How do you determine the number of Cyber Security persons an organization needs? What is the connection between the number of employees and the number of security systems?
Tough question. I would approach the number needed based on how many security-related systems and tasks need to be managed on a daily/weekly/monthly/annual basis.
It purely depends on a case-by-case basis, on the nature of the organization and the category of business in which it operates. E.g., you will see more cyber-security-skilled staff needed in the BFSI segment versus other segments, including manufacturing, retail and ecommerce, which are not highly regulated; in the finance segment there are a lot of stringent regulations and compliance guidelines in terms of implementation of security controls, tools and technologies, and regular reviews need to be conducted by the security team, hence you will require more resources specialised in security technology in order to ensure the organisation meets those requirements. It also depends on the complexity of the organization's network: the more complex the technology, especially the infrastructure and hybrid setups including multi-cloud, and if there is a huge information asset count and a large employee base, the more security tools are needed to safeguard the data, and hence you require a good number of people in the security team to manage those security systems. Normally the connection is between the staff of the security team and the security technology rather than the normal employees in the organization, as most of the implementation is common across the organization.
There is no easy answer to this. It depends on your organisation and the way you handle security. My view has always been that security is EVERYONE'S responsibility and not just the IT Department's or the security guards' at the door. To this end, my IT Department is continuously informing/training users in cybersecurity etc. We also have some "security champions" in Departments who help us with this. This is embraced by the organisation. These "champions" actually help reduce the number of employees required for "security" because they reduce "security events". You may want to experiment with various options in your organisation and then determine how many staff are needed. However, I would let everyone know that security/cybersecurity is THEIR responsibility, and that they should not do whatever they wish and then phone the IT Department / Service Desk when they do something silly!
As I see others have said, I too don't see a direct link between them. It boils down to time management, and whether the resources you have allocated are able to safely complete all the required tasks asked of them. It then depends what they're being asked to do: if it's managing a portal / service that automates the likes of pen-tests and vulnerability scans and acts on them, then it'll be relatively low, but if you are trying to have a team perform these checks themselves then you adjust to cover for that.
It depends. I would not like to prescribe a formula-based determination of team size (say as a ratio of the number of employees or even offices). Here are a few considerations in the org design:
> 1) Key security objectives for the short and long term of the company. What is the current state of security maturity and where does the org want to go?
For instance, if the short-term objective is to build visibility of the environment and therefore management of exposure, then you may have a focus on the SOC team, and may not focus as much on "risk assessments" as a function. And, more importantly, how does this focus tie in with organizational objectives?
> 2) What will you outsource or keep within the org, or even a hybrid approach? Again taking the SOC example, you may want L1 (eyes on glass) to be an outsourced team that may be able to deliver service at scale, but keep L2/L3 within.
> 3) Contractual and regulatory requirements may drive more work and thus a larger team.
> 4) Capability gaps: what skills the org needs but may not have also plays into outsourcing. Having said that, outsourcing cannot delegate accountability.
> 5) Funding available.
In all of the above, the right scale and fitment is key. There will always be competing needs for funds and org priorities; the CxO layer needs to define and balance those. In the case of cyber, that is the CISO/CIO/Chief Risk Officer.