Get Instant Access
to This Blueprint

Security icon

Build a Service-Based Security Resourcing Plan

Every security program is unique; resourcing allocations should reflect this.

  • IT and security leaders across all industries must determine what and how many resources are needed to support the information security program.
  • Estimating current usage and future demand for security resources can be a difficult and time-consuming exercise.

Our Advice

Critical Insight

Not all security programs need to be the same. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

Impact and Result

  • Info-Tech’s approach to resource planning focuses less on benchmarks and more on estimating actual demand for security services to ensure that there are enough resources to deliver them.
  • A well-designed security services portfolio is the first step towards determining resourcing needs.
  • When planning resource allocations, plan for both mandatory and discretionary demand to optimize utilization.

Build a Service-Based Security Resourcing Plan Research & Tools

1. Build a Service-Based Security Resourcing Plan – A blueprint to help you define security roles, build a service portfolio, estimate demand, and determine resourcing needs.

This storyboard will help you to determine your security resourcing needs using a service-based approach.

In this project you will assign security service ownership to your team and determine demand and resourcing needs of those services.

2. Security Resources Planning Workbook – This tool will result in a defined security service portfolio and a three-year resourcing plan.

Use this tool to build your security service portfolio and to determine resourcing needs to meet your service demand.


Workshop: Build a Service-Based Security Resourcing Plan

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Define Roles and Select Services

The Purpose

  • Identify the roles needed to implement and deliver your organization’s security services.

Key Benefits Achieved

  • A security services portfolio allows you to assign job roles to each service, which is the first step towards determining resourcing needs. Improve employee engagement and satisfaction with clearly defined job roles, responsibilities, and service levels.

Activities

Outputs

1.1

Assess security needs and business pressures.

  • Security Roles Definition
1.2

Define security job roles.

1.3

Define security services and assign ownership.

  • Security Services Portfolio

Module 2: Estimate Current and Future Demand

The Purpose

  • Estimate the actual demand for security resources and determine how to allocate resources accordingly.

Key Benefits Achieved

  • Allocate resources more effectively across your Security and Risk teams.
  • Raise the profile of your security team by aligning security service offerings with the demands of the business.

Activities

Outputs

2.1

Estimate current and future demand.

  • Demand Estimates
2.2

Review demand summary.

2.3

Allocate resources where they are needed the most.

  • Resourcing Plan

Module 3: Identify Required Skills

The Purpose

When defining roles, consider the competencies needed to deliver your security services. Make sure to account for this need in your resource planning.

Key Benefits Achieved

Leverage the NCWF to establish the building blocks of a capable and ready cybersecurity workforce to effectively identify, recruit, develop and maintain cybersecurity talent.

Activities

Outputs

3.1

Identify skills needed for planned initiatives.

  • Prioritized Skill Requirements and Associated Roles
3.2

Prioritize your skill requirements.

3.3

Assign work roles to the needs of your target environment.

3.4

Discuss the NICE cybersecurity workforce framework.

3.5

Develop technical skill requirements for current and future work roles.

Module 4: Future Planning

The Purpose

Create a development plan to train and upskill your employees to address current and future service requirements.

Key Benefits Achieved

  • Skill needs are based on the strategic requirements of a business-aligned security program.

Activities

Outputs

4.1

Continue developing technical skill requirements for current and future work roles.

  • Role-Based Skills Gaps
4.2

Conduct current workforce skills assessment.

4.3

Develop a plan to acquire skills.

  • Workforce Development Plan
4.4

Discuss training and certification opportunities for staff.

4.5

Discuss next steps for closing the skills gap.

4.6

Debrief.


Build a Service-Based Security Resourcing Plan

Every security program is unique; resourcing allocations should reflect this.

Analyst Perspective

Start by looking inward.

The image is a picture of Logan Rohde.The image is a picture of Isabelle Hertanto.

Organizations have a critical need for skilled cybersecurity resources as the cyberthreat landscape becomes more complex. This has put a strain on many security teams who must continue to meet demand for an increasing number of security services. To deliver services well, we first need to determine what are the organization’s key security requirements. While benchmarks can be useful for quick peer-to-peer comparisons to determine if we are within the average range, they tend to make all security programs seem the same. This can lead to misguided investments in security services and personnel that might be better used elsewhere.

