
Is Your Security Program Appropriately Staffed? How to Assess and Right-Size Your Team
Published On April 9, 2025
by Bethany Page Ishii
Organizations across industries grapple with the challenge of ensuring their security programs are adequately staffed to counter evolving threats. While the NIST Cybersecurity Framework (CSF) raises the question of whether security teams are appropriately sized, it falls short of providing concrete guidance on how to evaluate and determine the optimal level of staffing.
At Meditology, we address this gap with a hybrid approach to security staffing assessments. By combining benchmarking data, staffing ratios, and the results of a security risk assessment, we provide a comprehensive analysis and actionable recommendations tailored to your organization.

In this blog, I’ll discuss how organizations can adopt a structured, data-driven approach to measuring whether their security team is properly staffed.
1. Benchmarking Security Staffing Against Industry Standards
One of the most practical ways to assess the size of your security team is to compare your team size to industry benchmarks. Various industry sources and security workforce studies offer insights into the average number of security personnel per organization size, industry, and regulatory requirements.
For example:
- Healthcare organizations typically have one security full-time equivalent (FTE) per a specific number of employees or active users.
- Financial services firms may maintain a higher security staffing ratio due to strict regulatory requirements and low risk tolerance.
- Smaller organizations frequently rely heavily on outsourced security functions.
While these benchmarks provide useful context, they should not be viewed in isolation. Factors such as your organization’s risk profile, security maturity, and reliance on external vendors must be considered to ensure a well-rounded assessment.
2. Assessing Staffing Ratios and Responsibilities
Beyond benchmarking, analyzing staffing ratios within your security program helps determine whether critical roles are adequately covered.
Key areas to consider include:
- Security Operations: Do you have enough analysts to effectively monitor and respond to threats based on the volume of alerts?
- Risk and Compliance: Is your team adequately staffed to both handle regulatory requirements and manage third-party risks?
- Identity and Access Management: Does your team have sufficient bandwidth to manage user provisioning, conduct role reviews, and perform security monitoring?
- Security Engineering and Architecture: Do you have adequate resources to support secure system design and maintain cloud security?
It’s also important to recognize that security responsibilities may be distributed across other departments, for example IT teams managing endpoint security or compliance teams overseeing risk assessments. While a high-level staffing ratio comparison provides useful insights, organizations should also map where security functions reside to uncover potential gaps in coverage.
3. Conducting a Security Risk Assessment to Identify Gaps and Align Staffing with Risk Exposure
A security risk assessment provides a critical reality check for your organization. Even if your staffing ratios align with industry standards, are there vulnerabilities in your security posture that are not addressed?
Key areas to evaluate include:
- Team structure: Are critical security functions understaffed or over-reliant on a single individual?
- Incident response times: Can your security team effectively investigate and respond to threats in a timely manner?
- Compliance and risk management: Are there recurring gaps in compliance audits, regulatory requirements, or risk assessments as a result of inadequate resources?
- Operational effectiveness: Are key security initiatives (such as vulnerability management or security awareness training) successfully implemented, or have they been hindered by resource limitations?
By aligning security staffing recommendations with actual risk exposure and operational performance, organizations can build a strong business case for new investments or identify opportunities to restructure existing roles, ensuring a more resilient and effective security strategy.
4. High-Level Staffing Analysis versus a Comprehensive Organizational Review
A high-level staffing analysis offers valuable insights into overall resourcing of security teams, often benchmarking factors such as organization size, security budget, and balancing outsourcing with in-house capabilities. However, this approach may overlook the complexities of how security functions are integrated within the organization.
To gain a more thorough understanding, organizations should evaluate key areas, including:
- The placement of security functions (e.g., within IT, compliance, or a dedicated security team).
- Role coverage and skill gaps (e.g., whether critical roles like security architects, incident responders, or risk managers are adequately staffed).
- Reliance on outsourced services (e.g., MSSPs, vCISO, or third-party risk management providers).
While our Security Risk Assessment (SRA) typically delivers a high-level security staffing analysis, it can be expanded into a deeper evaluation of personnel gaps, organizational structure, and role coverage, ensuring no critical area is overlooked.
5. Beyond the Numbers: Aligning Staffing with Security Program Structure
An effective security staffing analysis goes beyond numbers and considers how security is structured within the organization. Instead of simply asking, “Do we have enough security personnel?” organizations should consider key questions like:
- Are key security leadership positions (CISO, Security Architect, Risk Manager) properly filled?
- Do we have the right roles in place to address current and future security needs?
- Are security responsibilities clearly defined and distributed across teams?
- Are there gaps in coverage that increase risk exposure?
- Does the security team have a direct line to executive leadership, or is it buried under IT?
- Are outsourced security functions effectively managed to ensure accountability and performance?
A thorough staffing assessment should combine both quantitative metrics and qualitative insights. This ensures the team is appropriately staffed and that it is strategically structured to meet the organization’s security needs while minimizing risk.
Final Thoughts: Right-Sizing Your Security Program
There is no one-size-fits-all formula to determine the perfect security team size. However, by leveraging benchmarking data, staffing ratios, and security risk assessments, organizations can develop a data-driven strategy for right-sizing their security team. While high-level comparisons provide valuable insights, a deeper analysis of security roles, responsibilities, and program maturity is crucial to ensure the organization is truly prepared to safeguard its assets.
At Meditology, we help organizations assess and optimize their security staffing to align with both risk profile and business objectives. By taking a holistic approach, we ensure security teams are positioned to meet compliance requirements and to effectively combat real-world threats.
About the Author
Bethany Page Ishii | Senior Director, Cybersecurity & IT Risk Management
Bethany Page Ishii is a seasoned cybersecurity and risk management executive with 15 years of experience. Her expertise spans security consulting, operational leadership, and customer success, making her uniquely equipped to deliver comprehensive solutions that align strategic vision with practical execution. With a decade of consulting under her belt, Bethany led the firm’s Validation Service Line, overseeing Security Risk Assessments, HITRUST certifications, Privacy Assessments and SOC 2 attestation efforts. Bethany also served as a CISO for five years, where she directed data security and threat response activities. Her approach marries practitioner experience, consulting insight, and a focus on client relationships to drive success across a variety of security disciplines.