Author
Nick DiVito
Published
Review status
Current / Reviewed Jul 12, 2026
Executive summary
Cybersecurity capacity planning is the process of deciding how much security work the business actually needs, who should do that work, what should be handled by IT, what should be handled by security, what should be funded by the business unit creating the demand, and where leadership is accepting risk because capacity is limited.
It is not only a staffing exercise.
It is not only a budget exercise.
It is not a formula where a company spends a fixed percentage of IT budget and calls the result mature.
A useful capacity plan answers practical questions:
- What security work is required to keep the business operating safely?
- What work is discretionary, project-based, customer-driven, regulatory, or tied to growth?
- Which responsibilities belong to IT operations, security leadership, legal, privacy, HR, finance, product, engineering, facilities, OT, or the business owner?
- What level of response should the company expect during normal operations, growth projects, audit season, customer questionnaires, incidents, and acquisitions?
- Which roles require senior judgment, which roles require execution capacity, and which roles can be outsourced?
- Which costs are true cybersecurity costs, which are IT platform costs, and which are business-project costs being incorrectly pushed into security?
- When does the company need a part-time advisor, a named security owner, a full-time security lead, a CISO, a small security team, or a specialized security organization?
This matters because security teams often fail in two opposite ways.
Some companies underbuild. They buy tools, assign security to an already overloaded IT person, assume an MSP is handling it, and only discover the gap during an incident, insurance renewal, customer review, CMMC readiness effort, acquisition, or board discussion.
Other companies overreact. They copy an enterprise org chart, buy tools without owners, hire roles before the operating model is clear, and create administrative drag without reducing the risks that matter.
The right answer is usually less dramatic and more disciplined.
Start with the work. Separate recurring operations from project demand, compliance evidence, risk decisions, incident readiness, customer requirements, and executive advisory work. Map ownership. Identify the skills required. Decide which work is internal, which work is shared with IT, which work belongs to a vendor, and which work requires leadership judgment. Fund the work where the demand actually lives.
A CISO, or a fractional CISO for companies that do not need a full-time executive, should make that model explicit. The job is not to collect every cybersecurity expense into one budget and then apologize for the total. The job is to help leadership see the real demand, the available capacity, the tradeoffs, and the consequences of underfunding or misallocating the work.
Capacity planning is a CISO discipline
Cybersecurity capacity planning belongs in security leadership because it connects risk, operations, budget, people, vendors, and executive decision-making.
A ticket queue can show workload. A budget spreadsheet can show spend. An org chart can show reporting lines. None of those prove the business has enough capacity to manage cyber risk.
Capacity planning asks a larger question: can the organization do the security work it has implicitly promised to do?
That promise may come from customer contracts, insurance applications, regulatory obligations, CMMC or NIST 800-171 readiness, GLBA safeguards work, SEC-facing governance expectations, board oversight, bank requirements, vendor due diligence, product commitments, privacy obligations, internal policy, or basic operational need.
If the company says it reviews access, monitors security events, responds to incidents, maintains backups, approves vendors, protects sensitive data, manages endpoint controls, documents exceptions, trains employees, reviews cloud configurations, supports audits, and performs risk assessments, then those words require time, skill, budget, and ownership.
NIST's Cybersecurity Framework 2.0 is useful here because it does not treat cybersecurity as only a technical control set. It includes governance, roles, responsibilities, oversight, risk management strategy, and policy as part of the work. That framing is important. A company cannot capacity-plan security well if leadership treats governance as something separate from the people doing the work.
NIST IR 8286 Revision 1 makes the same point from the risk side. Cyber risk needs to be understood in the context of mission and business objectives, and risk information needs to move from systems and organizations up to enterprise decision-making. That is exactly where capacity planning sits. It tells leadership what risks are being reduced, what risks are waiting behind limited capacity, and what decisions need funding or acceptance.
A CISO should not be measured only by whether the security budget increased or decreased. A useful CISO capacity plan should make the work legible enough that leadership can make deliberate choices instead of accidental ones.
What cybersecurity capacity actually includes
A company that says "we need more security people" may be right, but the sentence is incomplete.
More capacity for what?
