Build a Service-Based Security Resourcing Plan

Every security program is unique; resourcing allocations should reflect this.

Analyst Perspective

Start by looking inward.

		Organizations have a critical need for skilled cybersecurity resources as the cyberthreat landscape becomes more complex. This has put a strain on many security teams who must continue to meet demand for an increasing number of security services. To deliver services well, we first need to determine what are the organization’s key security requirements. While benchmarks can be useful for quick peer-to-peer comparisons to determine if we are within the average range, they tend to make all security programs seem the same. This can lead to misguided investments in security services and personnel that might be better used elsewhere. Security teams will be most successful when organizations take a personalized approach to security, considering what must be done to lower risk and operate more efficiently and effectively.
Logan Rohde Senior Research Analyst, Security Info-Tech Research Group	Isabelle Hertanto Principal Research Director, Security Info-Tech Research Group

Executive Summary

Info-Tech Insight

Not all security programs need to be the same. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

Your challenge

This research is designed to help organizations who are looking to:

• Determine what and how many resources are needed to support the information security program.
• Identify the organization's key service offerings and the required resourcing to support delivery of such services.
• Estimate current staff utilization and required allocations to satisfy future demand for services.

Every organization is unique and will need different security research allocations aligned with their business needs.

“The number of priorities that CISOs have continues to grow, but if everything is a priority, nothing is. It’s important to focus on the ones that deliver the most value to your organization and that are synchronized with the overall business strategy.”

Paige H. Adams

Global CISO at Zurich

Insurance

Source: Proofpoint, 2021

Common obstacles

These barriers make this challenge difficult to address for many organizations:

• Security leaders sometimes try to cut to the chase and lean on staffing benchmarks to justify their requests for resources. However, while staffing benchmarks are useful for quick peer-to-peer validation and decision making, they tend to reduce security programs down to a set of averages, which can be misleading when used out of context.
• A more effective approach is to determine what security services need to be provided, the level of demand, and what it will take to meet that demand currently and in the coming years.
• With these details available, it becomes much easier to predict what roles need to be hired, what skills need to be developed, and whether outsourcing is an option.

Hiring delays and skills gaps can fuel resourcing challenges

59% of organizations report taking 3-6+ months to fill a vacant cybersecurity position.

Source: ISACA, 2020

30% report IT knowledge as the most prevalent skills gap in today’s cybersecurity professionals.

Source: ISACA, 2020

Info-Tech’s methodology for Building a Service-Based Security Resourcing Plan

Stay on top of resourcing demands with a security service portfolio

Blueprint deliverable

Use this tool to build your security services portfolio, estimate demand and hours needed, and determine FTE requirements.

Key deliverable:

Security Resources Planning Workbook

The Security Resources Planning Workbook will be used to:

• Build a security services portfolio.
• Estimate demand for security services and the efforts to deliver them.
• Determine full-time equivalent (FTE) requirements for each service.

Blueprint benefits

Measure the value of this blueprint

Use these metrics to realize the value of completing this blueprint.

47% of cybersecurity professionals said that stress and burnout has become a major issue due to overwork, with most working over 41 hours a week, and some working up to 90.

Source: Security Boulevard, 2021

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 4 to 6 calls over the course of 2 to 3 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com1-888-670-8889

Phase 1

Determine Security Service Portfolio Offerings

This phase involves the following participants:

• CISO
• Core Security Team
• Business Representative (optional)

Step 1.1

Gather Requirements and Define Roles

Activities

1.1.1 Assess Business Needs and Pressures

1.1.2 Define Security Roles

This step involves the following participants:

• CISO
• Core Security Team
• Business Representative (optional)

Outcomes of this step

• Security program requirements
• Security roles definitions

1.1.1 Assess security needs and pressures

1 hour

1. As a group, brainstorm the security requirements for your organization and any business pressures that exist within your industry (e.g. compliance obligations).

• To get started, consider examples of typical business pressures on the next slides. Determine how your organization must respond to these points (note: this is not an exhaustive list).
• You will likely notice that these requirements have already influenced the direction of your security program and the kinds of services it needs to provide to the business side of the organization.

Typical business pressures examples

The security services you will provide to the organization should be based on its unique business requirements and pressures, which will make certain services more applicable than others. Use this exercise to get an idea of what those business drivers might be.

