3 Comments

Geoff,

thanks for writing this up. I recently started a new gig about a month ago as CISO for a SaaS software company and this has been something that's been on my mind. Your measurement is based on Engineering size, so I wonder what you mean here when you say Security? Nowadays it's not uncommon for InfoSec to include SecEng/SecOps, GRC and Customer Security. Is that 3%-5% number you mention focused on a SecEng function?


I think about "Security" as an umbrella term for all those functions. I've got a post coming that talks more about what functions and scopes might exist in a "Security" org. But, Yes, I think about all the functions you list as fitting into that 3-5%. Also, Engineering is a term specific to the kind of orgs I've worked in. But, I think you can interpret it more broadly to mean the IT or other Technical Operations part of your organization. YMMV.


Thanks for the article, Geoff. At my company we are right at that inflection point of trying to decide when it makes sense to begin to grow our Security team beyond our first Security Engineer (myself).

I like denoting "Customer Security" as its own skillset. That's much more of an art than a science in my experience.

You mention this in your reply to Anthony, but I'm curious how to think about the growth of security-adjacent teams such as IT and Compliance (that initially fall under the responsibility of the SecEng#1), and when it makes sense to begin to hire dedicated people for those roles.