Cybersecurity work usually falls into five buckets.
Run work
Run work is recurring security operation. It keeps the environment from drifting into avoidable weakness.
Examples include access review, MFA enforcement, endpoint coverage checks, logging review, alert triage, vulnerability review, patch governance, vendor access review, backup verification, security awareness, phishing reporting, exception tracking, configuration baselines, secure onboarding and offboarding, and evidence collection.
Some of this work overlaps with IT. That does not make it optional security work. If nobody checks whether privileged accounts still belong to active employees and vendors, the fact that the identity platform is "an IT system" does not reduce the risk.
Change work
Change work is project demand. It happens when the business adds a system, replaces a system, opens a location, launches a product, migrates to cloud, adds a vendor, creates a customer portal, changes remote access, starts using a new data type, or modifies a production environment.
This work is easy to underestimate because security involvement often appears late. The business thinks it is buying a CRM, HR platform, ERP module, manufacturing application, payroll tool, marketing platform, or developer service. Security sees identity integration, data classification, access roles, logging, vendor review, contract terms, backup implications, incident contacts, admin rights, and retention decisions.
When change work is not capacity-planned, security becomes either a blocker at the end or a rubber stamp at the beginning.
Assurance work
Assurance work is the evidence layer. It includes customer questionnaires, cyber insurance applications, policy updates, control evidence, audit support, CMMC readiness, vendor due diligence responses, third-party risk responses, board reporting, risk register updates, tabletop exercises, and control testing.
Assurance work is often treated as paperwork. That is a mistake.
Bad evidence creates business risk. A company that cannot support its security claims may lose a customer opportunity, weaken an acquisition process, create insurance trouble, or discover during an incident that the control existed only as a sentence in a policy.
The risk register guide is one way to keep this work tied to decisions instead of letting it become a document pile.
Incident capacity
Incident work is not normal queue work with a different label. It is surge demand.
NIST SP 800-61 Revision 3 focuses incident response on preparation, impact reduction, detection, response, and recovery. That matters for capacity planning because incidents consume people across IT, security, legal, communications, HR, finance, executives, vendors, and sometimes customers.
If every IT and security person is already planned at 100 percent utilization, the company has no incident capacity. It has a calendar that will collapse the moment something breaks.
A company does not need a large internal incident response team to plan responsibly. It does need an incident owner, a response process, logging that can answer basic questions, backups that have been tested, vendor contacts, escalation paths, communications discipline, and reserved capacity for exercises and recovery planning.
Leadership and advisory work
Leadership work is where many capacity plans miss the mark.
Security leadership includes prioritizing risk, advising executives, setting standards, reviewing exceptions, shaping budget, deciding which vendors are appropriate, translating technical findings into business impact, coordinating with counsel and insurance, supporting customer trust, and explaining what the company is accepting when it defers work.
A junior analyst cannot carry that accountability just because they are the first person in the security seat.
A strong engineer may not be the right person to explain risk appetite to the board, negotiate security obligations in customer commitments, or decide whether a gap is tolerable before an acquisition closes.
That does not mean every company needs a full-time CISO. It does mean every company needs access to CISO-level judgment when security decisions affect money, customers, operations, compliance, or leadership accountability.
Where cybersecurity overlaps with IT
Cybersecurity and IT overlap because they touch the same systems.
That overlap is real. Ignoring it creates duplicate tools, unclear ownership, frustrated staff, and arguments that waste executive time.
The cleaner model is this:
- IT owns stable operation of technology platforms.
- Cybersecurity owns security requirements, risk prioritization, control validation, incident coordination, and security governance.
- Business owners own the data, process, and risk decisions tied to their function.
- Leadership owns risk appetite, funding, and acceptance.
The exact RACI will vary, but the pattern should be explicit.
Identity is a common example. IT may own Microsoft 365, Entra ID, Google Workspace, Okta, endpoint accounts, group creation, and user lifecycle execution. Security should define privileged access rules, MFA expectations, access review cadence, break-glass account handling, logging requirements, and exception rules. HR and managers must supply accurate joiner, mover, and leaver information. Executives must decide how much friction the company will tolerate for stronger controls.
