Get Instant Access
to This Blueprint

Security icon

Build a Service-Based Security Resourcing Plan

Every security program is unique; resourcing allocations should reflect this.

  • IT and security leaders across all industries must determine what and how many resources are needed to support the information security program.
  • Estimating current usage and future demand for security resources can be a difficult and time-consuming exercise.

Our Advice

Critical Insight

Not all security programs need to be the same. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

Impact and Result

  • Info-Tech’s approach to resource planning focuses less on benchmarks and more on estimating actual demand for security services to ensure that there are enough resources to deliver them.
  • A well-designed security services portfolio is the first step towards determining resourcing needs.
  • When planning resource allocations, plan for both mandatory and discretionary demand to optimize utilization.

Build a Service-Based Security Resourcing Plan Research & Tools

1. Build a Service-Based Security Resourcing Plan – A blueprint to help you define security roles, build a service portfolio, estimate demand, and determine resourcing needs.

This storyboard will help you to determine your security resourcing needs using a service-based approach.

In this project you will assign security service ownership to your team and determine demand and resourcing needs of those services.

2. Security Resources Planning Workbook – This tool will result in a defined security service portfolio and a three-year resourcing plan.

Use this tool to build your security service portfolio and to determine resourcing needs to meet your service demand.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

10.0/10


Overall Impact

$20,799


Average $ Saved

20


Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Utah Transit Authority

Guided Implementation

10/10

$20,799

20

The guidance received from Isabelle Hertanto helped to guide us to see everywhere we were falling short and just how many resources we were short t... Read More


Workshop: Build a Service-Based Security Resourcing Plan

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Define Roles and Select Services

The Purpose

  • Identify the roles needed to implement and deliver your organization’s security services.

Key Benefits Achieved

  • A security services portfolio allows you to assign job roles to each service, which is the first step towards determining resourcing needs. Improve employee engagement and satisfaction with clearly defined job roles, responsibilities, and service levels.

Activities

Outputs

1.1

Assess security needs and business pressures.

  • Security Roles Definition
1.2

Define security job roles.

1.3

Define security services and assign ownership.

  • Security Services Portfolio

Module 2: Estimate Current and Future Demand

The Purpose

  • Estimate the actual demand for security resources and determine how to allocate resources accordingly.

Key Benefits Achieved

  • Allocate resources more effectively across your Security and Risk teams.
  • Raise the profile of your security team by aligning security service offerings with the demands of the business.

Activities

Outputs

2.1

Estimate current and future demand.

  • Demand Estimates
2.2

Review demand summary.

2.3

Allocate resources where they are needed the most.

  • Resourcing Plan

Module 3: Identify Required Skills

The Purpose

When defining roles, consider the competencies needed to deliver your security services. Make sure to account for this need in your resource planning.

Key Benefits Achieved

Leverage the NCWF to establish the building blocks of a capable and ready cybersecurity workforce to effectively identify, recruit, develop and maintain cybersecurity talent.

Activities

Outputs

3.1

Identify skills needed for planned initiatives.

  • Prioritized Skill Requirements and Associated Roles
3.2

Prioritize your skill requirements.

3.3

Assign work roles to the needs of your target environment.

3.4

Discuss the NICE cybersecurity workforce framework.

3.5

Develop technical skill requirements for current and future work roles.

Module 4: Future Planning

The Purpose

Create a development plan to train and upskill your employees to address current and future service requirements.

Key Benefits Achieved

  • Skill needs are based on the strategic requirements of a business-aligned security program.

Activities

Outputs

4.1

Continue developing technical skill requirements for current and future work roles.

  • Role-Based Skills Gaps
4.2

Conduct current workforce skills assessment.

4.3

Develop a plan to acquire skills.

  • Workforce Development Plan
4.4

Discuss training and certification opportunities for staff.

4.5

Discuss next steps for closing the skills gap.

4.6

Debrief.


Build a Service-Based Security Resourcing Plan

Every security program is unique; resourcing allocations should reflect this.

Analyst Perspective

Start by looking inward.

The image is a picture of Logan Rohde.The image is a picture of Isabelle Hertanto.