1.1.2 Define security roles

1-2 hours

1. Using the link below, download the Security Resources Planning Workbook and review the examples provided on the next slide.
2. On tab 1 (Roles), review the example roles and identify which roles you have within your security team.

• If necessary, customize the roles and descriptions to match your security team’s current make up.
• If you have roles within your security team that do not appear in the examples, you can add them to the bottom of the table.

Download the Security Resources Planning Workbook

Calculating FTEs and defining security roles

1. Start by entering the current and planned headcount for each role
2. Then enter number of hours each role works per week
3. Estimate the number of administrative hours (e.g. team meetings, training) per week
4. Enter the average number of weeks per year that each role is available for service delivery
5. The tool uses the data from steps 2-4 to calculate the average number of hours each role has for service delivery per year (FTE)

Info-Tech Insight

Watch out for role creep. It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.

Other considerations

Address your skills gap.

Cybersecurity is a rapidly evolving discipline and security teams from all over are reporting challenges related to training and upskilling needed to keep pace with the developments of the threat landscape.

95% Security leaders who agree the cybersecurity skills gap has not improved over the last few years.*

44% Security leaders who say the skills gap situation has only gotten worse.*

When defining roles, consider the competencies needed to deliver your security services. Use Info-Tech’s blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan to help you determine the required skillsets for each role.

* Source: ISSA, 2021

Info-Tech Insight

As the services in your portfolio mature and become more complex, remember to consider the skills you need and will need to be able to provide that service. Make sure to account for this need in your resource planning and keep in mind that we can only expect so much from one role. Therefore, hiring may be necessary to keep up with the diverse skills your services may require.

Download blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan

Step 1.2

Choose Security Service Offerings

Activities

1.2.1 Define Security Services and Role Assignments

This step involves the following participants:

• CISO
• Core Security Team

Outcomes of this step

• Service portfolio
• Service pipeline status
• Service ownership

1.2.1 Define security services and role assignments

2-4 hours

1. As a group, review the outputs from Step 1.1.1. These requirements will serve as the basis to prioritize the service offerings of your security portfolio.
2. Take these outputs, as well as any additional notes you’ve made, and put them side by side with the example service offerings on tab 3 of the Security Resources Planning Workbook so each service can be considered alongside these requirements (i.e. to determine if that service should be included in the security service portfolio at this time).
3. Using the following slides as a guide, work your way down the list of example services and choose the services for your portfolio. For each service selected, be sure to customize the definition of the service and state its outcome (i.e. what time is spent when providing this service, indicate if it is outsourced, which role is responsible for delivering it, and the service pipeline status (in use, plan to use, plan to retire)).

Download the Security Resources Planning Workbook

Service needs aligned with your control framework

Use Info-Tech's best-of-breed Security Framework to develop a comprehensive baseline set of security service areas.

Prioritize your security services

Example of a custom security services portfolio definition

Security Strategy and Governance Model

• Aligned Business Goals
• Security Program Objectives
• Centralized vs. Decentralized Governance Model

Compliance Obligations

• Penetration testing
• Annual security audits
• Data privacy and protection laws

CISO Accountabilities

• Security Policy
• Risk Management
• Application & Infrastructure Security
• Program Metrics and Reporting

Consider each of the requirement categories developed in Step 1.1.1 against the taxonomy and service domain here. If there is a clear need to add this service, use the drop-down list in the “Include in Catalog” column to indicate “Yes.” Mark un-needed services as “No.”

Assigning roles to services

1. If the service is being outsourced, use the drop-down list to select “Yes.” This will cause the formatting to change in the neighboring cell (Role), as this cell does not need to be completed.
2. For all in-sourced services, indicate the role assigned to perform the service.
3. Indicate the service-pipeline status for each of the services you include. The selection you make will affect the conditional formatting on the next tab, similar to what is described in step 1.

Info-Tech Insight

Make sure your portfolio reflects current state and approved plans. There’s nothing wrong with planning for the future, but we should avoid using the portfolio as a list of goals.