Endpoint management is similar. IT may own laptop imaging, patch deployment, help desk support, device replacement, and endpoint management tooling. Security should define the baseline, monitor control coverage, review exceptions, track risk from unsupported systems, and make sure endpoint telemetry supports incident response.
Backups are another shared area. IT usually owns backup platforms, scheduling, restore testing, and infrastructure. Security should define ransomware-relevant expectations, privileged access separation, logging, restore evidence, recovery prioritization, and incident playbook integration. The business should define which systems must recover first.
The overlap gets harder in cloud, SaaS, DevOps, OT, and line-of-business systems. A business unit may buy the tool, IT may integrate identity, a vendor may administer it, security may review the risk, and finance may own the contract. If the operating model does not name owners, everyone assumes someone else is watching the important part.
That is how access sprawl, data sprawl, and tool sprawl happen.
Where cybersecurity does not overlap with IT
Cybersecurity is not a catch-all budget for every uncomfortable technology problem.
Security can advise. Security can set requirements. Security can identify risk. Security can verify controls. Security can coordinate response. But many costs that touch security should not automatically be charged to the security or IT budget.
Here is the practical distinction.
A cost belongs in cybersecurity when the primary purpose is security governance, control operation, risk reduction, monitoring, detection, response, assurance, security engineering, security architecture, or security leadership.
A cost belongs in IT when the primary purpose is operating the technology environment: endpoints, networks, identity platforms, productivity suites, infrastructure, help desk, backups, business application administration, and normal lifecycle management.
A cost belongs in the business project when the business is creating the demand. If sales buys a customer engagement platform, manufacturing adds a production system, finance replaces ERP, HR changes payroll, or product launches a portal, the security work needed to review, configure, integrate, and evidence that change is part of the project cost. It should not appear later as a surprise drain on the security budget.
A cost belongs in legal, privacy, or compliance when the primary work is legal interpretation, contract drafting, privacy notice work, regulatory filing, employment action, or audit independence. Security may provide technical facts. It should not silently inherit a lawyer's job, an auditor's independence requirement, or a compliance department's entire evidence program.
Some costs are shared. That is normal. Shared does not mean ownerless.
The problem starts when every group with a messy technology decision says, "charge it to cyber." That hides the real cost of business decisions and makes the security budget look inflated.
Common examples include:
- A business unit buys software without security review, then charges remediation to security.
- A cloud migration is underfunded, then security is expected to absorb logging, architecture review, IAM cleanup, and data protection work.
- A customer contract requires evidence the sales team promised before checking whether the company can produce it.
- An insurance application exposes missing controls, then leadership treats the security budget as the only place remediation can live.
- An ERP, CRM, or HR system has messy roles, shared accounts, and weak approval workflows, then the cleanup is called a cybersecurity expense instead of system governance debt.
- A product team stores sensitive data in ways that create customer and legal exposure, then asks security to "fix compliance."
- A plant or operations team modernizes OT connectivity without funding segmentation, logging, remote access governance, and support.
Cybersecurity capacity planning should make these charge lines visible.
A CISO should be able to say: this security tool is ours, this identity platform is IT's, this access cleanup belongs to the ERP owner, this customer questionnaire is sales-driven assurance work, this CMMC evidence effort is a contract-readiness cost, and this incident response retainer is an enterprise risk expense.
That is not internal politics. It is accurate accounting for demand.
The CISO's job in capacity planning
The CISO's job is to turn security demand into an operating model leadership can understand.
That includes six responsibilities.
Define the service catalog
A service catalog explains what the security function does.
It should be plain enough for executives and specific enough for IT, finance, legal, and business owners. It might include security advisory, access governance, vendor security review, security architecture review, policy and standards, incident coordination, vulnerability governance, logging and detection, risk register management, executive reporting, customer assurance, CMMC readiness support, tabletop exercises, and security awareness.
It should also say what security does not do.
Security does not own every system. Security does not own every vendor relationship. Security does not own business data classification decisions without the business. Security does not approve risk in place of leadership. Security does not become the dumping ground for every delayed IT project.
Set intake rules
Capacity planning fails when work enters through side doors.
