The Inner Circle


Security Benchmark - team size, budget and salary

  • 1.  Security Benchmark - team size, budget and salary

    Posted Oct 27, 2021 07:26:00 AM
    Hey,
    Are there any good benchmark resources for security budget, team size compared to company size or budget, and the salary of security people? I'm supporting a client to build up a security team and would like to provide benchmark data to the C level.

    thanks for your help in advance :)

    ------------------------------
    Marina Hoffmann
    Information Security Officer
    Userlane
    ------------------------------


  • 2.  RE: Security Benchmark - team size, budget and salary

    CSA Instructor
    Posted Oct 28, 2021 01:46:00 PM
    You want to start with their security requirements and the risks/threats they will be exposed to. They won't be exactly the same for every company and every industry. Once you know that, you can define the level of security needed, and then the tools, the people and the skills you need to get there.

    There are some benchmark elements discussed in this article: https://insights.integrity360.com/security-spending , but they only give you trends and average numbers. They may or may not work with your security requirements.

    ------------------------------
    Guillaume Boutisseau
    CCSK Authorized Instructor, CCSP
    ------------------------------



  • 3.  RE: Security Benchmark - team size, budget and salary

    Posted Nov 10, 2021 01:06:00 AM

    Thank you, Guillaume, this is helpful. I'm aware that statistics and trends don't cover individual needs. Otherwise, it's helpful to know the average numbers.



    ------------------------------
    Marina Hoffmann
    Information Security Officer
    Userlane
    ------------------------------



  • 4.  RE: Security Benchmark - team size, budget and salary

    Posted Oct 29, 2021 08:18:00 AM
    Hi,
    The correct answer is: benchmarks are not a good idea.
    The short answer would be: 10%.

    And finally, the long answer that explains my two statements (and has some statistics to help you justify if you wish to go the benchmark way), in a blog post I wrote some time ago.

    ------------------------------
    Michalis Kamprianis
    Director Cyber Security
    Hexagon Manufacturing Intelligence
    ------------------------------



  • 5.  RE: Security Benchmark - team size, budget and salary

    Posted Nov 11, 2021 10:23:00 AM
    Edited by Nicholas Grove Nov 11, 2021 10:23:49 AM
    @Michalis Kamprianis I meant to say, your blog post was phenomenal. Thanks for your contribution!

    ------------------------------
    CISSP, CISM, CCSP, CCSK, CASP+, et al. | Cybersecurity • Supply Chain • Education | www.linkedin.com/in/nicholasgrove/ | www.nicholasgrove.com
    ------------------------------



  • 6.  RE: Security Benchmark - team size, budget and salary

    Posted Nov 12, 2021 07:33:00 AM
    Agree whole-heartedly about the article @Michalis Kamprianis. Would you say these three considerations are similar for 2022? I would think, yes...

    ------------------------------
    Karen Morad
    Head of marketing
    Secberus
    ------------------------------



  • 7.  RE: Security Benchmark - team size, budget and salary

    Posted Nov 12, 2021 07:58:00 AM
    Karen,
    My statements on what is the appropriate way forward stand, but the numbers don't any more.

    In 2019 the average spend was 10%, in 2020 the average spend was 13% and in 2021 it is way over 20%.
    The updated report from Hiscox is here.

    If one looks at Statista, you will find a 50% growth since 2019.

    I think it's time for me to write a follow-up to this blog post.


    ------------------------------
    Michalis Kamprianis
    Director Cyber Security
    Hexagon Manufacturing Intelligence
    ------------------------------



  • 8.  RE: Security Benchmark - team size, budget and salary

    Posted Nov 12, 2021 08:02:00 AM
    Yes please!

    --

    Karen Morad

    Head of Marketing

    Secberus, Inc.

