Are there best practices or staffing models available to assist with setting up a team specific to the management, tracking, compliance and reporting of identified risks and issues? I.e., what's the right ratio of people to identified issues to properly manage those items to completion?

1.1k views · 2 Comments
CIO in IT Services · 2 years ago

Typically, I'll use a 10-15% ratio against revenue for staffing needs (overall team size). Depending on the size of the company, the number of staff will adjust from this starting point. The CISO also needs to consider the organization's cyber maturity score, the tools that have been implemented, their compliance needs and their incident response rates. There is no hard-and-fast rule here; it's a combination of people, process and technology that lends itself to obtaining the right answer on how to staff.

Chief Information Security Officer in Healthcare and Biotech · 2 years ago

The ratio of people to identified issues depends on the size and complexity of the business, the nature of the industry, and the level of risk appetite. Organizations should try to achieve a balance between the resource requirements to attend to the identified problems in a timely manner and efficiency and cost-effectiveness.