Security teams will be most successful when organizations take a personalized approach to security, considering what must be done to lower risk and operate more efficiently and effectively.

Logan Rohde

Senior Research Analyst, Security

Info-Tech Research Group

Isabelle Hertanto

Principal Research Director, Security

Info-Tech Research Group

Executive Summary

Your Challenge

Common Obstacles

Info-Tech’s Approach

  • IT and Security leaders across all industries must determine what and how many resources are needed to support the information security program.
  • Estimating current usage, the right allocations, and future demand for security resources can be a difficult and time-consuming exercise.
  • Needing to provide a benchmark to justify increasing headcount.
  • Absence of formally defined security service offerings and service owners.
  • Lack of skills needed to provide necessary security services.
  • Info-Tech’s approach to resource planning focuses less on benchmarks and more on estimating actual demand for security services to ensure that there are enough resources to deliver them.
  • A well-designed security services portfolio is the first step toward determining resourcing needs.
  • When allocating resources, plan for both mandatory and discretionary demand to position yourself for greatest success.

Info-Tech Insight

Not all security programs need to be the same. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

Your challenge

This research is designed to help organizations who are looking to:

  • Determine what and how many resources are needed to support the information security program.
  • Identify the organization's key service offerings and the required resourcing to support delivery of such services.
  • Estimate current staff utilization and required allocations to satisfy future demand for services.

Every organization is unique and will need different security research allocations aligned with their business needs.

“The number of priorities that CISOs have continues to grow, but if everything is a priority, nothing is. It’s important to focus on the ones that deliver the most value to your organization and that are synchronized with the overall business strategy.”

Paige H. Adams

Global CISO at Zurich

Insurance

Source: Proofpoint, 2021

Common obstacles

These barriers make this challenge difficult to address for many organizations:

  • Security leaders sometimes try to cut to the chase and lean on staffing benchmarks to justify their requests for resources. However, while staffing benchmarks are useful for quick peer-to-peer validation and decision making, they tend to reduce security programs down to a set of averages, which can be misleading when used out of context.
  • A more effective approach is to determine what security services need to be provided, the level of demand, and what it will take to meet that demand currently and in the coming years.
  • With these details available, it becomes much easier to predict what roles need to be hired, what skills need to be developed, and whether outsourcing is an option.

Hiring delays and skills gaps can fuel resourcing challenges

59% of organizations report taking 3-6+ months to fill a vacant cybersecurity position.

Source: ISACA, 2020

30% report IT knowledge as the most prevalent skills gap in today’s cybersecurity professionals.

Source: ISACA, 2020

Info-Tech’s methodology for Building a Service-Based Security Resourcing Plan

1. Determine Security Service Portfolio Offerings

2. Plan for Mandatory Versus Discretionary Demand

3. Define Your Resourcing Model

Phase Steps

1 Gather Requirements and Define Roles

1.2 Choose Security Service Offerings

2.1 Assess Demand

3.1 Review Demand Summary

3.2 Develop an Action Plan

Phase Outcomes

Security requirements

Security service portfolio

Service demand estimates

Service hour estimates

Three-year resourcing plan

Stay on top of resourcing demands with a security service portfolio

Security programs should be designed to address unique business needs.

A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

Watch out for role creep.

It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.

Time estimates will improve with practice.

It may be difficult to estimate exactly how long it takes to carry out each service at first. But making the effort to time your activities each quarter will help you to improve the accuracy of your estimates incrementally.

Start recruiting well in advance of need.

Security talent can be difficult to come by, so make sure to begin your search for a new hire three to six months before your demand estimates indicate the need will arise.

People and skills are both important.

As the services in your portfolio mature and become more complex, remember to consider the skills you will need to be able to provide that service. Make sure to account for this need in your resource planning and keep in mind that we can only expect so much from one role. Therefore, hiring may be necessary to keep up with the diverse skills your services may require.

Make sure your portfolio reflects reality.

There’s nothing wrong with planning for future state, but we should avoid using the portfolio as a list of goals.

