CISO metrics: Right sizing and right costing an information security program


In the continuing attempt to prove to the wider world that I’m a desirable hire as a CISO for a Fortune 100 company, I offer the following, and I hope that even if you don’t hire me you get something of use out of the effort. Enjoy —SPL


How much should you be spending on a cybersecurity program within your enterprise? How do you know if you are resource poor or resource heavy? Given a statement of fiduciary requirement, how do you stand behind it? Behind all of these questions stands the view of a quizzical executive: what exactly am I paying for if I’m still getting breached? So, let’s talk about the nexus between a cybersecurity team and risk.

It seems like any time you put real numbers to a problem you have people coming out of the woodwork to poke holes in a generalized statement with anecdotal contrarian views. I’m going to say right up front that some of these numbers are exemplary and will not necessarily add up exactly. I get it, and I understand this is the Internet. This is a really poor way to start out a story about metrics, but I’m all about the different methodologies, and with the understanding that there is a variety of maturity levels within organizations, let’s look at right sizing a security program. We’re engaging in a SWAG (a scientific wild guess) using guesstimates, because nobody reading this can use the actual numbers, but everyone can use the pattern to get to real numbers. Whew… Is that reasonable?

Gartner and others have studied the problem of security metrics and cost containment for the enterprise. Each year they produce reports of what people self-report they are spending.

One area where most writers take a light touch is defining the organizational boundaries between operations and security teams. A pithy way of understanding the difference is business as usual versus exception handling. In some organizations the firewall team is part of the security team. That isn’t necessarily the right way to think of this. A firewall is a general purpose network device that is usually static for traffic it passes and dynamic for traffic it restricts. The exception, and thus the security team’s work, is when you want a new rule put in place, not the care and feeding of the device. Another example is a security information and event management (SIEM) solution. The hardware, software, and patching of the SIEM is operations. The use, deployment, adjustment and tuning of the SIEM is information security.

One reason that operations tasks tend to creep into the security team is mission overreach. That is where the security team has the keys to the kingdom (passwords) and simply short circuits the tasking process and does operations tasks because it is easier. This leads to a fairly expensive security engineer spending time on sometimes menial information technology grunt work. Second, the security team is usually the group who have already had careers in information technology, have been there and done that (BTDT), and may even serve as subject matter experts (SMEs) to the operations team.

Every organization is different and a CISO must understand the way things work, how they should work, and what can be accomplished in controlling mission overlap between information security and operations.

Human-resource-wise there are some great number sources out there. It doesn’t really matter whether you look at one particular report or another. What really matters is baselining the current size of the team against some best practices. We’re going to round figures, so the numbers quoted may be slightly off from the actual documents referenced. Gartner puts security spending at ~6% of IT spending. Of that, Gartner has previously put the security spend at ~20% hardware, ~30% software, ~40% personnel, and ~10% outsourcing. We can start pulling some rabbits out of the hat: take the cost of 100 IT full time employees (FTE), multiply by the ~6% security share, and take ~40% of that for personnel.

That means ~2.5 security FTE per 100 IT FTE (100 × 0.06 × 0.40 ≈ 2.4, assuming a security FTE costs about the same as an IT FTE), but the reported figure is nearly double, at ~5.

Gartner has reported numerous statistics over time from their various IT security surveys. One interesting example shows that, based on one billion dollars in revenue, an organization will have approximately 2600 employees. As you adjust that number to fit your business you have a metric with which to start identifying your organization’s difference from a baseline. The baseline is nothing but a point of comparison within this document. According to Forbes there are nearly 2000 public companies worldwide with over a billion dollars in revenue, and hundreds of private companies.

Consider that the measurements feeding into the metrics applied are highly dependent on where you are in industry maturity and how much of your core mission depends on information technology. Software and Internet companies spend ~8% of revenue on information technology, whereas energy companies are around ~1% according to Gartner. If you look at the costs compared to operating expenses, national governments come in at ~10%, with energy again down in the ~1% area.

A 5% baseline of IT spend, whether against revenue or operating costs, is a good guesstimate.

There are other ways to determine per-employee costs for IT security spending that short cut some of this math. Depending on the industry and its maturity, an information security budget can see anywhere between ~$350 and ~$500 in spend rate per user. There are lots of confounding variables in this particular equation: size of company, maturity of industry, where the company sits on the line between no-tech and high-tech, and how regulated the company is within its industry. These all affect the information security spend per user. Consider that a high tech or high finance company might spend $30K on IT per employee. The 5% security spend per user obviously skews these numbers.


So… a billion-dollar company might have a $50 million information technology budget and $3 million information security budget.

As you adjust these numbers up and down based on your own enterprise’s unique characteristics you’ll find interesting areas. Those areas are usually where the security mission has crept into operations, increasing lost hours and wage time of security teams. The usual criticism I get of the numbers in this methodology is that the real security spend rate is way higher. If you are coming from behind or have failed within the governance realm, it is highly likely the cost is not reflective of actual need. Further, the Gartner numbers reflect industry trends and are subject to the perturbations of fad and fancy. Regulation is the enemy of cost containment, and as it strikes within industries, audit functions are usually layered onto the information security staff. This itself is a poor fit, worthy of an entire book.


If… you have a billion-dollar company, there are on average 2600 employees, who receive IT services from 130 employees, who are serviced by 4 information security personnel.
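To make the pattern above re-runnable with your own inputs, here is a small Python model added as an example; it is not code from the post, nor from Gartner. The defaults are the post’s rounded ratios (2600 employees per $1B revenue, 5% IT spend, 5% of employees in IT, 6% security share of IT spend, 40% of security spend on personnel, ~5 self-reported security FTE per 100 IT FTE). The 25% tolerance band in `posture` and the assumption that a security FTE costs roughly the same as an IT FTE are my assumptions, not figures from the post.

```python
"""Right-sizing calculator for an information security program.

Added example, not code from the original post.  All defaults are the
post's rounded rule-of-thumb ratios; replace them with your own numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Benchmarks:
    employees_per_billion: float = 2600   # headcount per $1B revenue (post's Gartner figure)
    it_spend_ratio: float = 0.05          # IT budget as a share of revenue (post's 5% baseline)
    it_headcount_ratio: float = 0.05      # IT FTE as a share of all employees (2600 -> 130)
    security_spend_of_it: float = 0.06    # security budget as a share of IT budget (~6%)
    personnel_share: float = 0.40         # share of security budget spent on people (~40%)
    reported_sec_per_100_it: float = 5.0  # self-reported security FTE per 100 IT FTE (~5)


def security_band(it_fte: float, b: Benchmarks = Benchmarks()) -> tuple[float, float]:
    """Return (spend-derived, survey-reported) security FTE for a given IT headcount.

    The spend-derived figure expresses the security personnel budget in IT-FTE
    cost units; it assumes a security FTE costs about the same as an IT FTE.
    """
    from_spend = it_fte * b.security_spend_of_it * b.personnel_share
    reported = it_fte * b.reported_sec_per_100_it / 100
    return from_spend, reported


def size_program(revenue_usd: float, b: Benchmarks = Benchmarks()) -> dict:
    """Derive budget and headcount estimates from revenue using the post's ratios."""
    employees = revenue_usd / 1e9 * b.employees_per_billion
    it_budget = revenue_usd * b.it_spend_ratio
    security_budget = it_budget * b.security_spend_of_it
    it_fte = employees * b.it_headcount_ratio
    from_spend, reported = security_band(it_fte, b)
    return {
        "employees": employees,
        "it_budget": it_budget,
        "security_budget": security_budget,
        "security_spend_per_employee": security_budget / employees,
        "it_fte": it_fte,
        "security_fte_from_spend": from_spend,
        "security_fte_reported": reported,
    }


def posture(actual_security_fte: float, band: tuple[float, float],
            tolerance: float = 0.25) -> str:
    """Label a real team size against the spend-derived / reported band.

    More than `tolerance` below the spend-derived figure is "resource poor";
    more than `tolerance` above the reported figure is "resource heavy";
    anything in between is "within band".  The tolerance is an assumption.
    """
    low = band[0] * (1 - tolerance)
    high = band[1] * (1 + tolerance)
    if actual_security_fte < low:
        return "resource poor"
    if actual_security_fte > high:
        return "resource heavy"
    return "within band"


if __name__ == "__main__":
    est = size_program(1e9)  # the post's billion-dollar company
    for key, value in est.items():
        print(f"{key:>28}: {value:,.2f}")
    band = (est["security_fte_from_spend"], est["security_fte_reported"])
    print("security team of 4 at $1B:", posture(4, band))
    # Use actual IT headcount when you have it instead of the revenue-derived one.
    print("50 security FTE against 1200 IT FTE:", posture(50, security_band(1200)))
```

For $1B in revenue the model returns a $50M IT budget, a $3M security budget, 130 IT FTE, and a security headcount between ~3.1 (spend-derived) and ~6.5 (reported), which brackets the post’s figure of 4. When you know your real IT headcount, feed it to `security_band` directly rather than deriving it from revenue, since that is where real organizations diverge most from the baseline.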


In my experience, the information security headcount is where this estimate fluctuates the most. As a real world example, I was CISO of an organization with $20 billion in operations that had 35K employees (slightly above predicted), nearly 1200 information technology FTEs (significantly lower than predicted), and finally a security team of 50 (slightly less than predicted). The real world is determined by lots of outside influences. Understanding the tensions and outside influences on the information security budget is almost as important as understanding the attack surface adversaries operate upon.

Some companies have very small staffs because they outsource everything to a service provider. The budget cost mix ranges fairly widely. As information technology investment comes to include external service providers, in my own experience (I’d like to hear yours) the information security personnel pool increases. Outsourcing means more internal security team members. If you are going to operate a SOC around the clock, you will increase the security team dramatically just for the purpose of scheduling.

Other things, besides cloud providers, managed service providers, and industry maturity, that you might think about as you balance and right size your own security budget include strategic investments and organizational structure. I’ll talk about CISO/CSO reporting and structural points in a future article. The managed service provider conundrum, and the tension over audit and regulatory risk from a CISO-to-CFO standpoint, are also topics for future articles.