    Helping Companies Gain Confidence in the Cloud

    +1 609-865-5957
    www.secberus.com
    78 SW 7th St, Ste. 800, Miami, FL 33130, USA








  • 9.  RE: Security Benchmark - team size, budget and salary

    Posted Nov 15, 2021 02:32:00 AM
    Interesting, not sure about your personal experience, but I see that most security teams are highly understaffed. And they will get the budget only if there was a critical data breach.
    I'm just thinking: isn't the Cloud Security Alliance the right place to perform research on it and maybe start providing a benchmark on it?

    best,
    Marina

    ------------------------------
    Marina Hoffmann
    Information Security Officer
    Userlane
    ------------------------------



  • 10.  RE: Security Benchmark - team size, budget and salary

    Posted Nov 16, 2021 07:56:00 AM
    I guess I will play the spoiler and toss out an unpopular idea. I think most firms spend too MUCH on security and not enough time on proper analysis and long term thinking (move fast and break things). 

    Here in California folks are trying to prevent fires to save houses. Of course building wooden structures right next to wooded areas with a long history of droughts now seems crazy in hindsight. So how much should we now budget for fire fighting and mitigation for these houses? How many billions? Trillions? Should we reallocate from education and healthcare to protect the unprotectable until the inevitable occurs? How much is enough to spend on bad decision-making habits and myopic short-term planning? Insurers are no longer insuring these houses, so that's one indication of the math.

    The way we approach security is like hiring a bunch of firefighters to stand around your wooden house that you built in a drought-stricken forest. How many firefighters are enough? When the blaze comes and the IT house burns anyway, did we not spend enough? Or… should we change how we do things and spend less in the wrong ways and more time/energy/thinking on how to do things the right way?

    I think those who spend less and work smarter will be harder targets. But spending less and doing nothing to change bad habits is also not going to work, so I guess most will keep buying more tools and hiring more firefighters. At some point the insurers will stop insuring the unprotectable.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 11.  RE: Security Benchmark - team size, budget and salary

    Posted Nov 16, 2021 03:53:00 PM
    Edited by Robert Ficcaglia Nov 16, 2021 03:59:14 PM

    I submit for example:

    https://oversight.house.gov/sites/democrats.oversight.house.gov/files/20211116%20Supplemental%20Memo%20on%20CORs%20Investigation%20into%20Ransomware.pdf

    The CSA controls/guidelines would certainly have helped here, at very low cost and without requiring lots of staff (e.g. requiring MFA, having a checklist for HR off-boarding, and a cron job to remove or completely neuter all inactive accounts, say after >90 days of inactivity).

    All of these, yes, take effort and planning and leadership support from the business to do things securely instead of rewarding shortcuts, but not huge budgets.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 12.  RE: Security Benchmark - team size, budget and salary

    Posted Nov 16, 2021 09:21:00 AM
    Edited by Michalis Kamprianis Feb 08, 2022 05:20:34 PM
    My experience is that the security teams I have worked with in the past were mostly understaffed. But this is my experience, I had different sizes of teams, different companies, different regulatory and customer requirements and different operational models in the companies.

    I insist that benchmarks are a bad idea. The reason for that is that every company and situation is different.

    Here is an example of what I mean:
    A company that produces system software sold to the DoD doesn't have monitoring at all (0 cost, 0 resources), a dating site that stores sensitive data (sexual orientation) may have outsourced 24x7 monitoring (some cost, 0 resources), and a restaurant chain has in-house 8x5 personnel to look at alerts (some cost, 1-2 resources).

    Which company gets more value from their investment, which one should raise the investment levels and which one should reduce them?
    You may be able to answer for these samples, because you have the information such as industry, operational times, security needs etc. But if you remove these parameters and look only at the numbers, you cannot answer correctly.

    The research is valuable if it has a lot of raw data and that data is analyzed by experts to match to the situation in hand. I believe that it has no value as a statistical number and benchmark.

    Michalis

    ------------------------------
    Michalis Kamprianis
    Director Cyber Security
    Hexagon Manufacturing Intelligence
    ------------------------------