Blueprint deliverable

Use this tool to build your security services portfolio, estimate demand and hours needed, and determine FTE requirements.

The image contains screenshots of the Security Resources Planning Workbook.

Key deliverable:

Security Resources Planning Workbook

The Security Resources Planning Workbook will be used to:

  • Build a security services portfolio.
  • Estimate demand for security services and the efforts to deliver them.
  • Determine full-time equivalent (FTE) requirements for each service.
The image contains a thought model to demonstrate the benchmarks that lead to a one-size-fits-all approach to security.

Blueprint benefits

IT Benefits

Business Benefits

  • Allocate resources more effectively across your security and risk teams.
  • Improve employee engagement and satisfaction with clearly defined job roles, responsibilities, and service levels.
  • Raise the profile of your security team by aligning security service offerings with the demands of the business.
  • Ensure that people, financial, knowledge, and technology resources are appropriately allocated and leveraged across the organization.
  • Improve your organization’s ability to satisfy compliance obligations and reduce information security risk.
  • Increase customer and business stakeholder satisfaction through reliable service delivery.

Measure the value of this blueprint

Use these metrics to realize the value of completing this blueprint.

Metric

Expected Improvement

Level of business satisfaction with IT security

You can expect to see a 20% improvement in your IT Security Business Satisfaction Diagnostic.

Reports on key performance indicators and service level objectives

Expect to see a 40% improvement in security service-related key performance indicators and service level objectives.

Employee engagement scores

You can expect to see approximately a 10% improvement in employee engagement scores.

Changes in rates of voluntary turnover

Anticipating demand and planning resources accordingly will help lower employee turnover rates due to burnout or stress leave by as much as 10%.

47% of cybersecurity professionals said that stress and burnout has become a major issue due to overwork, with most working over 41 hours a week, and some working up to 90.

Source: Security Boulevard, 2021

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Guided Implementation

Workshop

Consulting

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

Phase 1 Phase 2 Phase 3

Call #1: Scope requirements, objectives, and your specific drivers.

Call #2: Discuss roles and duties.

Call #3: Build service portfolio and assign ownership.

Call #4: Estimate required service hours.

Call #5: Review service demand and plan for future state.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 4 to 6 calls over the course of 2 to 3 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com1-888-670-8889

Day 1 Day 2 Day 3 Day 4 Day 5

Define Roles and Select Services

Estimate Current and Future Demand

Identify Required Skills

Future Planning

Next Steps and
Wrap-Up (offsite)

Activities

1.1 Assess Security Needs and Business Pressures.

1.2 Define Security Job Roles.

1.3 Define Security Services and Assign Ownership.

2.1 Estimate Current and Future Demand.

2.2 Review Demand Summary.

2.3 Allocate Resources Where They Are Needed the Most.

3.1 Identify Skills Needed Skills for Planned Initiatives.

3.2 Prioritize Your Skill Requirements.

3.3 Assign Work Roles to the Needs of Your Target Environment.

3.4 Discuss the NICE Cybersecurity Workforce Framework.

3.5 Develop Technical Skill Requirements for Current and Future Work Roles.

4.1 Continue Developing Technical Skill Requirements for Current and Future Work Roles.

4.2 Conduct Current Workforce Skills Assessment.

4.3 Develop a Plan to Acquire Skills.

4.4 Discuss Training and Certification Opportunities for Staff.

4.5 Discuss Next Steps for Closing the Skills Gap.

4.6 Debrief.

5.1 Complete In-Progress Deliverables From Previous Four Days.

5.2 Set Up Review Time for Workshop Deliverables and to Discuss Next steps.

Deliverables
  1. FTE-Hours Calculation
  2. Security Roles Definition
  3. Security Services Portfolio
  1. Demand Estimates
  2. Resourcing Plan
  1. Skills Gap Prioritization Tool
  2. Technical Skills Tool
  1. Technical Skills Tool
  2. Current Workforce Skills Assessment
  3. Skills Development Plan

Phase 1

Determine Security Service Portfolio Offerings

Phase 1

Phase 2

Phase 3

1.1 Gather Requirements and Define Roles

1.2 Choose Security Service Offerings

2.1 Assess Demand

3.1 Determine Resourcing Status

This phase involves the following participants:

