How do you determine the number of Cyber Security persons an organization needs? What is the connection between the number of employees and the number of security systems?


VP of IT in Education, 501 - 1,000 employees
That’s a really tough question. I think the number of systems or log sources would be a better metric. If I had to pick a number I would probably say 1 for every 250 employees. But that also assumes you are using an EDR or XDR service to assist and probably outsource penetration testing, vulnerability management, and security/systems audits. If you’re developing external applications then I would at least double the number of security personnel.
VP of IT in Software, 5,001 - 10,000 employees
I have not really thought of this in terms of cyber security people to employees. I think of it in terms of security personnel to the number of applications that need to be supported and the complexity of those applications.
Director of Network Transformation, Self-employed
I think it "depends"... What vertical are you in? Are you subject to SOX, PCI, the new SEC rules and so on? Are you regulated? Do you have a significant number of 3rd-party requirements? This is a difficult question to answer.
C-PIO in Software, 10,001+ employees
I don’t think you can really pin a number on it. Factors you have to consider are age of systems, legacy systems, number of users, both internal and external. You have to do an assessment as to what you need, and I know you’re looking for a number here, but I find it’s far too difficult to give a hard number. The skill set of those security specialists is critical to solving your problem. An individual with the prescribed knowledge can handle a large volume of work, whereas a poorly equipped or junior security specialist will struggle. This is also scalable in that you may need to throw more resources at the issue up front and then taper back once under control. Starting with contractors and then migrating to in-house is the best I can suggest.
Senior Director of Engineering in Software, 501 - 1,000 employees
I don't see an obvious correlation between them.

I think it depends on the size of your engineering team and the roadmap that you might have (e.g. DevX, SOC2).

I would start with a lower number, say 3, understand the capacity and then fine tune it to one's needs.
SVP - Software Engineering in Finance (non-banking), 201 - 500 employees
As others have said, there isn’t a one-size-fits-all answer to determine the number of cybersecurity personnel an organization needs. Some factors to consider are size and complexity of the org, industry, risk assessment, budget, tech stack, security maturity, openness to outsourcing, and training/skill of staff.

In general, you should have at least one strong security leader (e.g. CISO) who can both lead the strategy and approach and be able to delegate and staff up in areas where he/she needs additional support. Fundamentally, finding the right “who” first is critical, as they can help determine the “how”, which includes answering “how many.”
VP in Software, 10,001+ employees
It's a planning exercise. First there needs to be a study of the current security posture of the organization, the nature of the business and the areas of vulnerability that cybersecurity needs to cover. Present and future growth of the business are considered. The regulatory bodies and compliance requirements are considered. Scenario-based studies to mitigate risks are carried out; basically, follow zero trust planning. Build practices and teams, sizing them to the effort required for different activities. This also considers automation that can help. Accordingly, the team sizes are mapped to the cybersecurity programs.
Director of IT in Manufacturing, 5,001 - 10,000 employees
We have security tools to help our personnel handle cyber security. We only have one person; his daily job is only monitoring security and reporting to management.
Chief Technology Officer in Software, 51 - 200 employees
We generally hire one cyber security person per 75 endpoints exposed outside the network. So overall, 1 cyber sec person per 4 teams which expose endpoints outside the org.
Manager in Construction, 51 - 200 employees
As I see others have said, I too don't see a direct link between them for this. It boils down to time management, and whether the resources you have allocated are able to safely complete all the required tasks asked of them. It then depends what they're being asked to do: if it's managing a portal/service that automates the likes of pen tests and vulnerability scans and acts on them, then it'll be relatively low, but if you are trying to have a team perform these checks themselves then you adjust to cover for that.
