The Inner Circle


Security Benchmark - team size, budget and salary

  • 1.  Security Benchmark - team size, budget and salary

    Posted 30 days ago
    Hey,
    Are there any good benchmark resources for security budget, team size compare to company size or budget, and the salary of security people? I'm supporting a client to build up a security team and would like to provide benchmark data to the C level.

    thanks for your help in advance :)

    ------------------------------
    Marina Hoffmann
    Information Security Officer
    Userlane
    ------------------------------


  • 2.  RE: Security Benchmark - team size, budget and salary

    CSA Instructor
    Posted 29 days ago
    You want to start with their security requirements and the risks/threats they will be exposed to. They won't be exactly the same for every company and every industry. Once you know that, you can define the level of security needed, and then the tools, the people and the skills you need to get there.

    There are some benchmark elements discussed in this article: https://insights.integrity360.com/security-spending , but they only give you trends and average numbers. They may or may not work with your security requirements.

    ------------------------------
    Guillaume Boutisseau
    CCSK Authorized Instructor , CCSP
    ------------------------------



  • 3.  RE: Security Benchmark - team size, budget and salary

    Posted 16 days ago

    Thank you, Guillaume, this is helpful. I'm aware that statistics and trends don't cover individual needs. Otherwise, it's helpful to know the average numbers.



    ------------------------------
    Marina Hoffmann
    Information Security Officer
    Userlane
    ------------------------------



  • 4.  RE: Security Benchmark - team size, budget and salary

    Posted 28 days ago
    Hi
    The correct answer is: benchmarks are not a good idea.
    The short answer would be: 10%.

    And finally, the long answer that explains my two statements (and has some statistics to help you justify it if you wish to go the benchmark way) is in a blog post I wrote some time ago.

    ------------------------------
    Michalis Kamprianis
    Director Cyber Security
    Hexagon Manufacturing Intelligence
    ------------------------------



  • 5.  RE: Security Benchmark - team size, budget and salary

    Posted 15 days ago
    Edited by Nicholas Grove 15 days ago
    @Michalis Kamprianis I meant to say: your blog post was phenomenal. Thanks for your contribution!

    ------------------------------
    CISSP, CISM, CCSP, CCSK, CASP+, et al. | Cybersecurity • Supply Chain • Education | www.linkedin.com/in/nicholasgrove/ | www.nicholasgrove.com
    ------------------------------



  • 6.  RE: Security Benchmark - team size, budget and salary

    Posted 14 days ago
    Agree whole-heartedly about the article @Michalis Kamprianis. Would you say these three considerations are similar for 2022? I would think, yes...

    ------------------------------
    Karen Morad
    Head of marketing
    Secberus
    ------------------------------



  • 7.  RE: Security Benchmark - team size, budget and salary

    Posted 14 days ago
    Karen,
    My statements on what is the appropriate way forward stand, but the numbers don't any more.

    In 2019 the average spend was 10%, in 2020 the average spend was 13%, and in 2021 it is way over 20%.
    The updated report from Hiscox is here.

    If one looks at Statista, you will find a 50% growth since 2019.

    I think it's time for me to write a follow up to this blog post.


    ------------------------------
    Michalis Kamprianis
    Director Cyber Security
    Hexagon Manufacturing Intelligence
    ------------------------------



  • 8.  RE: Security Benchmark - team size, budget and salary

    Posted 14 days ago
    Yes please!

    ------------------------------
    Karen Morad
    Head of Marketing
    Secberus, Inc.
    ------------------------------


  • 9.  RE: Security Benchmark - team size, budget and salary

    Posted 11 days ago
    Interesting. Not sure about your personal experience, but I see that most security teams are highly understaffed, and they will get the budget only if there was a critical data breach.
    I'm just thinking: isn't the Cloud Security Alliance the right place to perform research on it, and maybe start providing a benchmark on it?

    best,
    Marina

    ------------------------------
    Marina Hoffmann
    Information Security Officer
    Userlane
    ------------------------------



  • 10.  RE: Security Benchmark - team size, budget and salary

    Posted 10 days ago
    I guess I will play the spoiler and toss out an unpopular idea. I think most firms spend too MUCH on security and not enough time on proper analysis and long term thinking (move fast and break things).

    Here in California folks are trying to prevent fires to save houses. Of course building wooden structures right next to wooded areas with a long history of droughts now seems crazy in hindsight. So how much should we now budget for fire fighting and mitigation for these houses? How many billions? Trillions? Should we reallocate from education and healthcare to protect the unprotectable until the inevitable occurs? How much is enough to spend on bad decision making habits and myopic short term planning? Insurers are no longer insuring these houses, so that's one indication of the math.

    The way we approach security is like hiring a bunch of firefighters to stand around your wooden house that you build in a drought stricken forest. How many fire fighters are enough? When the blaze comes and the IT house burns anyway, did we not spend enough? Or…should we change how we do things and spend less in the wrong ways and more time/energy/thinking on how to do things the right way?

    I think those who spend less and work smarter will be harder targets. But - spending less and doing nothing to change bad habits is also not going to work - so I guess most will keep buying more tools and hiring more firefighters. At some point the insurers will stop insuring the unprotectable.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 11.  RE: Security Benchmark - team size, budget and salary

    Posted 10 days ago
    Edited by Robert Ficcaglia 10 days ago

    I submit for example:

    https://oversight.house.gov/sites/democrats.oversight.house.gov/files/20211116%20Supplemental%20Memo%20on%20CORs%20Investigation%20into%20Ransomware.pdf

    The CSA controls/guidelines would certainly have helped here, at very low cost and without requiring lots of staff (e.g. requiring MFA, having a checklist for HR off-boarding, and a cron job to remove or completely neuter all inactive accounts, say after >90 days of inactivity).

    All of these, yes, take effort and planning and leadership support from the business to do things securely instead of rewarding short cuts, but not huge budgets.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------
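The inactive-account cron job mentioned in the post above, as an added example that is not code from the post or from any CSA guideline. It runs over a constructed directory export (usernames, dates and account types are all made up) and only produces a dry-run plan; the `usermod -L -e 1` command strings are one Linux idiom for locking an account and are assumed to fit the target system.

```python
"""Flag accounts idle for more than 90 days and plan their lockout (dry run).

Added example for the "neuter inactive accounts" control; all data is constructed.
"""
from datetime import date, timedelta

# Constructed sample directory export. last_login None means the account never logged in.
ACCOUNTS = [
    {"user": "alice",       "created": date(2021, 1, 10), "last_login": date(2021, 11, 2), "type": "human"},
    {"user": "bob",         "created": date(2020, 6, 1),  "last_login": date(2021, 7, 15), "type": "human"},
    {"user": "contractor1", "created": date(2021, 6, 1),  "last_login": None,              "type": "human"},
    {"user": "backup-svc",  "created": date(2019, 1, 1),  "last_login": None,              "type": "service"},
    {"user": "newhire",     "created": date(2021, 10, 20), "last_login": None,             "type": "human"},
]


def stale_accounts(accounts, today, max_idle_days=90):
    """Return (to_disable, to_review): usernames idle longer than max_idle_days.

    A never-used account is judged from its creation date, so an onboarding
    account that HR off-boarding forgot does not slip through. Service accounts
    are listed for review instead of auto-disable, since locking one silently
    can break a production job.
    """
    cutoff = today - timedelta(days=max_idle_days)
    to_disable, to_review = [], []
    for acct in accounts:
        last_activity = acct["last_login"] or acct["created"]
        if last_activity >= cutoff:
            continue  # active within the window
        if acct["type"] == "service":
            to_review.append(acct["user"])
        else:
            to_disable.append(acct["user"])
    return to_disable, to_review


def lockout_plan(accounts, today, max_idle_days=90):
    """Build the commands a cron job would run. Nothing is executed here."""
    to_disable, to_review = stale_accounts(accounts, today, max_idle_days)
    # -L locks the password; -e 1 expires the account so key-based logins stop too.
    commands = [f"usermod -L -e 1 {user}" for user in to_disable]
    notes = [f"REVIEW service account {user} (idle > {max_idle_days} days)" for user in to_review]
    return commands, notes


if __name__ == "__main__":
    cmds, notes = lockout_plan(ACCOUNTS, date(2021, 11, 15))
    print("\n".join(cmds + notes))
```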



  • 12.  RE: Security Benchmark - team size, budget and salary

    Posted 10 days ago
    Edited by Michalis Kamprianis 10 days ago
    My experience is that the security teams I have worked with in the past were mostly understaffed. But this is my experience, I had different sizes of teams, different companies, different regulatory and customer requirements and different operational models in the companies.

    I insist that benchmarks are a bad idea. The reason for that is that every company and situation is different.

    Here is an example of what I mean:
    A company that produces system software sold to the DoD doesn't have monitoring at all (0 cost, 0 resources), a dating site that stores sensitive data (sexual orientation) may have outsourced 24x7 monitoring (some cost, 0 resources), and a restaurant chain has in-house 8x5 personnel to look at alerts (some cost, 1-2 resources).

    Which company gets more value from their investment, which one should raise the investment levels, and which one should reduce them?
    You may be able to answer for these examples, because you have the information such as industry, operational times, security needs etc. But if you remove these parameters and look only at the numbers, you cannot answer right.

    The research is valuable if it has a lot of raw data and that data is analyzed by experts to match to the situation in hand. I believe that it has no value as a statistical number and benchmark.

    Michalis

    ------------------------------
    Michalis Kamprianis
    Director Cyber Security
    Hexagon Manufacturing Intelligence
    ------------------------------