Organizations have a critical need for skilled cybersecurity resources as the cyberthreat landscape becomes more complex. This has put a strain on many security teams who must continue to meet demand for an increasing number of security services. To deliver services well, we first need to determine what are the organization’s key security requirements. While benchmarks can be useful for quick peer-to-peer comparisons to determine if we are within the average range, they tend to make all security programs seem the same. This can lead to misguided investments in security services and personnel that might be better used elsewhere.

Security teams will be most successful when organizations take a personalized approach to security, considering what must be done to lower risk and operate more efficiently and effectively.

Logan Rohde

Senior Research Analyst, Security

Info-Tech Research Group

Isabelle Hertanto

Principal Research Director, Security

Info-Tech Research Group

Executive Summary

Your Challenge

Common Obstacles

Info-Tech’s Approach

  • IT and Security leaders across all industries must determine what and how many resources are needed to support the information security program.
  • Estimating current usage, the right allocations, and future demand for security resources can be a difficult and time-consuming exercise.
  • Needing to provide a benchmark to justify increasing headcount.
  • Absence of formally defined security service offerings and service owners.
  • Lack of skills needed to provide necessary security services.
  • Info-Tech’s approach to resource planning focuses less on benchmarks and more on estimating actual demand for security services to ensure that there are enough resources to deliver them.
  • A well-designed security services portfolio is the first step toward determining resourcing needs.
  • When allocating resources, plan for both mandatory and discretionary demand to position yourself for greatest success.

Info-Tech Insight

Not all security programs need to be the same. A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

Your challenge

This research is designed to help organizations who are looking to:

  • Determine what and how many resources are needed to support the information security program.
  • Identify the organization's key service offerings and the required resourcing to support delivery of such services.
  • Estimate current staff utilization and required allocations to satisfy future demand for services.

Every organization is unique and will need different security research allocations aligned with their business needs.

“The number of priorities that CISOs have continues to grow, but if everything is a priority, nothing is. It’s important to focus on the ones that deliver the most value to your organization and that are synchronized with the overall business strategy.”

Paige H. Adams

Global CISO at Zurich

Insurance

Source: Proofpoint, 2021

Common obstacles

These barriers make this challenge difficult to address for many organizations:

  • Security leaders sometimes try to cut to the chase and lean on staffing benchmarks to justify their requests for resources. However, while staffing benchmarks are useful for quick peer-to-peer validation and decision making, they tend to reduce security programs down to a set of averages, which can be misleading when used out of context.
  • A more effective approach is to determine what security services need to be provided, the level of demand, and what it will take to meet that demand currently and in the coming years.
  • With these details available, it becomes much easier to predict what roles need to be hired, what skills need to be developed, and whether outsourcing is an option.

Hiring delays and skills gaps can fuel resourcing challenges

59% of organizations report taking 3-6+ months to fill a vacant cybersecurity position.

Source: ISACA, 2020

30% report IT knowledge as the most prevalent skills gap in today’s cybersecurity professionals.

Source: ISACA, 2020

Info-Tech’s methodology for Building a Service-Based Security Resourcing Plan

1. Determine Security Service Portfolio Offerings

2. Plan for Mandatory Versus Discretionary Demand

3. Define Your Resourcing Model

Phase Steps

1 Gather Requirements and Define Roles

1.2 Choose Security Service Offerings

2.1 Assess Demand

3.1 Review Demand Summary

3.2 Develop an Action Plan

Phase Outcomes

Security requirements

Security service portfolio

Service demand estimates

Service hour estimates

Three-year resourcing plan

Stay on top of resourcing demands with a security service portfolio

Security programs should be designed to address unique business needs.

A service-aligned security resourcing strategy will put organizations in the best position to respond to current and future service demands and address business needs as they evolve over time.

Watch out for role creep.

It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.

Time estimates will improve with practice.

It may be difficult to estimate exactly how long it takes to carry out each service at first. But making the effort to time your activities each quarter will help you to improve the accuracy of your estimates incrementally.

Start recruiting well in advance of need.

Security talent can be difficult to come by, so make sure to begin your search for a new hire three to six months before your demand estimates indicate the need will arise.

People and skills are both important.

As the services in your portfolio mature and become more complex, remember to consider the skills you will need to be able to provide that service. Make sure to account for this need in your resource planning and keep in mind that we can only expect so much from one role. Therefore, hiring may be necessary to keep up with the diverse skills your services may require.

Make sure your portfolio reflects reality.

