How Small Businesses and Big Enterprises Structure Their Cybersecurity Teams
When it comes to cybersecurity, bigger may not always be the best indicator of effectiveness.
(ISC)2 research reveals that organizations of all sizes take similar approaches to structuring their cybersecurity teams. Set aside bigger technology budgets for a moment and focus on people: look at how small and midsized businesses (SMBs) and enterprises align their cybersecurity talent by functional role within their organizations, and what you'll find are striking similarities.
These findings, based on the (ISC)2 2020 Cybersecurity Workforce Study, suggest that organizational size has little bearing on how cybersecurity operations are structured. Furthermore, study participants by and large seem satisfied that their organizations are doing a good job of matching their teams' roles and capabilities to organizational needs.
Are Small Businesses Less Prepared for Cyber Attacks?
It has generally been assumed that enterprises are better equipped to fight cybercrime than smaller organizations, but the findings indicate that SMBs may be working from the same playbook. This is consistent with a 2019 (ISC)2 study showing that SMBs and enterprises hire proportionally similar numbers of cybersecurity staff and have similar priorities when it comes to securing their networks, and it is reinforced again by the findings of the latest Cybersecurity Workforce Study.
To get a clearer picture of how security teams are structured, we asked study participants to describe their roles. We found very little deviation across organizational size in the functional security roles participants hold.
Which of the following best describes the primary functional area in which you work within your organization?

| Functional area | Small (< 1,000 employees) | Midsized | Enterprise | Total respondent mean |
|---|---|---|---|---|
| DevOps | 7% | 8% | 6% | 7% |
| Management & Leadership | 21% | 17% | 16% | 19% |
| Policy & Compliance | 7% | 9% | 7% | 8% |
| Risk Assessment & Management | 11% | 11% | 15% | 12% |
| Security Administration | 20% | 21% | 19% | 20% |
| Security Consulting | 10% | 9% | 10% | 10% |
| Security Operations | 12% | 16% | 14% | 13% |
| Specialized (e.g., forensics, penetration testing, malware research) | 5% | 5% | 4% | 5% |
We then asked respondents to estimate what percentage of their cybersecurity teams hold each of the following functional roles, and how that compares with what they consider an ideal team structure.
Approximately what percentage of your CURRENT cybersecurity team hold the following roles or responsibilities? (2020)

| Role or responsibility | Small (< 1,000 employees) | Midsized | Enterprise | Total respondent mean |
|---|---|---|---|---|
| Security Operations | 20% | 21% | 25% | 21% |
| Security Administration | 16% | 15% | 16% | 16% |
| Risk Management | 14% | 13% | 14% | 13% |
| Compliance | 13% | 12% | 13% | 13% |
| Forensics | 7% | 7% | 5% | 7% |
| Penetration Testing | 8% | 9% | 7% | 8% |
| Secure Software Development | 11% | 11% | 9% | 11% |
| Operational Technology Security (ICS) | 11% | 11% | 11% | 11% |
Approximately what percentage of your IDEAL cybersecurity team would hold the following roles or responsibilities? (2020)

| Role or responsibility | Small (< 1,000 employees) | Midsized | Enterprise | Total respondent mean |
|---|---|---|---|---|
| Security Operations | 20% | 21% | 23% | 20% |
| Security Administration | 15% | 14% | 15% | 15% |
| Risk Management | 14% | 13% | 14% | 13% |
| Compliance | 12% | 11% | 11% | 11% |
| Forensics | 8% | 8% | 7% | 8% |
| Penetration Testing | 9% | 9% | 9% | 9% |
| Secure Software Development | 12% | 12% | 11% | 12% |
| Operational Technology Security (ICS) | 11% | 11% | 11% | 11% |
Comparing the current team percentages with the ideal ones, respondents appear largely content with their teams' composition and alignment against key functional areas: no role differs by more than a couple of percentage points in any size band. This holds true across all organizational sizes and implies that cybersecurity professionals are relatively satisfied with how their teams are aligned.
Moreover, the 2020 findings echo similar results from our 2019 Cybersecurity Workforce Study.
Approximately what percentage of your CURRENT cybersecurity team hold the following roles or responsibilities? (2019)

| Role or responsibility | Small (< 1,000 employees) | Midsized | Enterprise | Total respondent mean |
|---|---|---|---|---|
| Security Operations | 22% | 23% | 22% | 22% |
| Security Administration | 16% | 15% | 15% | 15% |
| Risk Management | 13% | 13% | 12% | 13% |
| Compliance | 12% | 12% | 12% | 12% |
| Forensics | 8% | 8% | 8% | 8% |
| Penetration Testing | 8% | 9% | 9% | 8% |
| Secure Software Development | 10% | 10% | 10% | 10% |
| Operational Technology Security (ICS) | 11% | 11% | 12% | 11% |
Approximately what percentage of your IDEAL cybersecurity team would hold the following roles or responsibilities? (2019)

