How Small Businesses and Big Enterprises Structure Their Cybersecurity Teams

Feb 09, 2021

When it comes to cybersecurity, bigger may not always be the best indicator of effectiveness.

(ISC)2 research reveals that organizations of all sizes follow similar strategies when structuring their cybersecurity teams. Set aside bigger technology budgets for a moment and focus on people: look at how small and midsized businesses (SMBs) and enterprises align their cybersecurity talent by functional role within their organizations. What you’ll find are striking similarities.

These findings – based on the (ISC)2 2020 Cybersecurity Workforce Study – suggest size has little bearing on how organizations structure their cybersecurity operations. Furthermore, study participants by and large seem satisfied that their organizations are doing a good job of matching their teams’ roles and capabilities to organizational needs.

Are Small Businesses Less Prepared for Cyber Attacks?

It has generally been assumed enterprises are better equipped to fight cybercrime than smaller organizations, but findings indicate that SMBs may be working off the same playbook. This is consistent with a 2019 (ISC)2 study showing SMBs and enterprises hire proportionally similar numbers of cybersecurity staff and have similar priorities when it comes to securing their networks. It is reinforced again with findings from the latest Cybersecurity Workforce Study.

To get a clearer picture of how security teams are structured, we asked study participants to describe their roles. We found very little variation by organizational size in the functional security roles participants hold.

Which of the following best describes the primary functional area in which you work within your organization?

| Functional area | Small (< 1,000 employees) | Midsized (1,000 – 9,999 employees) | Enterprise (10,000+ employees) | Total respondent mean |
|---|---|---|---|---|
| DevOps | 7% | 8% | 6% | 7% |
| Management & Leadership | 21% | 17% | 16% | 19% |
| Policy & Compliance | 7% | 9% | 7% | 8% |
| Risk Assessment & Management | 11% | 11% | 15% | 12% |
| Security Administration | 20% | 21% | 19% | 20% |
| Security Consulting | 10% | 9% | 10% | 10% |
| Security Operations | 12% | 16% | 14% | 13% |
| Specialized (e.g., forensics, penetration testing, malware research, etc.) | 5% | 5% | 4% | 5% |

We then asked respondents to approximate what percentage of their cybersecurity teams hold each of the following functional roles, and how that compares to what they consider an ideal team structure.

Approximately what percentage of your CURRENT cybersecurity team hold the following roles or responsibilities?

| Role or responsibility | Small (< 1,000 employees) | Midsized (1,000 – 9,999 employees) | Enterprise (10,000+ employees) | Total respondent mean |
|---|---|---|---|---|
| Security Operations | 20% | 21% | 25% | 21% |
| Security Administration | 16% | 15% | 16% | 16% |
| Risk Management | 14% | 13% | 14% | 13% |
| Compliance | 13% | 12% | 13% | 13% |
| Forensics | 7% | 7% | 5% | 7% |
| Penetration Testing | 8% | 9% | 7% | 8% |
| Secure Software Development | 11% | 11% | 9% | 11% |
| Operational Technology Security (ICS) | 11% | 11% | 11% | 11% |

Approximately what percentage of your IDEAL cybersecurity team would hold the following roles or responsibilities?

| Role or responsibility | Small (< 1,000 employees) | Midsized (1,000 – 9,999 employees) | Enterprise (10,000+ employees) | Total respondent mean |
|---|---|---|---|---|
| Security Operations | 20% | 21% | 23% | 20% |
| Security Administration | 15% | 14% | 15% | 15% |
| Risk Management | 14% | 13% | 14% | 13% |
| Compliance | 12% | 11% | 11% | 11% |
| Forensics | 8% | 8% | 7% | 8% |
| Penetration Testing | 9% | 9% | 9% | 9% |
| Secure Software Development | 12% | 12% | 11% | 12% |
| Operational Technology Security (ICS) | 11% | 11% | 11% | 11% |

Comparing the percentages for current teams with those for an ideal team, respondents appear largely content with their current teams’ composition and alignment to key functional areas. This holds true across all organizational sizes and implies that cybersecurity professionals are relatively satisfied with how their teams are aligned.

Moreover, the 2020 findings echo similar results from our 2019 Cybersecurity Workforce Study.

Approximately what percentage of your CURRENT cybersecurity team hold the following roles or responsibilities? (2019)

| Role or responsibility | Small (< 1,000 employees) | Midsized (1,000 – 9,999 employees) | Enterprise (10,000+ employees) | Total respondent mean |
|---|---|---|---|---|
| Security Operations | 22% | 23% | 22% | 22% |
| Security Administration | 16% | 15% | 15% | 15% |
| Risk Management | 13% | 13% | 12% | 13% |
| Compliance | 12% | 12% | 12% | 12% |
| Forensics | 8% | 8% | 8% | 8% |
| Penetration Testing | 8% | 9% | 9% | 8% |
| Secure Software Development | 10% | 10% | 10% | 10% |
| Operational Technology Security (ICS) | 11% | 11% | 12% | 11% |

