- IT and security leaders across all industries must determine what and how many resources are needed to support the information security program.
- Estimating current usage and future demand for security resources can be a difficult and time-consuming exercise.
Our Advice
Critical Insight
Not all security programs need to be the same. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.
Impact and Result
- Info-Tech’s approach to resource planning focuses less on benchmarks and more on estimating actual demand for security services to ensure that there are enough resources to deliver them.
- A well-designed security services portfolio is the first step towards determining resourcing needs.
- When planning resource allocations, plan for both mandatory and discretionary demand to optimize utilization.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
- 9.3/10 Overall Impact
- $53,710 Average $ Saved
- 20 Average Days Saved
Client | Experience | Impact | $ Saved | Days Saved | Comment |
---|---|---|---|---|---|
Maxion Wheels | Guided Implementation | 8/10 | N/A | N/A | We are in the middle of working, not finalized. |
GENESIS CANCER CARE UK LIMITED | Guided Implementation | 10/10 | $85,500 | 20 | Excellent experience for Justin to work with Jon on this project, great output too. Thank you. |
Utah Transit Authority | Guided Implementation | 10/10 | $21,920 | 20 | The guidance received from Isabelle Hertanto helped to guide us to see everywhere we were falling short and just how many resources we were short t... |
Build a Service-Based Security Resourcing Plan
Every security program is unique; resourcing allocations should reflect this.
Analyst Perspective
Start by looking inward.
Organizations have a critical need for skilled cybersecurity resources as the cyberthreat landscape becomes more complex. This has put a strain on many security teams, who must continue to meet demand for an increasing number of security services. To deliver services well, we first need to determine what the organization’s key security requirements are. While benchmarks can be useful for quick peer-to-peer comparisons to determine whether we are within the average range, they tend to make all security programs seem the same. This can lead to misguided investments in security services and personnel that might be better used elsewhere. Security teams will be most successful when organizations take a personalized approach to security, considering what must be done to lower risk and operate more efficiently and effectively.
Logan Rohde, Senior Research Analyst, Security, Info-Tech Research Group
Isabelle Hertanto, Principal Research Director, Security, Info-Tech Research Group
Executive Summary
Your Challenge | Common Obstacles | Info-Tech’s Approach
Your challenge
This research is designed to help organizations who are looking to:
- Determine what and how many resources are needed to support the information security program.
- Identify the organization's key service offerings and the required resourcing to support delivery of such services.
- Estimate current staff utilization and required allocations to satisfy future demand for services.
Every organization is unique and will need different security resource allocations aligned with its business needs.
“The number of priorities that CISOs have continues to grow, but if everything is a priority, nothing is. It’s important to focus on the ones that deliver the most value to your organization and that are synchronized with the overall business strategy.”
Paige H. Adams, Global CISO at Zurich Insurance
Source: Proofpoint, 2021
Common obstacles
These barriers make this challenge difficult to address for many organizations:
- Security leaders sometimes try to cut to the chase and lean on staffing benchmarks to justify their requests for resources. However, while staffing benchmarks are useful for quick peer-to-peer validation and decision making, they tend to reduce security programs down to a set of averages, which can be misleading when used out of context.
- A more effective approach is to determine what security services need to be provided, the level of demand, and what it will take to meet that demand currently and in the coming years.
- With these details available, it becomes much easier to predict what roles need to be hired, what skills need to be developed, and whether outsourcing is an option.
Hiring delays and skills gaps can fuel resourcing challenges
59% of organizations report taking 3-6+ months to fill a vacant cybersecurity position.
Source: ISACA, 2020
30% report IT knowledge as the most prevalent skills gap in today’s cybersecurity professionals.
Source: ISACA, 2020
Info-Tech’s methodology for Building a Service-Based Security Resourcing Plan
| 1. Determine Security Service Portfolio Offerings | 2. Plan for Mandatory Versus Discretionary Demand | 3. Define Your Resourcing Model |
---|---|---|---|
Phase Steps | 1.1 Gather Requirements and Define Roles; 1.2 Choose Security Service Offerings | 2.1 Assess Demand | 3.1 Review Demand Summary; 3.2 Develop an Action Plan |
Phase Outcomes | Security requirements; Security service portfolio | Service demand estimates; Service hour estimates | Three-year resourcing plan |
Stay on top of resourcing demands with a security service portfolio
Security programs should be designed to address unique business needs. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.
- Watch out for role creep. It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.
- Time estimates will improve with practice. It may be difficult to estimate exactly how long it takes to carry out each service at first. But making the effort to time your activities each quarter will help you to improve the accuracy of your estimates incrementally.
- Start recruiting well in advance of need. Security talent can be difficult to come by, so make sure to begin your search for a new hire three to six months before your demand estimates indicate the need will arise.
- People and skills are both important. As the services in your portfolio mature and become more complex, remember to consider the skills you will need to be able to provide that service. Make sure to account for this need in your resource planning and keep in mind that we can only expect so much from one role. Therefore, hiring may be necessary to keep up with the diverse skills your services may require.
- Make sure your portfolio reflects reality. There’s nothing wrong with planning for future state, but we should avoid using the portfolio as a list of goals.
Blueprint deliverable
Use this tool to build your security services portfolio, estimate demand and hours needed, and determine FTE requirements.
Key deliverable:
Security Resources Planning Workbook
The Security Resources Planning Workbook will be used to:
- Build a security services portfolio.