| Role or responsibility | Small (< 1,000 employees) | Midsized | Enterprise | Total respondent mean |
|---|---|---|---|---|
| Security Operations | 22% | 22% | 22% | 22% |
| Security Administration | 15% | 15% | 15% | 15% |
| Risk Management | 12% | 14% | 12% | 13% |
| Compliance | 11% | 10% | 11% | 11% |
| Forensics | 9% | 9% | 8% | 9% |
| Penetration Testing | 9% | 9% | 9% | 9% |
| Secure Software Development | 10% | 11% | 12% | 10% |
| Operational Technology Security (ICS) | 12% | 10% | 12% | 11% |
Spotting Differences
The data show that a key difference between cybersecurity teams of different organizational sizes lies in job titles. In smaller organizations, cybersecurity responsibilities are more often held by people with IT-oriented job titles, while larger organizations report higher percentages of professionals with security-specific titles. This may be attributable to larger enterprises having established cybersecurity groups alongside their IT teams, while SMBs continue to rely on IT personnel for their security. However, this may be offset by small organizations reporting the highest percentage of IT staff dedicated to cybersecurity (41% at small organizations vs. 34% at midsized organizations and 36% within large enterprises).
Job Titles Most Commonly Held by Study Participants

- Application Developer/Tester
- CIO
- CISO
- CTO
- Information System Security Manager
- VP IT
- IT Auditor
- IT Director
- IT Manager
- IT Security Director
- IT Security Manager
- IT Specialist
- Network/System Administrator
- Security Administrator
- Security Analyst
- Security Architect/Engineer
- Security/Compliance Officer
- Security Consultant/Advisor
- Security Specialist
- Systems Architect
- Systems Engineer
- Technical Consultant
- Help Desk Technician
Respondents' Job Titles Categorized as IT or Security

| Title category | Small (< 1,000 employees) | Midsized | Enterprise | Total respondent mean |
|---|---|---|---|---|
| Security Title | 25% | 31% | 56% | 32% |
| IT Title | 75% | 69% | 44% | 68% |
What percentage of your total IT staff is dedicated to cybersecurity?

| Staff category | Small (< 1,000 employees) | Midsized | Enterprise | Total respondent mean |
|---|---|---|---|---|
| IT Staff NOT Dedicated to Cybersecurity | 59% | 66% | 64% | 63% |
| IT Staff Dedicated to Cybersecurity | 41% | 34% | 36% | 37% |
Certifications Strong at all Levels
Another area of common ground across organizational sizes is cybersecurity certification. Professionals at SMBs and enterprises hold similar certifications and similar numbers of them (an average of between 3 and 4 certifications per respondent), and they plan to earn further certifications at similar rates.
Which of the following best describes your plans to pursue any cybersecurity certifications in the future?

| Certification plans | Small (< 1,000 employees) | Midsized | Enterprise | Total respondent mean |
|---|---|---|---|---|
| Currently pursuing | 23% | 24% | 23% | 23% |
| Planning to pursue within the next 6 months | 20% | 22% | 17% | 20% |
| Planning to pursue 6 – 12 months from now | 20% | 21% | 18% | 20% |
| Planning to pursue 1 – 2 years from now | 12% | 14% | 8% | 12% |
Top 10 Certifications Held, by Organization Size

| Certification | Small (< 1,000 employees) | Midsized | Enterprise | Total respondent mean |
|---|---|---|---|---|
| CISSP | 44% | 50% | 63% | 49% |
| CCNA Security (Cisco) | 29% | 28% | 15% | 26% |
| CISSP with concentration | 26% | 24% | 15% | 23% |
| CCNP Security (Cisco) | 20% | 20% | 9% | 18% |
| CCSP | 18% | 19% | 14% | 18% |
| CCNA Cyber Ops (Cisco) | 14% | 18% | 8% | 14% |
| Web Security Professional (CIW) | 17% | 15% | 6% | 14% |
| CISA (ISACA) | 14% | 13% | 14% | 14% |
| CASP (CompTIA) | 14% | 15% | 5% | 13% |
| CISM (ISACA) | 11% | 13% | 13% | 12% |
Our findings indicate that size alone cannot determine how effective an organization's cybersecurity capabilities may be. This is important for organizations to keep in mind as scrutiny of their supply chains and partners intensifies.
What Do You Think?
So, are the security capabilities of SMBs too quickly and unfairly dismissed? Do we automatically give enterprises more credit than we should just because they are big? How do you evaluate the security capabilities of your partners and potential vendors?
Join the conversation at the (ISC)2 Community.