Are there best practices or staffing models available to assist with setting up a team specific to the management, tracking, compliance and reporting of identified risks and issues? I.e., what's the right ratio of people to identified issues to properly manage those items to completion?
Chief Information Security Officer in Healthcare and Biotech, 7 months ago

The ratio of people to identified issues depends on the size and complexity of the business, the nature of the industry, and the level of risk appetite. Organizations should try to achieve a balance between the resource requirements to address the identified problems in a timely manner and efficiency and cost-effectiveness.

CIO in IT Services, 7 months ago
Typically, I'll use a 10-15% ratio against revenue for staffing needs (overall team size). Depending on the size of the company, the number of staff will adjust from this starting point. The CISO also needs to consider the organization's cyber maturity score, the tools that have been implemented, their compliance needs and their incident response rates. There is no hard and fast rule here; it's a combination of people, process and technology that lends itself to obtaining the right answer on how to staff.