  • CISO
  • Core Security Team
  • Business Representative (optional)

Step 1.1

Gather Requirements and Define Roles

Activities

1.1.1 Assess Business Needs and Pressures

1.1.2 Define Security Roles

This step involves the following participants:

  • CISO
  • Core Security Team
  • Business Representative (optional)

Outcomes of this step

  • Security program requirements
  • Security roles definitions

1.1.1 Assess security needs and pressures

1 hour

  1. As a group, brainstorm the security requirements for your organization and any business pressures that exist within your industry (e.g. compliance obligations).
    • To get started, consider examples of typical business pressures on the next slides. Determine how your organization must respond to these points (note: this is not an exhaustive list).
    • You will likely notice that these requirements have already influenced the direction of your security program and the kinds of services it needs to provide to the business side of the organization.
  2. There may be some that have not been well addressed by current service offerings (e.g. current service maturity, under/over definition of a service). Be sure to make a note of these areas and what the current challenge is and use these details in Step 1.2.
  3. Document the results for future use in Step 1.2.1.
Input Output
  • List of key business requirements and industry pressures
  • Prioritized list of security program requirements
Materials Participants
  • Whiteboard
  • Sticky notes
  • CISO
  • Core Security Team
  • Business Representative (optional)

Typical business pressures examples

The security services you will provide to the organization should be based on its unique business requirements and pressures, which will make certain services more applicable than others. Use this exercise to get an idea of what those business drivers might be.

The image contains a screenshot of Typical business pressures examples.

1.1.2 Define security roles

1-2 hours

  1. Using the link below, download the Security Resources Planning Workbook and review the examples provided on the next slide.
  2. On tab 1 (Roles), review the example roles and identify which roles you have within your security team.
    • If necessary, customize the roles and descriptions to match your security team’s current make up.
    • If you have roles within your security team that do not appear in the examples, you can add them to the bottom of the table.
  3. For each role, use columns D-F to indicate how many people (headcount) you have, or plan to have, in that role.
  4. Use columns H-J to indicate how many hours per year each role has available to deliver the services within your service catalog.
Input Output
  • Full-time hours worked per week Weeks worked per year Existing job descriptions/roles
  • Calculated full-time equivalents (FTE) Defined security roles
Materials Participants
  • Security Resources Planning Workbook
  • CISO
  • Core Security Team

Download the Security Resources Planning Workbook

Calculating FTEs and defining security roles

The image contains a screenshot of the workbook demonstrating calculating FTEs and defining security roles.

  1. Start by entering the current and planned headcount for each role
  2. Then enter number of hours each role works per week
  3. Estimate the number of administrative hours (e.g. team meetings, training) per week
  4. Enter the average number of weeks per year that each role is available for service delivery
  5. The tool uses the data from steps 2-4 to calculate the average number of hours each role has for service delivery per year (FTE)

Info-Tech Insight

Watch out for role creep. It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.

Other considerations

Address your skills gap.

Cybersecurity is a rapidly evolving discipline and security teams from all over are reporting challenges related to training and upskilling needed to keep pace with the developments of the threat landscape.

95% Security leaders who agree the cybersecurity skills gap has not improved over the last few years.*

44% Security leaders who say the skills gap situation has only gotten worse.*

When defining roles, consider the competencies needed to deliver your security services. Use Info-Tech’s blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan to help you determine the required skillsets for each role.

* Source: ISSA, 2021

Info-Tech Insight

As the services in your portfolio mature and become more complex, remember to consider the skills you need and will need to be able to provide that service. Make sure to account for this need in your resource planning and keep in mind that we can only expect so much from one role. Therefore, hiring may be necessary to keep up with the diverse skills your services may require.

