongly increase in the years ahead. Although many of the respondents listed their relevant professional certifications, only three listed the PMP (Project Management Professional) designation [see Table A-7].

Table A-6: Information Security Function Reporting

Department or Organizational Unit   Percent of Respondents
Information Technology              72.30%
Operations                          5.41%
Legal                               4.05%
Human Resources                     3.38%
Insurance and Risk Management       2.70%
Physical Security                   0.67%
All Others                          11.49%

Professional Certifications

Another new question in the 2011 survey asked if the respondents had one or more professional information security certifications. This question was designed to approximately measure the level of training and/or experience within the information security functions. Some 59.46% of the respondents indicated they had one or more current professional certifications. Some of those who said they had certifications did not provide the specific certifications that they held. The noted designations are provided below, in order from most to least frequent. The number to the right shows the number of times each certification was listed by a respondent. Those designations with only one respondent are not listed below. Readers might consider this ranking to be a rough indicator of the relative value that people now place on these certifications.

Table A-7: Most Popular Professional Certifications Listed by Respondents in Descending Order of Frequency

Professional Certification                Number of Respondents
CISSP                                     33
CISM                                      25
CISA                                      21
CEH                                       12
CRISC                                     9
ISO 27001 (Implementer and/or Auditor)    7
CGEIT                                     3
PMP                                       3
GSEC                                      3
ITIL                                      3
GCIH                                      2
CISMP                                     2
Others                                    2

Outsourcing the Information Security Function

Respondents were also asked to indicate how much of the information security work at their firm was outsourced. Some 60% of the respondents did some outsourcing. For those which did some outsourcing, the average percentage of the work that was outsourced was 28.69%. Intrusion detection monitoring services, penetration tests, risk assessments, filtering (web, firewall, and email), and code reviews were the most frequently cited activities to outsource. If we look at all respondents instead of simply those which did some outsourcing, we see that on the average 17.64% of the budget is outsourced. This 2011 number reveals a very significant increase over the 1997 average, which indicated that on the average only 7.44% of the budget was outsourced. The movement of so many activities to “the cloud,” and the increasing sophistication of so many different information security related outsourcing outfits, is consistent with this significant increase.

Table A-8: Percentage of Outsourced Information Security Work

Business Activity                  Percentage of Work Done by Third Parties
Computers                          7%
Telecommunications                 50%
Education                          20%
Government (Federal)               26%
Government                         12%
Manufacturing                      20%
Retailing/Wholesaling              26%
Transportation/Distribution        8%
Financial Services                 18%
Health Care                        9%
Utilities                          18%
Services/Consulting                15%
Other                              42%
Average (Across all respondents)   18%

It was also interesting that some respondent organizations are outsourcing a very large portion of their information security work. Specifically, some 4.67% of the survey respondents who are outsourcing give 70% of their information security work to outsourcing firms. Similarly, 5.95% of this same group is outsourcing 80% of their work, some 2.38% are outsourcing 90% of their work, and some 1.19% are outsourcing 100% of their work. The future direction definitely is an increased use of outsourcing, and that makes sense, especially in those circumstances when specialized technical expertise is needed but is not supplied via in-house staff. There didn’t appear to be a correlation between the use of outsourcing and the age of the information security function. Among those firms using outsourcing for information security work, the average age of the function was 5.74 years, and this was pretty much the same as the average age for all respondents: 5.59 years.

Use of Temporary Staff

Respondents were also asked whether they used contractors or temporary staff for information security matters. Some 52.86% of the respondents indicated that temporary workers performed at least some information security tasks. This relatively high percentage is of concern to this author, given that a 2007 survey of UK firms by Websense indicated that fully 80% of temp workers had much the same access privileges as permanent staff, yet most temps had considerably less accountability, and most had not been adequately briefed about security before their work began. Of course, the Websense survey was UK specific, but this is unfortunately a common approach to the use of temporary and contractor workers worldwide.

Table A-9: Percentage of Work Done by Temporary Information Security Workers

Business Activity               Percentage of Work Done by Temporary Staff
Computers/High-Tech             16%
Telecommunications              45%
Education                       20%
Government                      18%
Government (State and Local)    26%
Manufacturing                   15%
Retailing/Wholesaling           32%
Transportation/Distribution     7%
Financial Services              20%
Health Care                     14%
Utilities                       18%
Services/Consulting             15%
Other                           38%
Average                         19%

Within the survey, among those who used temporary workers, the average percentage of information security work done by temps was a relatively high 37.03%. The use of temps seemed also to be more prevalent at those firms which had more established information security functions. While the average number of years that an information security function was in place was 5.59 for all survey respondents, for those who used temps, the function had been established on the average some 6.43 years. There was a difference, but not all that much of a difference.

Data Privacy Staffing and Ratios

The 2011 survey also included new questions regarding the growing importance of the data privacy function. One positive sign was that fully 29.05% of the respondents did have a designated Chief Privacy Officer (CPO). Depending on a respondent firm’s activities, the establishment of a CPO is encouraged, if not explicitly required, by recent legislation such as the US Gramm-Leach-Bliley Act of 1999. Among those who answered this question with a “yes,” the average number of FTEs devoted to the privacy function was 3.16. In some cases privacy work was a part-time function, and in the extreme outlier response, there were some 30 people devoted to an internal privacy function. It was interesting that a few people indicated that zero FTEs were devoted to the privacy function, so in these cases the designation of a CPO was perhaps simply to satisfy a regulatory requirement (a paper title rather than a functional title).

Conclusion

In summary, while substantial progress has been made, the progress has largely been driven by pressure from outsiders, loss incidents, and efforts to comply with laws and regulations. Fundamental structural problems, such as having information security report up through the Information Technology Department, still hamper the effectiveness of many information security efforts, and no doubt still keep the function's budget lower than it would otherwise be. In 31.42% of the respondent organizations, information security is still NOT recognized as a unique function which warrants its own group, with its own budget, management reporting chain, and organizational structure.

“30% of respondents have a designated privacy officer.”


The good news is that information security budgets are rapidly expanding, and they are commanding a much larger share of organizational resources than they have in past years. Nonetheless, it remains to be seen whether this expansion of activity will be enough to maintain stable, reliable, and secure information systems. Anticipated budget increases for the following year averaged 13.58%, which was down from the 1997 survey result of 17.78% but still very healthy in this tough economy. The average ratio of information security workers to total workers was 0.53%, up very substantially from the 1997 survey average of 0.06%. This ratio was again shown to vary considerably by industry, and those industry-specific ratios are provided in this report.

One approach that seems to be working, in terms of obtaining a larger information security budget, is reporting actual security incidents experienced both in-house and in the same industry. Another approach that seems quite influential is to communicate to top management the implications of information security relevant laws and regulations. Those firms reporting that laws and regulations had a "high influence" on their budgets, which made up fully 38% of the respondents, had a very impressive staffing ratio of 0.71%.

Another strategy that seems to be working well is outsourcing, and the percentage of information security work that is outsourced has risen over the last 14 years from 7.44% to 17.46%. Automation of information security activities also seems to be continuing, and this is reflected in the continuing decline in the percentage of total information security expenditures devoted to labor (now 36.28% of the budget). Consistent with the outsourcing numbers, some 52.86% of the respondents reported that they used temporaries to perform some information security work. Looking only at those firms using temps, some 37.03% of the information security budget went to temps. These and other numbers described in the body of this report bode well for the outsourcing and temporary staffing firms operating in the information security field.


Overview of the Survey Methodology

History of the 2011 Staffing Survey

In 1987 and 1997, the Computer Security Institute (now part of TechWeb) sponsored two surveys where this author compiled ratios indicating average information security staffing levels. Back then, the surveys were handled via paper forms. A similar, updated survey was undertaken via the Internet in 2011, thanks to sponsorship from Information Shield. This summary report focuses primarily on the results of the 2011 survey, but occasionally makes reference to the older data to show the direction in which things are moving.

Defining “Information Security”

We defined the "information security function" in all three of the above-mentioned surveys as all activities that protect information and/or information systems. This included systems-related contingency planning, archival records management, and information systems access control. This definition of the information security function excluded information technology (IT), systems auditing, risk management, legal, human resources, and physical security activities that were not information security related. Only those staff members who perform information security duties not expected of rank-and-file employees were counted in the information security function. As might be expected, users who attend to their own information security tasks would likewise be outside the scope of the information security function as we defined it here.

The calculations in all three surveys were based on FTEs (full-time equivalents). So, for example, four half-time people would be equivalent to two full-time people. Outsourcing firm staff, temporaries, consultants, and contractors who perform information security work were included in the total FTE count. In prior surveys a variety of ratios were calculated, including information security FTEs divided by systems audit FTEs, and separately information security FTEs divided by physical security FTEs. Since most of the readers of those past surveys were interested primarily in information security FTEs divided by total organizational FTEs, in the 2011 survey we focused on that one ratio.

About the Survey Data

We should add a few caveats about the survey numbers described herein. First of all, these numbers are only suggestive of real-world conditions, and should not be construed as definitive. Respondents to the 2011 survey could remain anonymous, although some 57% chose to provide identifying information. This author and David Lineman (who helped prepare the survey and provided data analysis) did no vetting of the survey responses. Thus it could be that more than one person from the same organization responded to the survey (however, a review of the organization names provided by respondents indicated no such problem). Likewise, respondents could be mistaken about the numbers they provided, and nobody would know it. Because responses were potentially anonymous, the survey tabulators and analysts in many cases had no way of confirming that the numbers provided reflected real-world conditions. Thus the 2011 survey should NOT be considered statistically valid (nor should the prior surveys). Accordingly, statistical measures such as standard deviations and confidence intervals were not calculated, and the reader will find only averages discussed in this report.

Possible Biases

In addition, there are undoubtedly several unexplored biases incorporated into the group who responded to the 2011 survey. Aside from the fact that respondents would get a free copy of the results, neither the author nor the sponsor knows why certain people responded and why certain other people did not. Perhaps those who did not respond are not as adept at navigating the Internet, and thus were not aware that such a survey was being conducted. Perhaps those who did not respond do not devote as much time to continuing professional education, and thus did not come across notices about the survey. Perhaps those who responded are more stressed about budgetary matters, and more urgently in need of information of this nature. Certainly there are other biases that were influential and that we have not had the resources or the time to fully explore. Suffice it here to say that we did not, in any of these surveys, structure the sample so that it would be truly representative of current real-world organizations.

In spite of these cautionary notices, this survey looks to be one of the most definitive sources, if not the most definitive source, of information about the actual staffing levels prevailing in the information security field. The 2011 survey, with data gathering conducted in the fall of 2011, produced 199 results and 148 usable responses. Incomplete responses were used in those cases where data points were provided. Responses from consulting and outsourcing firms specializing in information security were thrown out of the data set to be analyzed because they would otherwise unduly skew the results. Computationally this was achieved by removing all input data from those firms which had an information security staff divided by total staff ratio of over 5%. Firms that specialize in the information security field were asked not to respond, but the data received indicates that a significant number of them, especially consulting firms, did in fact respond. The 5% cut-off was our way of removing their data from the data set that we analyzed. We appreciate their interest in the survey, but the results of this survey do not apply to their firms (although the results do apply to their customers).
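As an added, constructed illustration (not part of the survey or its analysis), the following Python reproduces the methodology described above for anyone who wants to benchmark their own figures the same way: FTEs are summed from fractional appointments and include temps, consultants, contractors and outsourcing staff; respondents with no total-staff figure still contribute their other data points; and any respondent whose information security to total staff ratio exceeds the 5% cut-off is dropped as a security specialist firm before averages are taken. The organizations, industries and numbers in SAMPLE are invented.

```python
"""Staffing-ratio benchmark following the survey methodology, on constructed data.

FTE counting follows the report: fractional appointments are summed, and temps,
consultants, contractors and outsourcing staff doing security work count toward
the information security FTE total. Respondents whose security-to-total ratio
exceeds the 5% cut-off are treated as security specialist firms and dropped, and
incomplete responses still contribute whatever data points they did provide.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

SPECIALIST_CUTOFF = 0.05  # ratio above which a respondent is treated as a security firm


@dataclass
class Response:
    org: str
    industry: str
    total_fte: Optional[float]            # None when the respondent left it blank
    employee_infosec_fte: float = 0.0
    contractor_infosec_fte: float = 0.0   # temps, consultants, contractors, outsourcers
    budget_increase_pct: Optional[float] = None

    def infosec_fte(self) -> float:
        return self.employee_infosec_fte + self.contractor_infosec_fte

    def ratio(self) -> Optional[float]:
        """Information security FTEs divided by total organizational FTEs."""
        if self.total_fte is None or self.total_fte <= 0:
            return None
        return self.infosec_fte() / self.total_fte


def fte(*appointments: float) -> float:
    """Sum fractional appointments: four half-time people are 2.0 FTE."""
    return float(sum(appointments))


def drop_specialists(responses, cutoff=SPECIALIST_CUTOFF):
    """Split responses into (kept, dropped) using the ratio cut-off.

    Responses with no computable ratio are kept so their other data points
    (e.g. budget figures) still count, as the report did with incomplete answers.
    """
    kept, dropped = [], []
    for r in responses:
        ratio = r.ratio()
        (dropped if ratio is not None and ratio > cutoff else kept).append(r)
    return kept, dropped


def average_ratio(responses) -> Optional[float]:
    ratios = [r.ratio() for r in responses if r.ratio() is not None]
    return mean(ratios) if ratios else None


def ratio_by_industry(responses) -> dict:
    groups: dict = {}
    for r in responses:
        if r.ratio() is not None:
            groups.setdefault(r.industry, []).append(r.ratio())
    return {industry: mean(vals) for industry, vals in groups.items()}


def average_budget_increase(responses) -> Optional[float]:
    vals = [r.budget_increase_pct for r in responses if r.budget_increase_pct is not None]
    return mean(vals) if vals else None


# Constructed sample responses; the names, sizes and figures are invented for illustration.
SAMPLE = [
    Response("Bank A", "finance", 4000, employee_infosec_fte=18, contractor_infosec_fte=4,
             budget_increase_pct=10),
    Response("Retailer B", "retail", 12000, employee_infosec_fte=20),
    Response("Hospital C", "healthcare", 3000,
             employee_infosec_fte=fte(0.5, 0.5, 0.5, 0.5), contractor_infosec_fte=1.0,
             budget_increase_pct=15),
    # A consulting firm: 30 of 40 staff do security work, so it exceeds the cut-off.
    Response("SecConsult D", "consulting", 40, employee_infosec_fte=30, budget_increase_pct=50),
    # An incomplete response: no total headcount, but its budget figure is still usable.
    Response("Incomplete E", "retail", None, employee_infosec_fte=5, budget_increase_pct=20),
]


def summarize(responses=SAMPLE) -> dict:
    kept, dropped = drop_specialists(responses)
    return {
        "dropped": [r.org for r in dropped],
        "average_ratio": average_ratio(kept),
        "by_industry": ratio_by_industry(kept),
        "average_budget_increase_pct": average_budget_increase(kept),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Note that the cut-off is applied per respondent before any averaging, and that a respondent with no headcount figure is kept rather than discarded, so a missing ratio does not remove its budget figure from the budget average.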

Several automated error checks were also employed to help assure that only legitimate (reasonable) responses were entered. Due to the substantial number of respondents, this author submits that the results are representative of real-world conditions. According to a rough interpretation of the law of large numbers, the larger the number of respondents, the more likely it is that the results will converge on the true conditions; that convergence assumes, however, that the respondents are not systematically unrepresentative, so the possible biases noted above still apply.


About the Author

Charles Cresson Wood, CISSP, CISM, CISA is an author, researcher, and management consultant based in Mendocino, California. In the information security field on a full-time basis since 1979, he has done information security work with over 120 organizations, many of them Fortune 500 companies, including a significant number of financial institutions and high-tech companies. His consulting work has taken him to over twenty different countries around the world.

He has published over 375 technical articles and six books in the information security field. In addition to various TV and radio appearances, he has been quoted as an expert in publications such as Business Week, Christian Science Monitor, Computerworld, IEEE Spectrum, Infoworld, LA Times, Network Computing, Network World, PC Week, The Wall Street Journal, and Time. He has also presented cutting-edge information security ideas at over 100 technical and professional conferences around the globe.

All Contents Copyright 2012, Information Shield, Inc.

All rights reserved. All trademarks cited herein are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under § 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the copyright holder.

Limit of Liability/Disclaimer of Warranty: While the copyright holders, publishers, and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of its contents and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. The advice and strategies contained herein are based on the author's experience and may not be usable for your situation. You should consult with an information security professional where appropriate. Neither the publishers nor authors shall be liable for any loss of profit or any other commercial damages, including, but not limited to, special, incidental, consequential, or other damages.