Security needs an intake path for new vendors, customer questionnaires, project reviews, exceptions, access concerns, risk decisions, incident reports, and executive requests. It does not need bureaucracy for its own sake. It needs a way to see demand before the deadline is tomorrow.
Intake should capture who is asking, why it matters, what business process is affected, what data is involved, what deadline exists, what decision is needed, and who owns the business outcome.
Map accountability
A RACI is only useful if it matches real authority.
Security can recommend that privileged access be limited. If HR cannot force timely offboarding, IT cannot remove access without manager approval, and executives tolerate exceptions forever, the RACI is decorative.
A CISO should expose those gaps. If the company wants security outcomes, the operating model must give someone authority to require the behavior.
Tie capacity to risk
Capacity is not equal to busyness.
A team can work long hours on low-value tasks and still leave the biggest risks untouched. The CISO should connect capacity decisions to the risk management program, the risk register, customer obligations, incident history, business strategy, and regulatory exposure.
If leadership funds one additional role, what risk reduces? If leadership delays a role, what risk remains? If a vendor replaces internal hiring, what responsibilities still stay inside the company?
Build the talent model
Security talent is not interchangeable.
Governance, risk, and compliance work is different from security engineering. Incident response is different from policy writing. Cloud security is different from endpoint administration. OT security is different from SaaS review. Security architecture is different from alert triage.
The NICE Framework is helpful because it describes cybersecurity work in terms of tasks, knowledge, and skills rather than vague job titles. That is the right mindset for capacity planning. Do not start with "hire a security person." Start with the work that needs to be done and the skill level needed to do it responsibly.
Present decision-ready options
Leadership rarely needs a single perfect plan. It needs credible options.
A CISO capacity plan should usually show at least three paths:
- Minimum viable: the lowest defensible model that covers critical risk and obligations.
- Right-sized: the recommended model based on business risk, growth, customer expectations, and current maturity.
- Accelerated: the model for faster growth, regulated expansion, M&A, heavy customer assurance, CMMC pressure, or known risk reduction.
Each option should name the cost, capacity, assumptions, risks reduced, risks accepted, and timing.
The artifacts that make capacity real
Capacity planning becomes useful when it produces artifacts people can act on.
These do not need to be complicated. They do need to be maintained.
Work demand register
A work demand register is not the same as a risk register. It tracks the work security is being asked to support.
Useful fields include request type, requester, business owner, deadline, impacted systems, data involved, required decision, estimated effort, assigned owner, dependency, status, and whether the work is funded as cyber, IT, business project, or shared.
This document helps leadership see why the security team feels overloaded. It also shows which business functions are creating security demand.
Security service catalog
The service catalog defines expected services and service levels.
For example, vendor security review might have a normal turnaround of ten business days once the requester supplies the required facts. Incident escalation may have an immediate path. Customer questionnaires may require sales to provide renewal value, deadline, contract context, and prior commitments before security starts. New system reviews may require architecture, data type, user roles, vendor access, and integration details.
Service levels prevent every request from becoming an emergency.
Ownership map
The ownership map names who owns systems, data, decisions, evidence, and risk acceptance.
This is where cyber and IT overlap gets disciplined. The map should cover identity, endpoints, email, backups, network, cloud, SaaS applications, logging, remote access, admin accounts, data repositories, customer evidence, vendor review, incident communication, and policy exceptions.
Budget ownership map
The budget map separates security-owned costs, IT platform costs, business-project costs, shared enterprise risk costs, and compliance or legal costs.
This is especially important for smaller and mid-sized companies where the same few people may do the work. Even if the same person executes tasks, the funding source should still reflect why the work exists.
Talent and skills map
The talent map lists the capabilities required, current internal capacity, vendor capacity, skill gaps, single points of failure, and succession risk.
This should include more than job titles. It should identify whether the company has access to executive security judgment, hands-on security engineering, IAM expertise, cloud review, incident response, GRC work, vendor review, OT knowledge, and customer assurance support.
Incident reserve
A capacity plan should reserve time for incidents, exercises, urgent customer requests, security exceptions, and unexpected risk review.
A team planned at 100 percent utilization is already over capacity.