Download blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan

Step 1.2

Choose Security Service Offerings

Activities

1.2.1 Define Security Services and Role Assignments

This step involves the following participants:

  • CISO
  • Core Security Team

Outcomes of this step

  • Service portfolio
  • Service pipeline status
  • Service ownership

1.2.1 Define security services and role assignments

2-4 hours

  1. As a group, review the outputs from Step 1.1.1. These requirements will serve as the basis to prioritize the service offerings of your security portfolio.
  2. Take these outputs, as well as any additional notes you’ve made, and put them side by side with the example service offerings on tab 3 of the Security Resources Planning Workbook so each service can be considered alongside these requirements (i.e. to determine if that service should be included in the security service portfolio at this time).
  3. Using the following slides as a guide, work your way down the list of example services and choose the services for your portfolio. For each service selected, be sure to customize the definition of the service and state its outcome (i.e. what time is spent when providing this service, indicate if it is outsourced, which role is responsible for delivering it, and the service pipeline status (in use, plan to use, plan to retire)).
InputOutput
  • Business and security requirements gathered in Step 1.1.1
  • Defined security service portfolio
  • Service ownership assigned to role
MaterialsParticipants
  • Security Resources Planning Workbook
  • CISO
  • Core Security Team

Download the Security Resources Planning Workbook

Service needs aligned with your control framework

Use Info-Tech's best-of-breed Security Framework to develop a comprehensive baseline set of security service areas.

The image contains a screenshot of the Security Framework.

Prioritize your security services

Example of a custom security services portfolio definition

Security Strategy and Governance Model

  • Aligned Business Goals
  • Security Program Objectives
  • Centralized vs. Decentralized Governance Model

Compliance Obligations

  • Penetration testing
  • Annual security audits
  • Data privacy and protection laws

CISO Accountabilities

  • Security Policy
  • Risk Management
  • Application & Infrastructure Security
  • Program Metrics and Reporting

Consider each of the requirement categories developed in Step 1.1.1 against the taxonomy and service domain here. If there is a clear need to add this service, use the drop-down list in the “Include in Catalog” column to indicate “Yes.” Mark un-needed services as “No.”

The image contains a screenshot of the security services portfolio definition.

Assigning roles to services

The image contains an example of assigning roles to services.

  1. If the service is being outsourced, use the drop-down list to select “Yes.” This will cause the formatting to change in the neighboring cell (Role), as this cell does not need to be completed.
  2. For all in-sourced services, indicate the role assigned to perform the service.
  3. Indicate the service-pipeline status for each of the services you include. The selection you make will affect the conditional formatting on the next tab, similar to what is described in step 1.

Info-Tech Insight

Make sure your portfolio reflects current state and approved plans. There’s nothing wrong with planning for the future, but we should avoid using the portfolio as a list of goals.

Phase 2

Plan for Mandatory Versus Discretionary Demand

Phase 1

Phase 2

Phase 3

1.1 Gather Requirements and Define Roles

1.2 Choose Security Service Offerings

2.1 Assess Demand

3.1 Determine Resourcing Status

This phase involves the following participants:

  • CISO
  • Core Security Team

Step 2.1

Assess Demand

Activities

2.1.1 Estimate Current and Future Demand

This step involves the following participants:

  • CISO
  • Core Security Team

Outcomes of this step

  • Service demand estimates
  • Total service hours required
  • FTEs required per service

2.1.1 Estimate current and future demand

2-4 hours

  1. Estimate the number of hours required to complete each of the services in your portfolio and how frequently it is performed. Remember the service-hour estimates should be based on the outcome of the service (see examples on the next slide).
    • To do this effectively, think back over the last quarter and count how many times the members of your team performed each service and how many hours it took to complete.
    • Then, think back over the last year and consider if the last quarter represents typical demand (i.e. you may notice that certain services have a greater demand at different parts of the year, such as annual audit) and arrive at your best estimate for both service hours and demand.
    • See examples on next slide.

Note: For continuous services (i.e. 24/7 security log monitoring), use the length of the work shift for estimating the Hours to Complete and the corresponding number of shifts per year for Mandatory Demand estimates. Example: For an 8-hour shift, there are 3 shifts per day at 365 days/year, resulting in 1,095 total shifts per year.