There’s nothing wrong with planning for future state, but we should avoid using the portfolio as a list of goals.

Blueprint deliverable

Use this tool to build your security services portfolio, estimate demand and hours needed, and determine FTE requirements.

The image contains screenshots of the Security Resources Planning Workbook.

Key deliverable:

Security Resources Planning Workbook

The Security Resources Planning Workbook will be used to:

  • Build a security services portfolio.
  • Estimate demand for security services and the efforts to deliver them.
  • Determine full-time equivalent (FTE) requirements for each service.
The image contains a thought model to demonstrate the benchmarks that lead to a one-size-fits-all approach to security.

Blueprint benefits

IT Benefits

Business Benefits

  • Allocate resources more effectively across your security and risk teams.
  • Improve employee engagement and satisfaction with clearly defined job roles, responsibilities, and service levels.
  • Raise the profile of your security team by aligning security service offerings with the demands of the business.
  • Ensure that people, financial, knowledge, and technology resources are appropriately allocated and leveraged across the organization.
  • Improve your organization’s ability to satisfy compliance obligations and reduce information security risk.
  • Increase customer and business stakeholder satisfaction through reliable service delivery.

Measure the value of this blueprint

Use these metrics to realize the value of completing this blueprint.

Metric

Expected Improvement

Level of business satisfaction with IT security

You can expect to see a 20% improvement in your IT Security Business Satisfaction Diagnostic.

Reports on key performance indicators and service level objectives

Expect to see a 40% improvement in security service-related key performance indicators and service level objectives.

Employee engagement scores

You can expect to see approximately a 10% improvement in employee engagement scores.

Changes in rates of voluntary turnover

Anticipating demand and planning resources accordingly will help lower employee turnover rates due to burnout or stress leave by as much as 10%.

47% of cybersecurity professionals said that stress and burnout has become a major issue due to overwork, with most working over 41 hours a week, and some working up to 90.

Source: Security Boulevard, 2021

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Guided Implementation

Workshop

Consulting

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

Phase 1 Phase 2 Phase 3

Call #1: Scope requirements, objectives, and your specific drivers.

Call #2: Discuss roles and duties.

Call #3: Build service portfolio and assign ownership.

Call #4: Estimate required service hours.

Call #5: Review service demand and plan for future state.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 4 to 6 calls over the course of 2 to 3 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com1-888-670-8889

Day 1 Day 2 Day 3 Day 4 Day 5

Define Roles and Select Services

Estimate Current and Future Demand

Identify Required Skills

Future Planning

Next Steps and
Wrap-Up (offsite)

Activities

1.1 Assess Security Needs and Business Pressures.

1.2 Define Security Job Roles.

1.3 Define Security Services and Assign Ownership.

2.1 Estimate Current and Future Demand.

2.2 Review Demand Summary.

2.3 Allocate Resources Where They Are Needed the Most.

3.1 Identify Skills Needed Skills for Planned Initiatives.

3.2 Prioritize Your Skill Requirements.

3.3 Assign Work Roles to the Needs of Your Target Environment.

3.4 Discuss the NICE Cybersecurity Workforce Framework.

3.5 Develop Technical Skill Requirements for Current and Future Work Roles.

4.1 Continue Developing Technical Skill Requirements for Current and Future Work Roles.

4.2 Conduct Current Workforce Skills Assessment.

4.3 Develop a Plan to Acquire Skills.

4.4 Discuss Training and Certification Opportunities for Staff.

4.5 Discuss Next Steps for Closing the Skills Gap.

4.6 Debrief.

5.1 Complete In-Progress Deliverables From Previous Four Days.

5.2 Set Up Review Time for Workshop Deliverables and to Discuss Next steps.

Deliverables
  1. FTE-Hours Calculation
  2. Security Roles Definition
  3. Security Services Portfolio
  1. Demand Estimates
  2. Resourcing Plan
  1. Skills Gap Prioritization Tool
  2. Technical Skills Tool
  1. Technical Skills Tool
  2. Current Workforce Skills Assessment
  3. Skills Development Plan

Phase 1

Determine Security Service Portfolio Offerings

Phase 1

Phase 2

Phase 3

1.1 Gather Requirements and Define Roles

1.2 Choose Security Service Offerings

2.1 Assess Demand

3.1 Determine Resourcing Status

This phase involves the following participants:

