Does your business have enough onsite or outsourced I.T. staff?
Business owners have three choices when it comes to their technology and cybersecurity operations:
- Staff it in-house (“Internal I.T.”)
- Outsource it (“Managed I.T. Services”)
- Combine outsourcing with in-house staff (“Co-Managed I.T.”)
Most assume that these three options primarily address different budgets, and that managed I.T. services or co-managed I.T. are more expensive than internal I.T. In reality, the opposite is true. Not only is internal I.T. almost always the most expensive operations strategy, but it also introduces more cybersecurity risks. If this is true, then why does everyone think that internal I.T. is less expensive? Simple: They underestimate the amount of manpower required to manage today’s technology and cybersecurity.
In this article, we will explain the various responsibilities of I.T. and cybersecurity teams. We will also include time estimates for each task so that we can create a formula for calculating how many staff you would need should you decide to go with an internal I.T. operations approach.
1. Help Desk (Technical Support)
When anyone thinks about I.T. and what’s required of an in-house team, they almost always exclusively think about help desk support. This function of I.T. is what helps solve day-to-day technical problems, on-boards/off-boards staff from the computer systems, and sets up new equipment. Obviously, the amount of manpower required for help desk operations depends on how many issues the business encounters on a day-to-day basis, as well as how efficient the help desk team is. A typical organization with efficient operations, however, should expect to hire 1 full-time dedicated I.T. person for every 25 employees the organization has.
2. Patch Management (Security Updates)
A critical but often overlooked function of I.T. and cybersecurity teams is patch management. Contrary to popular belief, this is not entirely automatic. While other software and hardware platforms have more frequent release schedules, typical Microsoft Windows software updates and patches are released on the second Tuesday of every month. Critical security updates for zero-day exploits are often released much sooner. Given the various frequencies of updates, and many compliance regulations mandating that patches be installed within 2 weeks of release, it is a best practice to check for and install updates at least once per week.
Once a set of updates is released by the manufacturer, all the computers, servers, and other technology devices must download the updates. Once downloaded, the system asks the end-user if/when it can install the updates. Users are given the option to ignore the update or delay its installation. In the case of servers, updates can install automatically, but the server must be manually rebooted for them to take effect.
As you might imagine, there will inevitably be some systems that aren’t adequately patched. Some may fail the download because they were shut down in the middle of the process. Others will be months behind on updates because users continually postpone the update. And, of course, servers can go a year or more without updates since they require manual action to complete the process.
Since updates cause business interruption during their installation, most organizations have their internal I.T. teams install them after business hours. Auditing each system for missing updates and installing required security patches takes approximately 20 minutes per computer per week. Servers often take longer, but we will budget 20 minutes for the sake of simplicity.
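The per-machine audit described in this section can be scripted. The following PowerShell is an added example, not part of the original article: it lists updates that are applicable but not installed, flags those older than the two-week window mentioned above, and checks for the pending-reboot state that leaves servers unpatched. The 14-day threshold and the report field names are assumptions made for illustration.

```powershell
# Added example: local patch audit for one Windows machine. Run in an elevated session.
# Assumption: 14 days mirrors the two-week compliance window cited in the article.
$MaxAgeDays = 14
$now = Get-Date

# 1. Applicable updates that are not installed, via the Windows Update Agent COM API.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$missing  = @($searcher.Search("IsInstalled=0 and IsHidden=0").Updates)

# 2. Missing updates published longer ago than the allowed window.
$overdue = @($missing | Where-Object {
    ($now - $_.LastDeploymentChangeTime).TotalDays -gt $MaxAgeDays
})

# 3. Reboot markers: updates are staged but not effective until the restart happens.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$rebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })

# 4. Most recently installed hotfix (informational; some entries carry no date).
$lastHotfix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1

# One row per machine, suitable for appending to a weekly CSV.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    MissingUpdates = $missing.Count
    OverdueUpdates = $overdue.Count
    OverdueTitles  = ($overdue | ForEach-Object { $_.Title }) -join '; '
    RebootPending  = $rebootPending
    LastHotfixId   = $lastHotfix.HotFixID
    LastHotfixDate = $lastHotfix.InstalledOn
    Compliant      = ($overdue.Count -eq 0) -and (-not $rebootPending)
}
```

A machine is reported as non-compliant when it has overdue updates or a restart outstanding; updates released within the window are counted but do not fail the check.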
3. System Cleanups (Routine Maintenance)
Did you know that you need to run a cleanup utility on your computer once per week to remove temporary files and other background information that slow down your system? No? Neither do your staff. Countless organizations see their productivity decline over time as computers inevitably slow down. Other organizations that value productivity will even replace computers after just a couple of years to avoid this slowdown. In most cases, though, a simple cleanup of the system is all that is needed to bring the computer back to its full performance.
While built-in utilities like the Microsoft Windows Disk Cleanup tool can clean up a lot of the system, more advanced utilities like BleachBit are needed to clean up user-specific files. This process, however, requires the cleanup to be done while the end-user is logged into their computer. Therefore, internal I.T. teams must briefly interrupt users during the day to clean up their systems. Using a utility like BleachBit, the cleanup process takes approximately 15 minutes per computer per week.
4. Endpoint Security Audits (Anti-Malware)
Fortunately, most organizations and business owners understand that having endpoint security (aka “anti-malware” or “anti-virus”) in place is essential. What they assume, though, is that these technologies are “set it and forget it.” Just like how security patches can easily be missed, though, endpoint security scans can as well. Not only that, but endpoint security can be completely missing or misconfigured on a system.
While most endpoint security solutions have built-in scheduled scans that run once per day, the scans will always fail to identify some known threats. For this reason, it’s a cybersecurity best practice to run a standalone scan with a separate malware scanning utility, such as Microsoft Safety Scanner, at least once per week. The combination of these two endpoint security solutions ensures a comprehensive scan of the system and proper removal of known threats.
To audit each system to make sure endpoint security is installed and configured correctly, and to run a second scan with a utility such as Microsoft Safety Scanner, it takes approximately 20 minutes per computer per week.
5. Cybersecurity Configuration Audits
Every organization should have a baseline configuration of computer settings and policies that are strictly followed to ensure there are no gaps in security. Some examples include enabling BitLocker disk encryption, disabling SMBv1 file sharing, disabling macros in Microsoft Office, etc. While these configurations are typically turned on or off just once, they can be modified by end-users or changed following system updates.
To audit each system to make sure it complies with the organization’s baseline configuration, it takes approximately 20 minutes per computer per month. It doesn’t hurt to audit the systems more frequently. However, it isn’t absolutely necessary since the configurations are unlikely to change that often.
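A baseline audit of the three example settings named above can be scripted as follows. This PowerShell is an added example, not part of the original article. It assumes Office 2016 or later (policy path `16.0`) and a baseline that expects macros disabled without notification (`VBAWarnings = 4`); adjust both to your own baseline.

```powershell
# Added example: checks the local machine against three baseline settings.
# Run elevated, in the session of the user being audited (the macro policy is per-user).
$results = @()

# BitLocker: the OS volume should be fully encrypted with protection turned on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results += [pscustomobject]@{
    Check    = 'BitLocker on OS volume'
    Expected = 'On / FullyEncrypted'
    Actual   = "$($os.ProtectionStatus) / $($os.VolumeStatus)"
    Pass     = ($os.ProtectionStatus -eq 'On') -and ($os.VolumeStatus -eq 'FullyEncrypted')
}

# SMBv1, server side: the file-sharing service must not accept SMB1 connections.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$results += [pscustomobject]@{
    Check = 'SMBv1 server protocol'; Expected = 'False'; Actual = "$smb1"; Pass = -not $smb1
}

# SMBv1, optional feature: should be disabled or absent (a feature update can re-add it).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$state   = if ($feature) { "$($feature.State)" } else { 'NotPresent' }
$results += [pscustomobject]@{
    Check = 'SMBv1 optional feature'; Expected = 'not Enabled'; Actual = $state
    Pass  = $state -ne 'Enabled'
}

# Office macros: policy value VBAWarnings = 4 means "disable all without notification".
$officeVersion = '16.0'   # assumption: Office 2016 / 2019 / Microsoft 365 Apps
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    $value = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $results += [pscustomobject]@{
        Check    = "Office macros disabled ($app)"
        Expected = '4'
        Actual   = if ($null -eq $value) { 'not set' } else { "$value" }
        Pass     = $value -eq 4
    }
}

$results | Format-Table -AutoSize
```

A value of `not set` for the macro check means no policy is enforced, so the user can change the setting in the application's Trust Center.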
6. Other Cybersecurity Audits (Email, Users, Firewall, etc.)
There are various other technology platforms used in today’s businesses. From cloud-based email solutions such as Microsoft 365, to firewalls, and to email threat protection platforms, they each require routine audits to ensure that they are configured and working properly. Since most of these platforms don’t have to be audited on a per-user or per-computer basis, especially with many of the tools available today, we are grouping them all together as one. Most internal I.T. teams can conduct these audits once per month in a task that sweeps all the implemented technologies.
To audit Microsoft 365, email threat protection, DNS security, user accounts, and firewalls, it takes approximately 7.75 hours per month.
7. Backup Restore Tests and Audits (Disaster Recovery Drills)
Once again, most organizations make the mistake of assuming backup systems are “set it and forget it.” While they are set up to run on a specific schedule, it’s extremely common for backups to encounter errors due to unreadable files on the protected system, connectivity interruption, etc. Additionally, while most backup systems provide email alerts if a backup failed or could not back up certain files, they are unable to verify if specific backup files are actually recoverable.
For these reasons, it’s critical that organizations manually audit and test backups at least once per month to ensure that they will function as needed in a real recovery event. To run this test once per month, as well as respond to and fix backup errors throughout the month, it takes approximately 3.5 hours per month.
8. I.T. and Cybersecurity Management
To properly run I.T. and cybersecurity operations in-house, you don’t just have to manage the existing technology. Since technology and the cybersecurity threat landscape are changing every day, someone on the team must continuously review what is changing in the industry, direct fellow team members on the necessary changes that need to be implemented, and prepare recommendations for business decision-makers including lifecycle budgeting, cybersecurity vulnerability risk mitigation, etc.
For example: On Tuesday, October 4th 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory (usually released at least once per week) regarding Russian state-sponsored malicious cyber activity. The advisory confirmed what tactics are being leveraged in this advanced persistent threat (“APT”), and what actions organizations should take to protect themselves. Not coincidentally, three of the four recommended actions (enforce MFA, install patches and security updates, and audit user accounts) are all routine actions we’ve identified so far in this article.
Reviewing these types of security advisories, designing risk mitigation strategies, and overseeing the implementation of the required changes is an ongoing role that requires dedication. If an organization attempts to add these responsibilities to a person who is also responsible for help desk support or some of the other functions we’ve identified in this article, the I.T. and cybersecurity management responsibilities will always be deprioritized. What business owner is going to say “Don’t worry about fixing my computer right now. Go read up on the latest advisory from CISA.”? They won’t. The day-to-day “firefighting” always takes priority.
Therefore, every organization must have 1 person dedicated strictly to I.T. and cybersecurity management. Larger organizations will even split these into two separate roles (the Chief Information Officer and the Chief Information Security Officer).
9. Proactive Monitoring
Businesses that take their internal I.T. operations to the next level of operational maturity will implement proactive monitoring tools that allow them to receive early detection warnings for technology and cybersecurity issues so they can proactively solve problems before they cause an unnecessary impact on operations and productivity. Of course, managing these tools and responding to alerts requires even more manpower. Since most organizations don’t operate at this higher level of maturity, we won’t factor those additional time requirements into the calculations.
Required Staff Calculation
Now, let’s take all the information presented above and compile it into a formula to help determine how many staff are required for internal I.T. and cybersecurity operations. In this example for XYZ Company, the organization has 50 total employees, and every employee only has 1 computer.
Help Desk: 1 I.T. per 25 employees (40 hours per week per 25 employees) = 80 hours per week required
Patch Management: 20 minutes per computer = 16.67 hours per week required
System Cleanups: 15 minutes per computer = 12.5 hours per week required
Endpoint Security Audits: 20 minutes per computer = 16.67 hours per week required
Cybersecurity Configuration Audits: 20 minutes per computer (per month) = 3.85 hours per week required
Other Cybersecurity Audits: 7.75 hours per month = 1.79 hours per week required
Backup Testing and Audits: 3.5 hours per month = 0.81 hours per week required
I.T. and Cybersecurity Management: 1 I.T. person per organization = 40 hours per week required
Total Required Hours: 172.29
Total Required Full-Time I.T. Staff: 4.3
So, an organization with 50 employees will need 4 full-time plus 1 part-time I.T. staff in order to keep up with the responsibilities necessary to manage the organization’s I.T. and cybersecurity. What if your business only has 20 employees, though? Surely, you’d only need one I.T. person, right?
Help Desk: 1 I.T. per 25 employees (40 hours per week per 25 employees) = 32 hours per week required
Patch Management: 20 minutes per computer = 6.67 hours per week required
System Cleanups: 15 minutes per computer = 5 hours per week required
Endpoint Security Audits: 20 minutes per computer = 6.67 hours per week required
Cybersecurity Configuration Audits: 20 minutes per computer (per month) = 1.54 hours per week required
Other Cybersecurity Audits: 7.75 hours per month = 1.79 hours per week required
Backup Testing and Audits: 3.5 hours per month = 0.81 hours per week required
I.T. and Cybersecurity Management: 1 I.T. person per organization = 40 hours per week required
Total Required Hours: 94.48
Total Required Full-Time I.T. Staff: 2.3
Even with only 20 employees, the business still needs 2 full-time plus 1 part-time I.T. staff.
Summary
Unfortunately, many businesses significantly underestimate how much time is involved in properly managing today’s technology and cybersecurity. One common reason for this underestimation is that business owners completely forget about all the time involved in routinely auditing and maintaining an organization’s cybersecurity. If you just think that your in-house I.T. operations are a help desk team, then having only 1 full-time I.T. person for a 20-employee business is appropriate. But that 1 person will not have the time bandwidth to manage the technology, audit and maintain proper cybersecurity, or even help the business plan for technology changes. Their entire day will be consumed by just keeping up with typical technical support needs. And if they don’t have the capacity to manage the technology, then that responsibility must fall on the shoulders of the company’s leadership. Will your business leaders dedicate the time to learning I.T. and cybersecurity, as well as remain up to date with everything that’s changing in the industry day-to-day? Not likely.
These numbers we have presented aren’t just arbitrary calculations either. In a recent blog post where we discussed new requirements for cyber liability insurance, we introduced the required ratio of 1 dedicated full-time I.T. person for every 10 employees. This is because cyber liability insurance providers do understand how much time is required to properly maintain a business’s I.T. and cybersecurity. They know this through extensive assessments of claims where businesses have fallen victim to costly cyber-attacks.
Conclusion
Does it make sense for businesses to staff their I.T. and cybersecurity operations entirely in-house? In most cases, no. Only once a business scales to over 500 employees will it see any potential cost benefit to staffing completely in-house. For most businesses, it makes most financial sense to either outsource their I.T. and cybersecurity completely or at the very least split the responsibilities in a co-managed I.T. partnership with a mature managed security services provider (“MSSP”), such as Digital Boardwalk.