Download the Security Resources Planning Workbook

InputOutput
  • Service-hour estimations
  • Expected demand for service
  • Discretionary demand for service
  • Total hours required for service
  • FTEs required for service
MaterialsParticipants
  • Security Resources Planning Workbook
  • CISO
  • Core Security Team

Info-Tech Insight

Time estimates will improve over time. It may be difficult to estimate exactly how long it takes to carry out each service at first. But making the effort to time your activities each quarter will help you to improve the accuracy of your estimates incrementally.

Understanding mandatory versus discretionary demand

Every service may have a mix of mandatory and discretionary demands. Understanding and differentiating between these types of demand is critical to developing an efficient resourcing plan.

The image contains a picture used to represent mandatory demand.

Mandatory Demand

Mandatory demand refers to the amount of work that your team must perform to meet compliance obligations and critical business and risk mitigation requirements.

Failure to meet mandatory demand levels will have serious consequences, such as regulatory fines or the introduction of risks that far exceed risk tolerances. This is work you cannot refuse.

The image contains a diagram to demonstrate the relationship between Mandatory and Discretionary demand.

The image contains a picture used to represent discretionary demand.

Discretionary Demand

Discretionary demand refers to the amount of work the security team is asked to perform that goes above and beyond your mandatory demand. Discretionary demand often comes in the form of ad hoc requests from business units or the IT department.

Failure to meet discretionary demand levels usually has limited consequences, allowing you more flexibility to decide how much of this type of work you can accept.

Mandatory versus discretionary demand examples

Service Name

Mandatory Demand Example

Discretionary Demand Example

Penetration Testing

PCI compliance requires penetration testing against all systems within the cardholder data environment annually (currently 2 systems per year).

Business units request ad hoc penetration testing against non-payment systems (expected 2-3 systems per year).

Vendor Risk Assessments

GDPR compliance requires vendor security assessments against all third parties that process personal information on our behalf (expected 1-2 per quarter).

IT department has requested that the security team conduct vendor security assessments for all cloud services, regardless of whether they store personal information (expected 2-3 assessments per quarter).

e-Discovery and Evidence Handling

There is no mandatory demand for this service.

The legal department occasionally asks the security team to assist with e-Discovery requests (expected demand 1-2 investigations per quarter).

Example of service demand estimations

The image contains a screenshot example of service demand estimations.

  1. For each service, describe the specific outcome or deliverable that the service produces. Modify the example deliverables as required.
  2. Enter the number of hours required to produce one instance of the service deliverable. For example, if the deliverable for your security training service is an awareness campaign, it may require 40 person hours to develop and deliver.
  3. Enter the number of mandatory and discretionary demands expected for each service within a given year. For instance, if you are delivering quarterly security awareness campaigns, enter 4 as the demand.

Phase 3

Build Your Resourcing Plan

Phase 1

Phase 2

Phase 3

1.1 Gather Requirements and Define Roles

1.2 Choose Security Service Offerings

2.1 Assess Demand

3.1 Determine Resourcing Status

This phase involves the following participants:

  • CISO
  • Security Manager

Step 3.1

Determine Resourcing Status

Activities

3.1.1 Review Demand Summary

3.1.2 Fill Resource Gaps

This step involves the following participants:

  • CISO
  • Security Manager

Outcomes of this step

  • The number of FTEs required to meet demand
  • Resourcing gaps

3.1.1 Review demand summary

1-2 hours

  1. On tab 5 of the Security Resourcing Planning Tool (Demand Summary), review the results. This tab will show you if you have enough FTE hours per role to meet the demand level for each service.
    • Green indicates that there is a surplus of FTEs and the number displayed shows how many extra FTEs there are.
    • Yellow text that you have adequate FTEs to meet all of your mandatory demand but may not have enough to meet all of your discretionary demand.
    • Red text indicates that there are too few FTEs available, and the number displayed shows how many additional FTEs you will require.
  2. Take note of how many FTEs you will need to meet expected and discretionary demand in each of the years you’ve planned for.
Input Output
  • Current staffing
  • Resourcing model
Materials Participants
  • Security Resources Planning Workbook
  • CISO
  • HR Representative

Download the Security Resources Planning Workbook

Info-Tech Insight

Start recruiting well in advance of need. Security talent can be difficult to come by, so make sure to begin your search for a new hire three to six months before your demand estimates indicate the need will arise.