Incident reserve does not mean idle staff. It means the roadmap is not built on the fantasy that nothing urgent will happen.
Twelve-month roadmap
The roadmap should connect capacity to outcomes.
A good roadmap does not say "implement security." It says which capabilities will be built, which controls will improve, which risks will reduce, which evidence will become reliable, which vendors will be reviewed, which projects require support, and which decisions need executive input.
For smaller businesses, this can be a simple quarterly plan. For larger organizations, it may become a portfolio with dependencies, staffing, project budget, and risk acceptance.
Team sizing by company stage
There is no universal staffing ratio that works for every company.
A 90-person software company with sensitive customer data, cloud infrastructure, enterprise buyers, and rapid release cycles may need more security leadership than a 300-person local services company with simpler systems. A 200-person manufacturer with CUI, OT connectivity, remote access, and customer flowdowns may need more structured security capacity than a larger company with lower obligation and lower technical complexity.
Triggers matter more than employee count.
Still, company size gives a starting point.
1 to 50 employees
At this stage, security capacity is usually leadership, discipline, and basic controls.
The company may not need a full-time security hire. It does need someone accountable for security decisions, an IT or MSP partner that executes reliably, and access to senior security judgment when decisions matter.
The practical model is often:
- Business owner or operations leader accountable for security decisions.
- IT provider or internal IT generalist for endpoint, identity, backup, and support execution.
- Fractional CISO or advisor for roadmap, risk prioritization, vendor review, policy, incident preparation, and executive decisions.
- Outsourced services where needed, such as managed endpoint protection, backup support, or MDR if the environment justifies it.
The priority is not an enterprise security department. The priority is getting the basics owned early: identity, MFA, device management, backups, data location, admin rights, vendor access, recovery contacts, and a small risk register.
This is where a minimal relationship with an advisor can prevent years of expensive cleanup. Access patterns, file sprawl, unmanaged admin accounts, vendor shortcuts, and data commingling become much harder to unwind later.
50 to 250 employees
This is where informal security starts breaking.
The company has more systems, more employees, more vendors, more customer questions, and more exceptions. IT may be busy keeping the business running. Security work gets delayed because it is nobody's full-time job.
The practical model is often:
- Named internal security owner, even if not a full-time CISO.
- MSP or IT lead with explicit security responsibilities.
- Fractional CISO or vCISO for governance, roadmap, risk decisions, leadership reporting, vendor review, and customer assurance.
- Outsourced detection, incident response retainer, or security engineering support where internal coverage is weak.
The company should have a service catalog, access review rhythm, vendor review process, incident plan, security roadmap, policy set, and evidence library.
If the company is pursuing CMMC, handling CUI, selling into regulated customers, processing sensitive consumer data, or depending heavily on SaaS and cloud systems, it may need more structure earlier. The CMMC readiness work alone can create evidence and governance demand that casual ownership will not absorb.
250 to 750 employees
At this stage, security usually needs dedicated management capacity.
The company is large enough that access changes, vendor reviews, customer questionnaires, projects, endpoint coverage, cloud review, vulnerability governance, training, incident preparation, and evidence work become recurring demand.
The practical model is often:
- Security manager, director, or full-time lead.
- Fractional or full-time CISO depending on risk, regulation, board expectations, customer pressure, and growth.
- Security engineer or IT security engineer for hands-on control work.
- GRC or assurance support for policy, evidence, customer questionnaires, vendor reviews, and risk register maintenance.
- Outsourced MDR, penetration testing, incident response, cloud review, or specialist support as needed.
The mistake at this stage is hiring one person and expecting them to be executive advisor, engineer, SOC analyst, GRC lead, auditor, trainer, architect, incident commander, and help desk escalation point.
That is not a role. That is a burnout plan.
750 to 2,000 employees
At this stage, the company usually needs a clearer security function.
The practical model may include:
- CISO, director of security, or senior security leader with executive access.
- Security operations owner for detection, response, vulnerability governance, and incident coordination.
- Security engineer for endpoint, identity, cloud, logging, and control improvement.
- GRC lead for policy, risk, compliance evidence, third-party risk, and customer assurance.