- Estimate demand for security services and the efforts to deliver them.
- Determine full-time equivalent (FTE) requirements for each service.
Blueprint benefits
IT Benefits | Business Benefits
Measure the value of this blueprint
Use these metrics to realize the value of completing this blueprint.
Metric | Expected Improvement |
---|---|
Level of business satisfaction with IT security | You can expect to see a 20% improvement in your IT Security Business Satisfaction Diagnostic. |
Reports on key performance indicators and service level objectives | Expect to see a 40% improvement in security service-related key performance indicators and service level objectives. |
Employee engagement scores | You can expect to see approximately a 10% improvement in employee engagement scores. |
Changes in rates of voluntary turnover | Anticipating demand and planning resources accordingly will help lower employee turnover rates due to burnout or stress leave by as much as 10%. |
47% of cybersecurity professionals said that stress and burnout have become a major issue due to overwork, with most working over 41 hours a week, and some working up to 90.
Source: Security Boulevard, 2021
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit | Guided Implementation | Workshop | Consulting |
---|---|---|---|
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” | “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” | “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” | “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” |
Diagnostics and consistent frameworks used throughout all four options
Guided Implementation
What does a typical GI on this topic look like?
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
Call #1: Scope requirements, objectives, and your specific drivers. | Call #2: Discuss roles and duties. Call #3: Build service portfolio and assign ownership. | Call #4: Estimate required service hours. Call #5: Review service demand and plan for future state. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 4 to 6 calls over the course of 2 to 3 months.
Workshop Overview
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
| Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
---|---|---|---|---|---|
| Define Roles and Select Services | Estimate Current and Future Demand | Identify Required Skills | Future Planning | Next Steps and |
Activities | 1.1 Assess Security Needs and Business Pressures. 1.2 Define Security Job Roles. 1.3 Define Security Services and Assign Ownership. | 2.1 Estimate Current and Future Demand. 2.2 Review Demand Summary. 2.3 Allocate Resources Where They Are Needed the Most. | 3.1 Identify Skills Needed for Planned Initiatives. 3.2 Prioritize Your Skill Requirements. 3.3 Assign Work Roles to the Needs of Your Target Environment. 3.4 Discuss the NICE Cybersecurity Workforce Framework. 3.5 Develop Technical Skill Requirements for Current and Future Work Roles. | 4.1 Continue Developing Technical Skill Requirements for Current and Future Work Roles. 4.2 Conduct Current Workforce Skills Assessment. 4.3 Develop a Plan to Acquire Skills. 4.4 Discuss Training and Certification Opportunities for Staff. 4.5 Discuss Next Steps for Closing the Skills Gap. 4.6 Debrief. | 5.1 Complete In-Progress Deliverables From Previous Four Days. 5.2 Set Up Review Time for Workshop Deliverables and to Discuss Next Steps. |
Deliverables | | | | | |
Phase 1
Determine Security Service Portfolio Offerings
Phase 1 | Phase 2 | Phase 3 |
---|---|---|
1.1 Gather Requirements and Define Roles 1.2 Choose Security Service Offerings | 2.1 Assess Demand | 3.1 Determine Resourcing Status |
This phase involves the following participants:
- CISO
- Core Security Team
- Business Representative (optional)
Step 1.1
Gather Requirements and Define Roles
Activities
1.1.1 Assess Business Needs and Pressures
1.1.2 Define Security Roles
This step involves the following participants:
- CISO
- Core Security Team
- Business Representative (optional)
Outcomes of this step
- Security program requirements
- Security roles definitions
1.1.1 Assess security needs and pressures
1 hour
- As a group, brainstorm the security requirements for your organization and any business pressures that exist within your industry (e.g. compliance obligations).
- To get started, consider examples of typical business pressures on the next slides. Determine how your organization must respond to these points (note: this is not an exhaustive list).
- You will likely notice that these requirements have already influenced the direction of your security program and the kinds of services it needs to provide to the business side of the organization.
- There may be some that have not been well addressed by current service offerings (e.g. current service maturity, under/over definition of a service). Be sure to make a note of these areas and what the current challenge is and use these details in Step 1.2.
- Document the results for future use in Step 1.2.1.
Input | Output
Materials | Participants
Typical business pressures examples
The security services you will provide to the organization should be based on its unique business requirements and pressures, which will make certain services more applicable than others. Use this exercise to get an idea of what those business drivers might be.
1.1.2 Define security roles
1-2 hours
- Using the link below, download the Security Resources Planning Workbook and review the examples provided on the next slide.
- On tab 1 (Roles), review the example roles and identify which roles you have within your security team.
- If necessary, customize the roles and descriptions to match your security team’s current makeup.
- If you have roles within your security team that do not appear in the examples, you can add them to the bottom of the table.
- For each role, use columns D-F to indicate how many people (headcount) you have, or plan to have, in that role.
- Use columns H-J to indicate how many hours per year each role has available to deliver the services within your service catalog.
Input | Output
Materials | Participants
Download the Security Resources Planning Workbook
Calculating FTEs and defining security roles
1. Start by entering the current and planned headcount for each role.
2. Then enter the number of hours each role works per week.
3. Estimate the number of administrative hours (e.g. team meetings, training) per week.
4. Enter the average number of weeks per year that each role is available for service delivery.
5. The tool uses the data from steps 2-4 to calculate the average number of hours each role has for service delivery per year (FTE).