Example of demand planning summary (1/2)

The image contains a screenshot of an example of demand planning summary.

Example of demand planning summary (2/2)

The image contains a screenshot of an example of demand planning. This image has a screenshot of the dashboard.

3.1.2 Fill resource gaps

2-4 hours

  1. Now that you have a resourcing model for your security services, you will need to plan to close the gaps between available FTEs and required service hours. For each role that has been under/over committed to service delivery, review the services assignments on tab 3 and determine the viability of the following gap closure actions:
    1. Reassign service responsibility to another role with fewer commitments
    2. Create efficiencies to reduce required hours
    3. Hire to meet the service demand
    4. Outsource the service
  2. Your resourcing shortages may not all be apparent at once. Therefore, build a roadmap to determine which needs must be addressed immediately and which can be scheduled for years two and three.

Consider outsourcing

Outsourcing provides access to tools and talent that would otherwise be prohibitively expensive. Typical reasons for outsourcing security operations include:

  • Difficulty finding or retaining security staff with advanced and often highly specialized skillsets.
  • The desire to transfer liability for high-risk operational activities such as 24/7 security monitoring.
  • Workforce scalability to accommodate irregular or infrequent events such as incident response and incident-related forensic investigations.

Given the above, three different models have emerged for the operational security organization:

1. Outsourced SecOps

A fully outsourced Security Operations Center, managed and governed by a smaller in-house team

2. Balanced Hybrid

In-house operational security staff with some reliance on managed services

3. In-House SecOps

A predominantly in-house security team, augmented by a small managed services contract

Once you have determined that further outsourcing is needed, go back and adjust the status in your service portfolio. Use Info-Tech's blueprint Develop Your Security Outsourcing Strategy to determine the right approach for your business needs.

“The workforce of the future needs to be agile and adaptable, enabled by strong partnerships with third-party providers of managed security services. I believe these hybrid models really are the security workforce of the future.”

– Senior Manager, Cybersecurity at EY

Download blueprint Develop Your Security Outsourcing Strategy

Info-Tech Insight

Choose the right model for your organization’s size, risk tolerance, and process maturity level. For example, it might make more sense for larger enterprises with low risk tolerance to grow their internal teams and build in-house capability.

Create efficiencies

Resourcing challenges are often addressed more directly by increased spending. However, for a lot of organizations, this just isn’t possible. While there is no magic solution to resolve resource constraints and small budgets, the following tactics should be considered as a means to reduce the hours required for the services your team provides.

Upskill Your Staff

If full-scale training is not an option, see if there are individual skills that could be improved to help improve time to completion for your services. Use Info-Tech's blueprint Close the InfoSec Skills Gap to determine which skills are needed for your security team.

Improve Process Familiarity

In some organizations, especially low-maturity ones, problems can arise simply because there is a lack of familiarity with what needs to be done. Review the process, socialize it, and make sure your staff can execute in within the target time allotment.

Add Technology

Resourcing crunch or not, technology can help us do things better. Investigate whether automation software might help to shave a few hours off a given service. Use Info-Tech's blueprint Build a Winning Business Process Automation Playbook to optimize and automate your business processes with a user-centric approach.

Download the blueprint Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan

Download the blueprint Build a Winning Business Process Automation Playbook

Info-Tech Insight

Every minute counts. While using these strategies may not solve every resourcing crunch you have, they can help put you in the best position possible to deliver on your commitments for each service.

Plan for employee turnover

Cybersecurity skills are in high demand; practitioners are few. The reality is that experienced security personnel have a lot of opportunities. While we cannot control for the personal reasons employees leave jobs, we can address the professional reasons that cause them to leave.

Fair wage

Reasonable expectations

Provide training

Defined career path

It’s a sellers’ market for cybersecurity skills these days. Higher-paying offers are one of the major reasons security leaders leave their jobs (ISSA, 2021).

Many teams lose out on good talent simply because they have unrealistic expectations, seeking 5+ years experience for an entry-level position, due to misalignment with HR (TECHNATION, 2021).

Technology is changing (and being adopted) faster than security professionals can train on it. Ongoing training is needed to close these gaps (ISO, 2021).