Phase 2

Plan for Mandatory Versus Discretionary Demand

This phase involves the following participants:

• CISO
• Core Security Team

Step 2.1

Assess Demand

Activities

2.1.1 Estimate Current and Future Demand

This step involves the following participants:

• CISO
• Core Security Team

Outcomes of this step

• Service demand estimates
• Total service hours required
• FTEs required per service

2.1.1 Estimate current and future demand

2-4 hours

1. Estimate the number of hours required to complete each of the services in your portfolio and how frequently it is performed. Remember the service-hour estimates should be based on the outcome of the service (see examples on the next slide).

• To do this effectively, think back over the last quarter and count how many times the members of your team performed each service and how many hours it took to complete.
• Then, think back over the last year and consider if the last quarter represents typical demand (i.e. you may notice that certain services have a greater demand at different parts of the year, such as annual audit) and arrive at your best estimate for both service hours and demand.
• See examples on next slide.

Note: For continuous services (i.e. 24/7 security log monitoring), use the length of the work shift for estimating the Hours to Complete and the corresponding number of shifts per year for Mandatory Demand estimates. Example: For an 8-hour shift, there are 3 shifts per day at 365 days/year, resulting in 1,095 total shifts per year.

Download the Security Resources Planning Workbook

Info-Tech Insight

Time estimates will improve over time. It may be difficult to estimate exactly how long it takes to carry out each service at first. But making the effort to time your activities each quarter will help you to improve the accuracy of your estimates incrementally.

Understanding mandatory versus discretionary demand

Every service may have a mix of mandatory and discretionary demands. Understanding and differentiating between these types of demand is critical to developing an efficient resourcing plan.

Mandatory Demand Mandatory demand refers to the amount of work that your team must perform to meet compliance obligations and critical business and risk mitigation requirements. Failure to meet mandatory demand levels will have serious consequences, such as regulatory fines or the introduction of risks that far exceed risk tolerances. This is work you cannot refuse.

Discretionary Demand Discretionary demand refers to the amount of work the security team is asked to perform that goes above and beyond your mandatory demand. Discretionary demand often comes in the form of ad hoc requests from business units or the IT department. Failure to meet discretionary demand levels usually has limited consequences, allowing you more flexibility to decide how much of this type of work you can accept.

Mandatory versus discretionary demand examples

Example of service demand estimations

1. For each service, describe the specific outcome or deliverable that the service produces. Modify the example deliverables as required.
2. Enter the number of hours required to produce one instance of the service deliverable. For example, if the deliverable for your security training service is an awareness campaign, it may require 40 person hours to develop and deliver.
3. Enter the number of mandatory and discretionary demands expected for each service within a given year. For instance, if you are delivering quarterly security awareness campaigns, enter 4 as the demand.

Phase 3

Build Your Resourcing Plan

This phase involves the following participants:

• CISO
• Security Manager

Step 3.1

Determine Resourcing Status

Activities

3.1.1 Review Demand Summary

3.1.2 Fill Resource Gaps

This step involves the following participants:

• CISO
• Security Manager

Outcomes of this step

• The number of FTEs required to meet demand
• Resourcing gaps

3.1.1 Review demand summary

1-2 hours

1. On tab 5 of the Security Resourcing Planning Tool (Demand Summary), review the results. This tab will show you if you have enough FTE hours per role to meet the demand level for each service.

• Green indicates that there is a surplus of FTEs and the number displayed shows how many extra FTEs there are.
• Yellow text that you have adequate FTEs to meet all of your mandatory demand but may not have enough to meet all of your discretionary demand.
• Red text indicates that there are too few FTEs available, and the number displayed shows how many additional FTEs you will require.

Download the Security Resources Planning Workbook

Info-Tech Insight

Start recruiting well in advance of need. Security talent can be difficult to come by, so make sure to begin your search for a new hire three to six months before your demand estimates indicate the need will arise.

Example of demand planning summary (1/2)

Example of demand planning summary (2/2)

3.1.2 Fill resource gaps

2-4 hours

1. Now that you have a resourcing model for your security services, you will need to plan to close the gaps between available FTEs and required service hours. For each role that has been under/over committed to service delivery, review the services assignments on tab 3 and determine the viability of the following gap closure actions:
1. Reassign service responsibility to another role with fewer commitments
2. Create efficiencies to reduce required hours
3. Hire to meet the service demand
4. Outsource the service
2. Your resourcing shortages may not all be apparent at once. Therefore, build a roadmap to determine which needs must be addressed immediately and which can be scheduled for years two and three.

