Are there best practices or staffing models available to assist with setting up a team specific to the management, tracking, compliance and reporting of identified risks and issues? I.e., what's the right ratio of people to identified issues to properly manage those items to completion?

CIO in IT Services, 2 years ago

Typically, I'll use a 10-15% ratio against revenue for staffing needs (overall team size). Depending on the size of the company, the number of staff will adjust from this starting point. The CISO also needs to consider the organization's cyber maturity score, the tools that have been implemented, their compliance needs and their incident response rates. There is no hard and fast rule here - it's a combination of people, process and technology that lends itself to obtaining the right answer on how to staff.

Chief Information Security Officer in Healthcare and Biotech, 2 years ago

The ratio of people to identified issues depends on the size and complexity of the business, the nature of the industry, and the level of risk appetite. Organizations should try to achieve a balance between the resource requirements to attend to the identified problems in a timely manner and efficiency and cost-effectiveness.