People want to see where they are now, visualize where they will be in the future, and understand what takes to get there. This helps to determine what types of training and specialization are necessary (DigitalGuardian, 2020).

Use Info-Tech’s blueprint Build a Strategic IT Workforce Plan to help staff your security organization for success.

The image contains a screenshot of the Build a Strategic IT Workforce Plan.

Download blueprint Build a Strategic IT Workforce Plan

Summary of Accomplishment

Problem Solved

You have now successfully identified your business and security drivers, determined what services your security program will provide, and determined your resourcing plan to meet these demands over the next three years.

As needs change at your organization, don’t forget to re-evaluate the decisions you’ve made. Don’t forget that outsourcing a service may be the most reliable way to provide and resource it. However, this is just one tool among many that should be considered, along with upskilling, process improvement/familiarity, and process automation.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Research Contributors and Experts

The image contains a picture of George Al-Koura.

George Al-Koura

CISO

Ruby Life

The image contains a picture of Brian Barniner.

Brian Barniner

Head of Decision Science and Analytics

ValueBridge Advisors

The image contains a picture of Tracy Dallaire.

Tracy Dallaire

CISO / Director of Information Security

McMaster University

The image contains a picture of Ricardo Johnson.

Ricardo Johnson

Chief Information Security Officer

Citrix

Research Contributors and Experts

The image contains a picture of Ryan Rodriguez.

Ryan Rodriguez

Senior Manager, Cyber Threat Management

EY

The image contains a picture of Paul Townley.

Paul Townley

VP Information Security and Personal Technology

Owens Corning

13 Anonymous Contributors

Related Info-Tech Research

Cost-Optimize Your Security Budget

Develop Your Security Outsourcing Strategy

Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan

Bibliography

2021 Voice of the CISO Report.” Proofpoint, 2021. Web.

“2022 Voice of the CISO.” Proofpoint, 2022. Web.

Brook, Chris. “How to Find and Retain Skilled Cybersecurity Talent.” DigitalGuardian, 17 Sep. 2020. Web.

“Canadian Cybersecurity Skills Framework” TECHNATION Canada, April 2020. Web.

“Cybersecurity Skills Crisis Continues for Fifth Year, Perpetuated by Lack of Business Investment.” ISSA, 28 July 2021. Web.

“Cybersecurity Workforce, National Occupational Standard.” TECHNATION Canada, April 2020. Web.

Naden, Clare. “The Cybersecurity Skills Gap: Why Education Is Our Best Weapon against Cybercrime.” ISO, 15 April 2021. Web.

Purse, Randy. “Four Challenges in Finding Cybersecurity Talent And What Companies Can Do About It.” TECHNATION Canada, 29 March 2021. Web.

Social-Engineer. “Burnout in the Cybersecurity Community.” Security Boulevard, 8 Dec. 2021. Web.

“State of Cybersecurity 2020.” ISACA, 2020. Web.

Every security program is unique; resourcing allocations should reflect this.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 3-phase advisory process. You'll receive 5 touchpoints with our researchers, all included in your membership.

Guided Implementation #1 - Determine Security Service Portfolio Offerings
  • Call #1 - Scope requirements, objectives, and your specific drivers.

Guided Implementation #2 - Plan for Mandatory Versus Discretionary Demand
  • Call #1 - Discuss roles and duties.
  • Call #2 - Build service portfolio and assign ownership.

Guided Implementation #3 - Build Your Resourcing Plan
  • Call #1 - Estimate required service hours.
  • Call #2 - Review service demand and plan for future state.

Authors

Isabelle Hertanto

Logan Rohde

Contributors

  • George Al-Koura, CISO, Ruby Life
  • Brian Barniner, Head of Decision Science and Analytics, ValueBridge Advisors
  • Tracy Dallaire, CISO / Director of Information Security, McMaster University
  • Ricardo Johnson, Chief Information Security Officer, Citrix
  • Ryan Rodriguez, Senior Manager, Cyber Threat Management, EY
  • Paul Townley, VP Information Security and Personal Technology, Owens Corning
  • 13 Anonymous contributors
Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019