Formulas for dimensioning security teams

By Carlos Borella*, January 15, 2021


It is nothing new that one of the effects of the acceleration of digital transformation brought about by the COVID-19 pandemic was an increase in cybersecurity risk. With growing pressure on IT teams to deliver ever faster, asset risk management has not always been given priority.

This context brought an explosion of cyber security incidents, and many companies took considerable time to find their "modus operandi" for dealing with the new scenario. The next step was to look more closely at the security policies and solutions at hand.

One of the first findings of this period is that there is a serious shortage of cyber security professionals in the market. This makes it very difficult to assemble and maintain an internal team with a specific focus on cyber security, bearing in mind that the ecosystem has not managed to train enough professionals to meet demand.

In any case, whether internally or through third-party services, many companies are currently facing the challenge of structuring their security teams. It is worth remembering that deciding whether positions will be internal or delivered as a service is a strategic decision. Regardless of the model, the team has to be sized effectively, and for that those responsible for a company's security areas need a framework (a calculation basis) that allows them to defend their budget and their investment in headcount.

The fact is that companies will increasingly need correctly sized teams with specific knowledge of cyber security. Although there is no single framework that supports this definition, some case studies and benchmarks already suggest an adequate size. We cite some examples:

• EDUCAUSE research suggests allocating one cyber security professional for every thousand information processing resources (network equipment, servers, workstations, mobile devices, etc.). In this case, an operation with 1,200 information processing resources would need 1.2 FTE (Full-time Equivalent), or roughly one professional;

• The Computer Security Institute (CSI) proposes that cyber security professionals should make up 5% of the total Information Technology (IT) team. In this case, an IT team of 100 professionals would need 5 employees: 100 (IT team) × 5% = 5 FTE for cyber security;

• An option that has been used is an equation that takes into account both the number of processing resources and the size of the IT area, by averaging the two previous results: Cyber Security FTE = (1.2 + 5) / 2 = 3.1, which, rounded up to whole professionals, gives 4. In this format, we would arrive at a team of four professionals.
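The three benchmarks above, written out as a small function so that the inputs (asset count and IT headcount) and the rounding step are explicit. This is an added example, not code from the post or from Safeway; the function and constant names are my own, and rounding the blended FTE up to whole people is an assumption of the example, chosen because the post reports (1.2 + 5) / 2 = 3.1 as a team of four.

```python
"""Security team sizing from the three benchmarks cited in the post.

Added example (not the post's own code). Assumptions:
  - 1 FTE per 1,000 information processing resources (EDUCAUSE benchmark)
  - cyber security staff = 5% of the IT team (CSI benchmark)
  - the blended estimate is the plain average of the two
  - fractional FTE is rounded UP to whole professionals (my assumption;
    the post turns the 3.1 FTE result into a team of four)
"""
import math
from dataclasses import dataclass

ASSETS_PER_FTE = 1000   # one security FTE per 1,000 assets
IT_SHARE = 0.05         # security staff as a share of the IT team


@dataclass(frozen=True)
class SizingResult:
    by_assets: float    # FTE from the asset-count benchmark
    by_it_share: float  # FTE from the 5%-of-IT benchmark
    blended: float      # average of the two benchmarks
    headcount: int      # blended FTE rounded up to whole people (assumption)


def size_security_team(assets: int, it_staff: int) -> SizingResult:
    """Return the three sizing estimates for a given asset count and IT headcount.

    Neither input may be negative; zero is allowed (a company with no
    tracked assets and no IT staff gets a zero estimate, not an error).
    Note that these benchmarks do not cover 24x7 operation such as a SOC,
    which would need shift coverage on top of this figure.
    """
    if assets < 0 or it_staff < 0:
        raise ValueError("asset and staff counts must be non-negative")
    by_assets = assets / ASSETS_PER_FTE
    by_it_share = it_staff * IT_SHARE
    blended = (by_assets + by_it_share) / 2
    return SizingResult(
        by_assets=by_assets,
        by_it_share=by_it_share,
        blended=blended,
        headcount=math.ceil(blended),
    )


if __name__ == "__main__":
    # The post's worked figures: 1,200 assets and an IT team of 100.
    r = size_security_team(assets=1200, it_staff=100)
    print(f"by assets   : {r.by_assets:.1f} FTE")
    print(f"by IT share : {r.by_it_share:.1f} FTE")
    print(f"blended     : {r.blended:.1f} FTE -> {r.headcount} professionals")
```

Running the module reproduces the post's numbers (1.2, 5.0, 3.1 and a headcount of 4). The two constants are the only place the benchmark ratios live, so a company that prefers a different ratio can change them without touching the arithmetic.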

These formulas are not set in stone; they aim to support companies in sizing their cyber security team, whether internal or third party. It is always worth remembering that the great advantage of having a partner is that it has much more agility to hire or replace professionals, especially those with specialised knowledge.

Finally, regardless of the team model, it is important to have an overview of the demand, and the calculations presented here give a good indication and direction in that sense. It is worth noting that the studies and calculations above do not cover the maintenance of teams with 24 × 7 operation, for example a SOC (Security Operations Center).

*Carlos Borella is CEO of Safeway.