Approximately what percentage of your IDEAL cybersecurity team would hold the following roles or responsibilities? (2019)

| Role or responsibility | Small (< 1,000 employees) | Midsized (1,000 – 9,999 employees) | Enterprise (10,000+ employees) | Total respondent mean |
|---|---|---|---|---|
| Security Operations | 22% | 22% | 22% | 22% |
| Security Administration | 15% | 15% | 15% | 15% |
| Risk Management | 12% | 14% | 12% | 13% |
| Compliance | 11% | 10% | 11% | 11% |
| Forensics | 9% | 9% | 8% | 9% |
| Penetration Testing | 9% | 9% | 9% | 9% |
| Secure Software Development | 10% | 11% | 12% | 10% |
| Operational Technology Security (ICS) | 12% | 10% | 12% | 11% |

Spotting Differences

The data show that a key difference in cybersecurity teams by organizational size lies in job titles. In smaller organizations, cybersecurity responsibilities are more often held by individuals with IT-oriented job titles, while larger organizations report higher percentages of professionals with security-specific titles. This may be attributable to larger enterprises having established dedicated cybersecurity groups alongside their IT teams, while SMBs continue to rely on IT personnel for security. However, this may be offset by SMBs having the highest percentage of IT staff dedicated to cybersecurity (41% at SMBs vs. 36% within large enterprises).

Job Titles Most Commonly Held by Study Participants

· Application Developer/Tester
· CIO
· CISO
· CTO
· Information System Security Manager
· VP IT
· IT Auditor
· IT Director
· IT Manager
· IT Security Director
· IT Security Manager
· IT Specialist
· Network/System Administrator
· Security Administrator
· Security Analyst
· Security Architect/Engineer
· Security/Compliance Officer
· Security Consultant/Advisor
· Security Specialist
· Systems Architect
· Systems Engineer
· Technical Consultant
· Help Desk Technician

Respondents’ Job Titles Categorized as IT or Security

| Title category | Small (< 1,000 employees) | Midsized (1,000 – 9,999 employees) | Enterprise (10,000+ employees) | Total respondent mean |
|---|---|---|---|---|
| Security Title | 25% | 31% | 56% | 32% |
| IT Title | 75% | 69% | 44% | 68% |

What percentage of your total staff is dedicated to IT vs. Cybersecurity?

| Staff category | Small (< 1,000 employees) | Midsized (1,000 – 9,999 employees) | Enterprise (10,000+ employees) | Total respondent mean |
|---|---|---|---|---|
| IT Staff NOT Dedicated to Cybersecurity | 59% | 66% | 64% | 63% |
| IT Staff Dedicated to Cybersecurity | 41% | 34% | 36% | 37% |

Certifications Strong at All Levels

Another area of common ground across organizational sizes is cybersecurity certification. Professionals at SMBs and enterprises hold similar certifications and similar numbers of them (averaging between 3 and 4 certifications). Moreover, they plan to earn additional certifications at similar rates.

Which of the following best describes your plans to pursue any cybersecurity certifications in the future?

| Certification plans | Small (< 1,000 employees) | Midsized (1,000 – 9,999 employees) | Enterprise (10,000+ employees) | Total respondent mean |
|---|---|---|---|---|
| Currently pursuing | 23% | 24% | 23% | 23% |
| Planning to pursue within the next 6 months | 20% | 22% | 17% | 20% |
| Planning to pursue 6 – 12 months from now | 20% | 21% | 18% | 20% |
| Planning to pursue 1 – 2 years from now | 12% | 14% | 8% | 12% |

Top 10 Certifications Held by Org Size

| Certification | Small (< 1,000 employees) | Midsized (1,000 – 9,999 employees) | Enterprise (10,000+ employees) | Total respondent mean |
|---|---|---|---|---|
| CISSP | 44% | 50% | 63% | 49% |
| CCNA Security (Cisco) | 29% | 28% | 15% | 26% |
| CISSP w/conc | 26% | 24% | 15% | 23% |
| CCNP Security (Cisco) | 20% | 20% | 9% | 18% |
| CCSP | 18% | 19% | 14% | 18% |
| CCNA Cyber Ops (Cisco) | 14% | 18% | 8% | 14% |
| Web Security Professional (CIW) | 17% | 15% | 6% | 14% |
| CISA (ISACA) | 14% | 13% | 14% | 14% |
| CASP (CompTIA) | 14% | 15% | 5% | 13% |
| CISM (ISACA) | 11% | 13% | 13% | 12% |

Our findings indicate that size alone cannot determine how effective an organization’s cybersecurity capabilities are. This is important for organizations to keep in mind as scrutiny of their supply chains and partners intensifies.

What Do You Think?

So, are the security capabilities of SMBs too quickly and unfairly dismissed? Do we automatically give enterprises more credit than we should just because they are big? How do you evaluate the security capabilities of your partners and potential vendors?

Join the conversation at the (ISC)2 Community.