Many companies struggle with the decision of when to hire information security or cybersecurity staff. The following Q&A represents a benchmark derived from 250 companies across different industry verticals on how they choose to staff security teams within their organization.
How Many Information Security or Cybersecurity Staff Should I Have?
The overwhelming answer is that it depends, and there’s little research on the topic. Every company is different, and technology and security needs vary widely. A general rule is that your security staff should account for 5-10% of your IT staff. The actual percentage of security staffing will vary. Sometimes you’ll be closer to 5% when growing the IT team, and closer to 10% when staffing security. These averages seem to be consistent bumpers in the security staffing bowling lane.
When Should I Hire a Chief Information Security Officer (CISO)?
This also depends on the company and a variety of factors:
- Four or more security staff
You have a lot of cybersecurity staff and need a people manager. This can be a solid trigger. In this case, shoot for staffing a CISO at 4+ cybersecurity analysts.
- Four thousand total employees
Once your organization hits 4,000-5,000 employees, you should hire a CISO. If this is your trigger, then you’re hiring the CISO as a security evangelist. They should focus on priming your collective staff to self-select the correct behavior as it relates to security.
- Your business requires security chops to sell a product
In this case we see companies hiring a CISO as soon as possible, especially when it’s tied to revenue. Between vendor assessment questionnaires, client calls, and anything else meant to prove security and inspire consumer confidence, your CISO will need strong client-facing and maybe even sales skills.
- All of the above
If your business meets the previous three security needs, the CISO typically has strong security lieutenants to support varying and diverse security needs.
Many companies are still struggling to retain security talent. Check out these additional resources to support your cybersecurity hiring process:
More companies are looking to managed services providers and flexible security resourcing options like NuHarbor. Contact us today to learn more about how we can help provide comprehensive cybersecurity for your company.