  • CISO
  • Core Security Team
  • Business Representative (optional)

Step 1.1

Gather Requirements and Define Roles

Activities

1.1.1 Assess Business Needs and Pressures

1.1.2 Define Security Roles

This step involves the following participants:

  • CISO
  • Core Security Team
  • Business Representative (optional)

Outcomes of this step

  • Security program requirements
  • Security roles definitions

1.1.1 Assess security needs and pressures

1 hour

  1. As a group, brainstorm the security requirements for your organization and any business pressures that exist within your industry (e.g. compliance obligations).
    • To get started, consider examples of typical business pressures on the next slides. Determine how your organization must respond to these points (note: this is not an exhaustive list).
    • You will likely notice that these requirements have already influenced the direction of your security program and the kinds of services it needs to provide to the business side of the organization.
  2. There may be some that have not been well addressed by current service offerings (e.g. current service maturity, under/over definition of a service). Be sure to make a note of these areas and what the current challenge is and use these details in Step 1.2.
  3. Document the results for future use in Step 1.2.1.
Input Output
  • List of key business requirements and industry pressures
  • Prioritized list of security program requirements
Materials Participants
  • Whiteboard
  • Sticky notes
  • CISO
  • Core Security Team
  • Business Representative (optional)

Typical business pressures examples

The security services you will provide to the organization should be based on its unique business requirements and pressures, which will make certain services more applicable than others. Use this exercise to get an idea of what those business drivers might be.

The image contains a screenshot of Typical business pressures examples.

1.1.2 Define security roles

1-2 hours

  1. Using the link below, download the Security Resources Planning Workbook and review the examples provided on the next slide.
  2. On tab 1 (Roles), review the example roles and identify which roles you have within your security team.
    • If necessary, customize the roles and descriptions to match your security team’s current make up.
    • If you have roles within your security team that do not appear in the examples, you can add them to the bottom of the table.
  3. For each role, use columns D-F to indicate how many people (headcount) you have, or plan to have, in that role.
  4. Use columns H-J to indicate how many hours per year each role has available to deliver the services within your service catalog.
Input Output
  • Full-time hours worked per week Weeks worked per year Existing job descriptions/roles
  • Calculated full-time equivalents (FTE) Defined security roles
Materials Participants
  • Security Resources Planning Workbook
  • CISO
  • Core Security Team

Download the Security Resources Planning Workbook

Calculating FTEs and defining security roles

The image contains a screenshot of the workbook demonstrating calculating FTEs and defining security roles.

  1. Start by entering the current and planned headcount for each role
  2. Then enter number of hours each role works per week
  3. Estimate the number of administrative hours (e.g. team meetings, training) per week
  4. Enter the average number of weeks per year that each role is available for service delivery
  5. The tool uses the data from steps 2-4 to calculate the average number of hours each role has for service delivery per year (FTE)

Info-Tech Insight

Watch out for role creep. It may be tempting to assign tasks to the people who already know how to do them, but we should consider which role is most appropriate for each task. If all services are assigned to one or two people, we’ll quickly use up all their time.

Every security program is unique; resourcing allocations should reflect this.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

MEMBER RATING

10.0/10
Overall Impact

$20,799
Average $ Saved

20
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 3-phase advisory process. You'll receive 5 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Determine Security Service Portfolio Offerings
  • Call 1: Scope requirements, objectives, and your specific drivers.

Guided Implementation 2: Plan for Mandatory Versus Discretionary Demand
  • Call 1: Discuss roles and duties.
  • Call 2: Build service portfolio and assign ownership.

Guided Implementation 3: Build Your Resourcing Plan
  • Call 1: Estimate required service hours.
  • Call 2: Review service demand and plan for future state.

Authors

Logan Rohde

Isabelle Hertanto

Contributors

  • George Al-Koura, CISO, Ruby Life
  • Brian Barniner, Head of Decision Science and Analytics, ValueBridge Advisors
  • Tracy Dallaire, CISO / Director of Information Security, McMaster University
  • Ricardo Johnson, Chief Information Security Officer, Citrix
  • Ryan Rodriguez, Senior Manager, Cyber Threat Management, EY
  • Paul Townley, VP Information Security and Personal Technology, Owens Corning
  • 13 Anonymous contributors
Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019