Information security staffing guide (2024)

Many companies struggle with the decision of when to hire information security or cybersecurity staff. The following Q&A represents a benchmark derived from 250 companies across different industry verticals on how they choose to staff security teams within their organization.

How Many Information Security or Cybersecurity Staff Should I Have?

The overwhelming answer is that it depends, and there’s little research on the topic. Every company is different, and technology and security needs vary widely. A general rule is that your security staff should account for 5-10% of your IT staff. The actual percentage of security staffing will vary. Sometimes you’ll be closer to 5% when growing the IT team, and closer to 10% when staffing security. These averages seem to be consistent bumpers in the security staffing bowling lane.

When Should I Hire a Chief Information Security Officer (CISO)?

This also depends on the company and a variety of factors:

  1. Four or more security staff
    You have a lot of cybersecurity staff and need a people manager. This can be a solid trigger. In this case, shoot for staffing a CISO at 4+ cybersecurity analysts.
  2. Four thousand total employees
    Once your organization hits 4,000-5,000 employees, you should hire a CISO. If this is your trigger, then you’re hiring the CISO as a security evangelist. They should focus on priming your collective staff to self-select the correct behavior as it relates to security.
  3. Your business requires security chops to sell a product
    In this case we see companies hiring a CISO as soon as possible, especially when it’s tied to revenue. Between vendor assessment questionnaires, client calls, and anything else meant to prove security and inspire consumer confidence, your CISO will need strong client-facing and maybe even sales skills.
  4. All of the above
    If your business meets the previous three security needs, the CISO typically has strong security lieutenants to support varying and diverse security needs.

Many companies are still struggling to retain security talent. Check out these additional resources to support your cybersecurity hiring process:

More companies are looking to managed services providers and flexible security resourcing options like NuHarbor. Contact us today to learn more about how we can help provide comprehensive cybersecurity for your company.

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
