Executives and Boards across industries have identified cybersecurity as one of their top concerns. This is understandable because of the increasing number of recent ransomware attacks, security breaches, and privacy incidents. The consequences of these security breaches are significant but developing solutions to address breaches is often the first hurdle.
Executives may start by asking if they have the right number of people with the appropriate skills required to build a robust security program. A logical reaction is to look to peer organizations because staffing benchmarks for IT departments have been used with success. Unfortunately, there is not enough credible benchmarking data to use for the cybersecurity community and the numbers that do exist contain misleading assumptions. When those numbers are taken out of context, the results can lead to understaffing, which is ultimately a major contributor to the security gaps facing industries across the globe.
Five Missteps to Avoid
There are five missteps of security benchmarking that must be recognized before organizations can determine an appropriate level of security staffing. The first misstep is to falsely assume that cybersecurity professionals are ubiquitous and interchangeable. In reality, cybersecurity professionals have specialties and work in different disciplines. This specialization has evolved over the years to leverage advances in knowledge and technology. The proliferation of advanced security tools and the complexity of implementing security controls requires new skills. These skills only come with specialized training and an investment of time and resources.
The second misstep is falsely assuming that an organization’s size can be used as a linear determinant for appropriate security staff levels. Because of specialization, all security functions must be performed regardless of the organization’s size, therefore even small companies require a minimum number of security staff. Using healthcare as an example, hospitals have long understood they must keep a mix of healthcare staff specialties regardless of the number of licensed beds. All positions such as physicians, nurses, radiology technicians, and laboratory specialists must be filled, even if comparable benchmarking ratios drop below a full-time position for small organizations. The same is true with security professionals – certain positions must be filled even for small organizations.
The third misstep is assuming all staffing models are applicable, even when bridging different industries. Take healthcare’s lessons learned from making this mistake as an example. Healthcare security professionals must implement unique controls that are designed for a specialized threat spectrum and risks. In addition, the regulatory complexity in healthcare is different from other sectors, which requires specific skills. For example, biomedical devices introduce some very different security challenges. These devices often have life cycles exceeding 15 or more years, may be hampered with very few patch and vulnerability management options, and can’t be actively scanned due to an unacceptable risk of causing a Sentinel Event (e.g. patient safety). The banking and finance sector would never permit customers to have unescorted access to computer assets; however, hospitals must routinely leave patients and family in treatment rooms full of biomedical equipment that, in many instances, do not require log-on credentials. Therefore, benchmarks from the financial sector will not address the diverse complexity needed for healthcare.
The fourth misstep is assuming it takes the same amount of staff to build a security management program as it does to manage a mature organization — therefore any comparison would require knowing the “security maturity” of the organization being used for the benchmark comparison. It’s important to recognize the different skill sets between builders and operators, then acknowledge that some who are great builders (e.g. security architects) may not be happy in an ongoing support role (e.g. security operations) for a long period of time. It is important to select a benchmarking target that is the same maturity in order to accurately assess the security program’s staffing needs.
The final and most important misstep to avoid is making a false assumption that other, similar businesses are performing well, and then using those other organizations’ staffing levels as a basis for comparison. In reality, it can be difficult to get a transparent, accurate read on the cybersecurity posture of another organization. Therefore, benchmarking security staffing against an organization that may be failing is a recipe for disaster.
An Improved Approach
So how does one build a staffing model correctly? From the bottom up! Start by identifying the major control groups of the entire security department. In the case of healthcare, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule lays out these major groups as follows:
- Security (and risk) management
- Workforce security (onboarding, awareness, & training)
- Incident management
- Contingency planning, including business continuity management
- Security audit and compliance
- Vendor management
- Physical security
- Physical asset management (including disposal)
- Access controls (includes vulnerability and patch management)
- Policy and procedures
Not all organizations have the resources to adopt this target organizational structure, so it will be necessary for individuals to assume multiple responsibilities. Not all organizations will face the same risks across all areas, either. Staffing models should reflect not only the IT security needs of the organization but the specific risks and threats it faces while recognizing the risk levels that management may agree to accept. Executives must balance the organizational resource limitations with the risk associated with assigning responsibility above the individuals’ skill sets.
Executives seeking to build a mature security management team should first focus on addressing the highest risks. Every risk should have a corresponding plan of action that identifies both the technology and staffing needed to reduce the risks to a level acceptable to the Board or leadership team.
About the author: Clyde Hewitt is Vice President of Security Strategy for CynergisTek and a regular cybersecurity contributor to Securityinfowatch.com.