Consider outsourcing

Outsourcing provides access to tools and talent that would otherwise be prohibitively expensive. Typical reasons for outsourcing security operations include:

• Difficulty finding or retaining security staff with advanced and often highly specialized skillsets.
• The desire to transfer liability for high-risk operational activities such as 24/7 security monitoring.
• Workforce scalability to accommodate irregular or infrequent events such as incident response and incident-related forensic investigations.

Given the above, three different models have emerged for the operational security organization:

Once you have determined that further outsourcing is needed, go back and adjust the status in your service portfolio. Use Info-Tech's blueprint Develop Your Security Outsourcing Strategy to determine the right approach for your business needs.

“The workforce of the future needs to be agile and adaptable, enabled by strong partnerships with third-party providers of managed security services. I believe these hybrid models really are the security workforce of the future.”

– Senior Manager, Cybersecurity at EY

Download blueprint Develop Your Security Outsourcing Strategy

Info-Tech Insight

Choose the right model for your organization’s size, risk tolerance, and process maturity level. For example, it might make more sense for larger enterprises with low risk tolerance to grow their internal teams and build in-house capability.

Create efficiencies

Resourcing challenges are often addressed more directly by increased spending. However, for a lot of organizations, this just isn’t possible. While there is no magic solution to resolve resource constraints and small budgets, the following tactics should be considered as a means to reduce the hours required for the services your team provides.

Info-Tech Insight

Every minute counts. While using these strategies may not solve every resourcing crunch you have, they can help put you in the best position possible to deliver on your commitments for each service.

Plan for employee turnover

Cybersecurity skills are in high demand; practitioners are few. The reality is that experienced security personnel have a lot of opportunities. While we cannot control for the personal reasons employees leave jobs, we can address the professional reasons that cause them to leave.

Use Info-Tech’s blueprint Build a Strategic IT Workforce Plan to help staff your security organization for success.

Download blueprint Build a Strategic IT Workforce Plan

Summary of Accomplishment

Problem Solved

You have now successfully identified your business and security drivers, determined what services your security program will provide, and determined your resourcing plan to meet these demands over the next three years.

As needs change at your organization, don’t forget to re-evaluate the decisions you’ve made. Don’t forget that outsourcing a service may be the most reliable way to provide and resource it. However, this is just one tool among many that should be considered, along with upskilling, process improvement/familiarity, and process automation.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Research Contributors and Experts

	George Al-Koura CISO Ruby Life		Brian Barniner Head of Decision Science and Analytics ValueBridge Advisors
	Tracy Dallaire CISO / Director of Information Security McMaster University		Ricardo Johnson Chief Information Security Officer Citrix

Research Contributors and Experts

Ryan Rodriguez Senior Manager, Cyber Threat Management EY

Paul Townley VP Information Security and Personal Technology Owens Corning

13 Anonymous Contributors

Related Info-Tech Research

Cost-Optimize Your Security Budget

Develop Your Security Outsourcing Strategy

Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan

Bibliography

2021 Voice of the CISO Report.” Proofpoint, 2021. Web.

“2022 Voice of the CISO.” Proofpoint, 2022. Web.

Brook, Chris. “How to Find and Retain Skilled Cybersecurity Talent.” DigitalGuardian, 17 Sep. 2020. Web.

“Canadian Cybersecurity Skills Framework” TECHNATION Canada, April 2020. Web.

“Cybersecurity Skills Crisis Continues for Fifth Year, Perpetuated by Lack of Business Investment.” ISSA, 28 July 2021. Web.

“Cybersecurity Workforce, National Occupational Standard.” TECHNATION Canada, April 2020. Web.

Naden, Clare. “The Cybersecurity Skills Gap: Why Education Is Our Best Weapon against Cybercrime.” ISO, 15 April 2021. Web.

Purse, Randy. “Four Challenges in Finding Cybersecurity Talent And What Companies Can Do About It.” TECHNATION Canada, 29 March 2021. Web.

Social-Engineer. “Burnout in the Cybersecurity Community.” Security Boulevard, 8 Dec. 2021. Web.

“State of Cybersecurity 2020.” ISACA, 2020. Web.