Not all security programs need to be the same. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This storyboard will help you to determine your security resourcing needs using a service-based approach.
Use this tool to build your security service portfolio and to determine resourcing needs to meet your service demand.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Identify the roles needed to implement and deliver your organization’s security services.
A security services portfolio allows you to assign job roles to each service, which is the first step towards determining resourcing needs. Improve employee engagement and satisfaction with clearly defined job roles, responsibilities, and service levels.
1.1 Assess security needs and business pressures.
1.2 Define security job roles.
1.3 Define security services and assign ownership.
Security Roles Definition
Security Services Portfolio
Estimate the actual demand for security resources and determine how to allocate resources accordingly.
Allocate resources more effectively across your Security and Risk teams.
Raise the profile of your security team by aligning security service offerings with the demands of the business.
2.1 Estimate current and future demand.
2.2 Review demand summary.
2.3 Allocate resources where they are needed the most.
Demand Estimates
Resourcing Plan
When defining roles, consider the competencies needed to deliver your security services. Make sure to account for this need in your resource planning.
Leverage the NCWF to establish the building blocks of a capable and ready cybersecurity workforce to effectively identify, recruit, develop and maintain cybersecurity talent.
3.1 Identify skills needed for planned initiatives.
3.2 Prioritize your skill requirements.
3.3 Assign work roles to the needs of your target environment.
3.4 Discuss the NICE cybersecurity workforce framework.
3.5 Develop technical skill requirements for current and future work roles.
Prioritized Skill Requirements and Associated Roles
Create a development plan to train and upskill your employees to address current and future service requirements.
Skill needs are based on the strategic requirements of a business-aligned security program.
4.1 Continue developing technical skill requirements for current and future work roles.
4.2 Conduct current workforce skills assessment.
4.3 Develop a plan to acquire skills.
4.4 Discuss training and certification opportunities for staff.
4.5 Discuss next steps for closing the skills gap.
4.6 Debrief.
Role-Based Skills Gaps
Workforce Development Plan
Organizations have a critical need for skilled cybersecurity resources as the cyberthreat landscape becomes more complex. This has put a strain on many security teams, which must continue to meet demand for an increasing number of security services. To deliver services well, we first need to determine what the organization’s key security requirements are. While benchmarks can be useful for quick peer-to-peer comparisons to determine if we are within the average range, they tend to make all security programs seem the same. This can lead to misguided investments in security services and personnel that might be better used elsewhere. Security teams will be most successful when organizations take a personalized approach to security, considering what must be done to lower risk and operate more efficiently and effectively.

Logan Rohde, Senior Research Analyst, Security, Info-Tech Research Group
Isabelle Hertanto, Principal Research Director, Security, Info-Tech Research Group

Your Challenge | Common Obstacles | Info-Tech’s Approach
Every organization is unique and will need a different security resource allocation, aligned with its business needs.
“The number of priorities that CISOs have continues to grow, but if everything is a priority, nothing is. It’s important to focus on the ones that deliver the most value to your organization and that are synchronized with the overall business strategy.”
– Paige H. Adams, Global CISO at Zurich Insurance
59% of organizations report taking 3-6+ months to fill a vacant cybersecurity position.
30% report IT knowledge as the most prevalent skills gap in today’s cybersecurity professionals.
| | 1. Determine Security Service Portfolio Offerings | 2. Plan for Mandatory Versus Discretionary Demand | 3. Define Your Resourcing Model |
|---|---|---|---|
| Phase Steps | 1.1 Gather Requirements and Define Roles; 1.2 Choose Security Service Offerings | 2.1 Assess Demand | 3.1 Review Demand Summary; 3.2 Develop an Action Plan |
| Phase Outcomes | Security requirements; Security service portfolio | Service demand estimates; Service hour estimates | Three-year resourcing plan |
Security programs should be designed to address unique business needs. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

Watch out for role creep. It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.

Time estimates will improve with practice. It may be difficult to estimate exactly how long it takes to carry out each service at first. But making the effort to time your activities each quarter will help you to improve the accuracy of your estimates incrementally.

Start recruiting well in advance of need. Security talent can be difficult to come by, so make sure to begin your search for a new hire three to six months before your demand estimates indicate the need will arise.

People and skills are both important. As the services in your portfolio mature and become more complex, remember to consider the skills you will need to be able to provide that service. Make sure to account for this need in your resource planning and keep in mind that we can only expect so much from one role. Therefore, hiring may be necessary to keep up with the diverse skills your services may require.

Make sure your portfolio reflects reality. There’s nothing wrong with planning for future state, but we should avoid using the portfolio as a list of goals.
Use this tool to build your security services portfolio, estimate demand and hours needed, and determine FTE requirements.
Security Resources Planning Workbook
The Security Resources Planning Workbook will be used to:
IT Benefits | Business Benefits

| Metric | Expected Improvement |
|---|---|
| Level of business satisfaction with IT security | You can expect to see a 20% improvement in your IT Security Business Satisfaction Diagnostic. |
| Reports on key performance indicators and service level objectives | Expect to see a 40% improvement in security service-related key performance indicators and service level objectives. |
| Employee engagement scores | You can expect to see approximately a 10% improvement in employee engagement scores. |
| Changes in rates of voluntary turnover | Anticipating demand and planning resources accordingly will help lower employee turnover rates due to burnout or stress leave by as much as 10%. |
47% of cybersecurity professionals said that stress and burnout has become a major issue due to overwork, with most working over 41 hours a week, and some working up to 90.
| DIY Toolkit | Guided Implementation | Workshop | Consulting |
|---|---|---|---|
| “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” | “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” | “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” | “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” |
| Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
| Call #1: Scope requirements, objectives, and your specific drivers. | Call #2: Discuss roles and duties. Call #3: Build service portfolio and assign ownership. | Call #4: Estimate required service hours. Call #5: Review service demand and plan for future state. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 4 to 6 calls over the course of 2 to 3 months.
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| | Define Roles and Select Services | Estimate Current and Future Demand | Identify Required Skills | Future Planning | Next Steps and |
| Activities | 1.1 Assess Security Needs and Business Pressures. 1.2 Define Security Job Roles. 1.3 Define Security Services and Assign Ownership. | 2.1 Estimate Current and Future Demand. 2.2 Review Demand Summary. 2.3 Allocate Resources Where They Are Needed the Most. | 3.1 Identify Skills Needed for Planned Initiatives. 3.2 Prioritize Your Skill Requirements. 3.3 Assign Work Roles to the Needs of Your Target Environment. 3.4 Discuss the NICE Cybersecurity Workforce Framework. 3.5 Develop Technical Skill Requirements for Current and Future Work Roles. | 4.1 Continue Developing Technical Skill Requirements for Current and Future Work Roles. 4.2 Conduct Current Workforce Skills Assessment. 4.3 Develop a Plan to Acquire Skills. 4.4 Discuss Training and Certification Opportunities for Staff. 4.5 Discuss Next Steps for Closing the Skills Gap. 4.6 Debrief. | 5.1 Complete In-Progress Deliverables From Previous Four Days. 5.2 Set Up Review Time for Workshop Deliverables and to Discuss Next Steps. |
| Deliverables | Security Roles Definition; Security Services Portfolio | Demand Estimates; Resourcing Plan | Prioritized Skill Requirements and Associated Roles | Role-Based Skills Gaps; Workforce Development Plan | |
| Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
| 1.1 Gather Requirements and Define Roles; 1.2 Choose Security Service Offerings | 2.1 Assess Demand | 3.1 Determine Resourcing Status |
Activities
1.1.1 Assess Business Needs and Pressures (1 hour)
The security services you will provide to the organization should be based on its unique business requirements and pressures, which will make certain services more applicable than others. Use this exercise to get an idea of what those business drivers might be.
1.1.2 Define Security Roles (1-2 hours)
Download the Security Resources Planning Workbook
Watch out for role creep. It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.
Cybersecurity is a rapidly evolving discipline and security teams from all over are reporting challenges related to training and upskilling needed to keep pace with the developments of the threat landscape.
95% Security leaders who agree the cybersecurity skills gap has not improved over the last few years.*
44% Security leaders who say the skills gap situation has only gotten worse.*
When defining roles, consider the competencies needed to deliver your security services. Use Info-Tech’s blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan to help you determine the required skillsets for each role.
As the services in your portfolio mature and become more complex, remember to consider the skills you need and will need to be able to provide that service. Make sure to account for this need in your resource planning and keep in mind that we can only expect so much from one role. Therefore, hiring may be necessary to keep up with the diverse skills your services may require.
Download blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan
Activities
1.2.1 Define Security Services and Role Assignments (2-4 hours)
Download the Security Resources Planning Workbook
Use Info-Tech's best-of-breed Security Framework to develop a comprehensive baseline set of security service areas.
Security Strategy and Governance Model
Compliance Obligations
CISO Accountabilities
Consider each of the requirement categories developed in Step 1.1.1 against the taxonomy and service domain here. If there is a clear need to add this service, use the drop-down list in the “Include in Catalog” column to indicate “Yes.” Mark un-needed services as “No.”
Make sure your portfolio reflects current state and approved plans. There’s nothing wrong with planning for the future, but we should avoid using the portfolio as a list of goals.
Phase 2: 2.1 Assess Demand
Activities
2.1.1 Estimate Current and Future Demand (2-4 hours)
Note: For continuous services (e.g. 24/7 security log monitoring), use the length of the work shift as the Hours to Complete and the corresponding number of shifts per year as the Mandatory Demand estimate. Example: For an 8-hour shift, there are 3 shifts per day at 365 days per year, resulting in 1,095 shifts per year.
Download the Security Resources Planning Workbook
Time estimates will improve over time. It may be difficult to estimate exactly how long it takes to carry out each service at first. But making the effort to time your activities each quarter will help you to improve the accuracy of your estimates incrementally.
Every service may have a mix of mandatory and discretionary demands. Understanding and differentiating between these types of demand is critical to developing an efficient resourcing plan.
Mandatory Demand: Mandatory demand refers to the amount of work that your team must perform to meet compliance obligations and critical business and risk mitigation requirements. Failure to meet mandatory demand levels will have serious consequences, such as regulatory fines or the introduction of risks that far exceed risk tolerances. This is work you cannot refuse.

Discretionary Demand: Discretionary demand refers to the amount of work the security team is asked to perform that goes above and beyond your mandatory demand. Discretionary demand often comes in the form of ad hoc requests from business units or the IT department. Failure to meet discretionary demand levels usually has limited consequences, allowing you more flexibility to decide how much of this type of work you can accept.

| Service Name | Mandatory Demand Example | Discretionary Demand Example |
|---|---|---|
| Penetration Testing | PCI compliance requires penetration testing against all systems within the cardholder data environment annually (currently 2 systems per year). | Business units request ad hoc penetration testing against non-payment systems (expected 2-3 systems per year). |
| Vendor Risk Assessments | GDPR compliance requires vendor security assessments against all third parties that process personal information on our behalf (expected 1-2 per quarter). | IT department has requested that the security team conduct vendor security assessments for all cloud services, regardless of whether they store personal information (expected 2-3 assessments per quarter). |
| e-Discovery and Evidence Handling | There is no mandatory demand for this service. | The legal department occasionally asks the security team to assist with e-Discovery requests (expected demand 1-2 investigations per quarter). |
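The demand-to-FTE arithmetic behind Phase 2 (hours to complete × instances per year, summed per owning role, with continuous services counted in shifts as in the 2.1.1 note) is shown below as an added example. This is illustrative code, not the Security Resources Planning Workbook or any Info-Tech tool; the portfolio figures, the headcount, and the 1,800 productive hours per FTE are constructed assumptions, and the role-creep check is a simple utilisation ratio added here.

```python
"""Worked example: estimate annual service hours and FTE per role from a
service portfolio with mandatory and discretionary demand.

Added example, not the workbook's own logic. All figures are constructed.
"""
from dataclasses import dataclass
from math import ceil
from typing import Dict, Iterable, Tuple

# Assumption: productive hours one FTE delivers per year after leave,
# training and administrative overhead are removed.
PRODUCTIVE_HOURS_PER_FTE = 1_800


@dataclass(frozen=True)
class Service:
    name: str
    role: str                        # owning role from the service portfolio
    hours_to_complete: float         # hours per instance (per shift if continuous)
    mandatory_per_year: int          # instances/year the team cannot refuse
    discretionary_per_year: int = 0  # ad hoc instances/year the team may decline
    continuous: bool = False         # 24/7 service: one instance = one shift


def shifts_per_year(shift_hours: int, days_per_year: int = 365) -> int:
    """Mandatory demand for a continuous service, counted in shifts.

    An 8-hour shift gives 3 shifts/day x 365 days = 1,095 shifts per year,
    matching the note for 24/7 log monitoring.
    """
    if shift_hours <= 0 or 24 % shift_hours:
        raise ValueError("shift length must divide a 24-hour day")
    return (24 // shift_hours) * days_per_year


def continuous_service(name: str, role: str, shift_hours: int = 8) -> Service:
    """Model a 24/7 service: hours to complete = shift length, demand = shifts/year."""
    return Service(name, role, shift_hours, shifts_per_year(shift_hours), 0, True)


def hours_by_role(services: Iterable[Service],
                  include_discretionary: bool = True) -> Dict[str, float]:
    """Sum annual service hours per owning role (optionally mandatory only)."""
    totals: Dict[str, float] = {}
    for s in services:
        instances = s.mandatory_per_year
        if include_discretionary:
            instances += s.discretionary_per_year
        totals[s.role] = totals.get(s.role, 0.0) + instances * s.hours_to_complete
    return totals


def fte_plan(services: Iterable[Service], headcount: Dict[str, int],
             include_discretionary: bool = True) -> Dict[str, Tuple[float, int, int]]:
    """Return {role: (hours, fte_required, fte_gap)}.

    A positive gap is the hiring/outsourcing need for that role; a negative
    gap is spare capacity that could absorb more discretionary work.
    """
    plan: Dict[str, Tuple[float, int, int]] = {}
    for role, hours in hours_by_role(services, include_discretionary).items():
        required = ceil(hours / PRODUCTIVE_HOURS_PER_FTE)
        plan[role] = (hours, required, required - headcount.get(role, 0))
    return plan


def over_allocated(services: Iterable[Service],
                   headcount: Dict[str, int]) -> Dict[str, float]:
    """Role-creep check: roles whose assigned hours exceed current capacity.

    Returns {role: utilisation}; utilisation > 1.0 means the people in that
    role would run out of time even before any new work is accepted.
    """
    flagged: Dict[str, float] = {}
    for role, hours in hours_by_role(services).items():
        capacity = headcount.get(role, 0) * PRODUCTIVE_HOURS_PER_FTE
        utilisation = hours / capacity if capacity else float("inf")
        if utilisation > 1.0:
            flagged[role] = utilisation
    return flagged


# Constructed sample portfolio, loosely following the demand examples above.
PORTFOLIO = [
    Service("Penetration Testing", "Security Analyst", 40, 2, 3),
    Service("Vendor Risk Assessments", "GRC Analyst", 16, 6, 10),
    Service("e-Discovery and Evidence Handling", "Security Analyst", 12, 0, 6),
    continuous_service("Security Log Monitoring", "SOC Analyst", shift_hours=8),
]
HEADCOUNT = {"Security Analyst": 1, "GRC Analyst": 1, "SOC Analyst": 3}


if __name__ == "__main__":
    for role, (hours, need, gap) in fte_plan(PORTFOLIO, HEADCOUNT).items():
        print(f"{role:18s} {hours:8.0f} h/yr  need {need} FTE  gap {gap:+d}")
    print("over-allocated:", over_allocated(PORTFOLIO, HEADCOUNT))
```

Running the sample shows the 24/7 monitoring service alone needs 8,760 hours (1,095 shifts × 8 h), i.e. five SOC analysts against the three on staff, while the two analyst roles sit well under one FTE each; dropping discretionary work cuts the Security Analyst load from 272 to 80 hours but does nothing for the SOC gap, which is exactly the mandatory-versus-discretionary distinction the planning step is meant to surface.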
Phase 3: 3.1 Determine Resourcing Status
Activities
3.1.1 Review Demand Summary (1-2 hours)
3.1.2 Fill Resource Gaps (2-4 hours)
Download the Security Resources Planning Workbook
Info-Tech Insight
Start recruiting well in advance of need. Security talent can be difficult to come by, so make sure to begin your search for a new hire three to six months before your demand estimates indicate the need will arise.
Outsourcing provides access to tools and talent that would otherwise be prohibitively expensive. Typical reasons for outsourcing security operations include:
Given the above, three different models have emerged for the operational security organization:
1. Outsourced SecOps: A fully outsourced Security Operations Center, managed and governed by a smaller in-house team.
2. Balanced Hybrid: In-house operational security staff with some reliance on managed services.
3. In-House SecOps: A predominantly in-house security team, augmented by a small managed services contract.
Once you have determined that further outsourcing is needed, go back and adjust the status in your service portfolio. Use Info-Tech's blueprint Develop Your Security Outsourcing Strategy to determine the right approach for your business needs.
“The workforce of the future needs to be agile and adaptable, enabled by strong partnerships with third-party providers of managed security services. I believe these hybrid models really are the security workforce of the future.”
– Senior Manager, Cybersecurity at EY
Download blueprint Develop Your Security Outsourcing Strategy
Choose the right model for your organization’s size, risk tolerance, and process maturity level. For example, it might make more sense for larger enterprises with low risk tolerance to grow their internal teams and build in-house capability.
Resourcing challenges are often addressed more directly by increased spending. However, for a lot of organizations, this just isn’t possible. While there is no magic solution to resolve resource constraints and small budgets, the following tactics should be considered as a means to reduce the hours required for the services your team provides.
Upskill Your Staff: If full-scale training is not an option, see if there are individual skills that could be improved to help reduce time to completion for your services. Use Info-Tech's blueprint Close the InfoSec Skills Gap to determine which skills are needed for your security team.

Improve Process Familiarity: In some organizations, especially low-maturity ones, problems can arise simply because there is a lack of familiarity with what needs to be done. Review the process, socialize it, and make sure your staff can execute it within the target time allotment.

Add Technology: Resourcing crunch or not, technology can help us do things better. Investigate whether automation software might help to shave a few hours off a given service. Use Info-Tech's blueprint Build a Winning Business Process Automation Playbook to optimize and automate your business processes with a user-centric approach.

Download the blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan
Download the blueprint Build a Winning Business Process Automation Playbook
Every minute counts. While using these strategies may not solve every resourcing crunch you have, they can help put you in the best position possible to deliver on your commitments for each service.
Cybersecurity skills are in high demand; practitioners are few. The reality is that experienced security personnel have a lot of opportunities. While we cannot control for the personal reasons employees leave jobs, we can address the professional reasons that cause them to leave.
| Fair wage | Reasonable expectations | Provide training | Defined career path |
|---|---|---|---|
| It’s a sellers’ market for cybersecurity skills these days. Higher-paying offers are one of the major reasons security leaders leave their jobs (ISSA, 2021). | Many teams lose out on good talent simply because they have unrealistic expectations, such as seeking 5+ years of experience for an entry-level position, due to misalignment with HR (TECHNATION, 2021). | Technology is changing (and being adopted) faster than security professionals can train on it. Ongoing training is needed to close these gaps (ISO, 2021). | People want to see where they are now, visualize where they will be in the future, and understand what it takes to get there. This helps to determine what types of training and specialization are necessary (DigitalGuardian, 2020). |
Use Info-Tech’s blueprint Build a Strategic IT Workforce Plan to help staff your security organization for success.
Download blueprint Build a Strategic IT Workforce Plan
You have now successfully identified your business and security drivers, determined what services your security program will provide, and determined your resourcing plan to meet these demands over the next three years.
As needs change at your organization, don’t forget to re-evaluate the decisions you’ve made. Don’t forget that outsourcing a service may be the most reliable way to provide and resource it. However, this is just one tool among many that should be considered, along with upskilling, process improvement/familiarity, and process automation.
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
George Al-Koura, CISO, Ruby Life
Brian Barniner, Head of Decision Science and Analytics, ValueBridge Advisors
Tracy Dallaire, CISO / Director of Information Security, McMaster University
Ricardo Johnson, Chief Information Security Officer, Citrix
Ryan Rodriguez, Senior Manager, Cyber Threat Management, EY
Paul Townley, VP Information Security and Personal Technology, Owens Corning
13 Anonymous Contributors
Cost-Optimize Your Security Budget
Develop Your Security Outsourcing Strategy
Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan
“2021 Voice of the CISO Report.” Proofpoint, 2021. Web.
“2022 Voice of the CISO.” Proofpoint, 2022. Web.
Brook, Chris. “How to Find and Retain Skilled Cybersecurity Talent.” DigitalGuardian, 17 Sep. 2020. Web.
“Canadian Cybersecurity Skills Framework.” TECHNATION Canada, April 2020. Web.
“Cybersecurity Skills Crisis Continues for Fifth Year, Perpetuated by Lack of Business Investment.” ISSA, 28 July 2021. Web.
“Cybersecurity Workforce, National Occupational Standard.” TECHNATION Canada, April 2020. Web.
Naden, Clare. “The Cybersecurity Skills Gap: Why Education Is Our Best Weapon against Cybercrime.” ISO, 15 April 2021. Web.
Purse, Randy. “Four Challenges in Finding Cybersecurity Talent and What Companies Can Do About It.” TECHNATION Canada, 29 March 2021. Web.
Social-Engineer. “Burnout in the Cybersecurity Community.” Security Boulevard, 8 Dec. 2021. Web.
“State of Cybersecurity 2020.” ISACA, 2020. Web.