My experience is that the security teams I have worked with in the past were mostly understaffed. But this is my experience; I had different sizes of teams, different companies, different regulatory and customer requirements, and different operational models in the companies.
I insist that benchmarks are a bad idea. The reason for that is that every company and situation is different.
Here is an example of what I mean:
A company that produces system software sold to the DoD doesn't have monitoring at all (0 cost, 0 resources), a dating site that stores sensitive data (sexual orientation) may have outsourced 24x7 (some cost, 0 resources), and a restaurant chain has in-house 8x5 personnel to look at alerts (some cost, 1-2 resources).
Which company gets more value from their investment, which one should raise the investment levels and which one should reduce them?
You may be able to answer for these samples, because you have the information such as industry, operational times, security needs etc. But if you remove these parameters and look only at the numbers, you cannot answer right.
The research is valuable if it has a lot of raw data and that data is analyzed by experts to match the situation at hand. I believe that it has no value as a statistical number and benchmark.
Michalis
------------------------------
Michalis Kamprianis
Director Cyber Security
Hexagon Manufacturing Intelligence
------------------------------
Original Message:
Sent: Nov 15, 2021 02:32:05 AM
From: Marina Hoffmann
Subject: Security Benchmark - team size, budget and salary
Interesting, not sure about your personal experience, but I see that most security teams are highly understaffed. And they will get the budget only if there was a critical data breach.
I'm just thinking - isn't the Cloud Security Alliance the right place to perform research on it and maybe start providing a benchmark on it?
best,
Marina
------------------------------
Marina Hoffmann
Information Security Officer
Userlane
Original Message:
Sent: Nov 12, 2021 07:58:09 AM
From: Michalis Kamprianis
Subject: Security Benchmark - team size, budget and salary
Karen,
my statements on what is the appropriate way forward stand, but the numbers don't any more.
In 2019 the average spend was 10%, in 2020 the average spend was 13% and in 2021, it is way over 20%.
The updated report from Hiscox is here
If one looks at Statista, you will find a 50% growth since 2019.
I think it's time for me to write a follow-up to this blog post.
------------------------------
Michalis Kamprianis
Director Cyber Security
Hexagon Manufacturing Intelligence
Original Message:
Sent: Nov 12, 2021 07:33:01 AM
From: Karen Morad
Subject: Security Benchmark - team size, budget and salary
Agree whole-heartedly about the article @Michalis Kamprianis. Would you say these three considerations are similar for 2022? I would think, yes...
------------------------------
Karen Morad
Head of marketing
Secberus
Original Message:
Sent: Nov 11, 2021 10:22:56 AM
From: Nicholas Grove
Subject: Security Benchmark - team size, budget and salary
@Michalis Kamprianis I meant to say - your blog post was phenomenal. Thanks for your contribution!
------------------------------
CISSP, CISM, CCSP, CCSK, CASP+, et al. | Cybersecurity • Supply Chain • Education | www.linkedin.com/in/nicholasgrove/ | www.nicholasgrove.com
Original Message:
Sent: Oct 29, 2021 08:17:41 AM
From: Michalis Kamprianis
Subject: Security Benchmark - team size, budget and salary
Hi
The correct answer is: benchmarks are not a good idea.
The short answer would be: 10%
And finally, the long answer that explains my two statements (and has some statistics to help you justify if you wish to go the benchmarks way), in a blog post I wrote some time ago.
------------------------------
Michalis Kamprianis
Director Cyber Security
Hexagon Manufacturing Intelligence
Original Message:
Sent: Oct 27, 2021 07:25:44 AM
From: Marina Hoffmann
Subject: Security Benchmark - team size, budget and salary
Hey,
Are there any good benchmark resources for security budget, team size compared to company size or budget, and the salary of security people? I'm supporting a client to build up a security team and would like to provide benchmark data to the C level.
Thanks for your help in advance :)
------------------------------
Marina Hoffmann
Information Security Officer
Userlane
------------------------------