- IAM, cloud, application security, or OT specialist capacity depending on environment.
- Vendor support for 24/7 monitoring, incident response, testing, and specialized engineering.
The CISO's capacity-planning job becomes less about proving security should exist and more about preventing fragmentation. Tool owners, architects, IT operations, engineering, audit, legal, privacy, and business units all create demand. Without a service catalog and portfolio discipline, security gets pulled into every meeting and still misses the work that matters.
2,000 employees and above, or high-complexity environments
Larger or highly regulated organizations need specialization.
They may require separate owners for security operations, incident response, threat and vulnerability management, IAM, GRC, third-party risk, application security, cloud security, security architecture, data security, OT security, privacy/security coordination, customer assurance, and security program management.
The CISO should not simply add more layers. The goal is a security operating model that matches business complexity.
If the company has multiple locations, international operations, regulated data, acquisition activity, production environments, OT, software development, government contracting, CUI, public-company obligations, or 24/7 customer commitments, the capacity model should reflect those realities.
Growth triggers that require more capacity
Capacity should change when risk demand changes.
These triggers deserve a formal review:
- The company starts handling regulated data, CUI, FCI, payment data, health data, student data, financial data, or sensitive consumer data.
- Customer questionnaires become frequent, detailed, or tied to revenue.
- Cyber insurance applications require controls the company cannot evidence.
- The company moves from local systems to cloud, SaaS sprawl, remote work, or distributed identity.
- The company adds a new location, plant, warehouse, production line, OT environment, or remote access path.
- The company begins software development, customer portals, APIs, data integrations, or AI-enabled workflows involving sensitive data.
- Hiring, termination, contractor, and vendor account changes become frequent enough that access governance is lagging.
- The company enters CMMC, GLBA, HIPAA, SEC-facing, defense industrial base, financial services, education, or other regulated expectations.
- The company plans an acquisition, sale, private equity investment, or major customer expansion.
- Security exceptions are growing faster than they close.
- Incident response, backup restore, or tabletop exercises expose gaps nobody owns.
- Critical vulnerabilities remain open because business owners will not fund system changes.
- The same IT people are asked to deliver infrastructure projects, help desk, cloud migration, audit evidence, incident response, and security engineering at the same time.
These triggers do not always mean "hire immediately." They mean the current model should be challenged.
The answer might be a new internal role, better vendor support, a fractional CISO, a scoped engineering project, automation, policy cleanup, an access governance project, or a leadership decision to accept a risk with eyes open.
Compensation and talent levels
Cybersecurity compensation has to be discussed honestly because capacity plans fail when budgets are built on fantasy salaries.
Public labor data gives a baseline. The Bureau of Labor Statistics lists the May 2024 median pay for information security analysts at $124,910 per year, with a projected 29 percent job outlook from 2024 to 2034. BLS lists computer and information systems managers at a May 2024 median of $171,200 per year, with 15 percent projected growth.
Those numbers are not a complete CISO compensation model. They do show that security and technology management talent is not cheap, and the market is not shrinking.
Industry research points in the same direction. Gartner forecast worldwide end-user information security spending at $212 billion in 2025, a 15.1 percent increase from 2024, while noting pressure from cloud movement, threat activity, talent constraints, and security services demand. ISC2's 2025 workforce study reported that 33 percent of respondents lacked budget to adequately staff teams, 29 percent could not afford needed skills, and 72 percent agreed that reducing cyber personnel significantly increases breach risk.
The more useful lesson is not "pay whatever the market asks." It is that different levels of work require different talent.
Executive security leadership
A CISO or vCISO handles risk ownership, leadership advisory, governance, budget strategy, incident leadership, executive reporting, board communication, vendor strategy, security roadmap, and business tradeoffs.
This is senior work. A company that hires a junior analyst and calls them the CISO is not saving money. It is assigning executive accountability to someone without the authority, experience, or compensation structure to carry it.
Fractional CISO support can make sense when the company needs senior judgment but not 40 hours per week of executive security leadership. That is common for small businesses, founder-led companies, growing manufacturers, CMMC-readiness efforts, and mid-market organizations that need structure before full-time headcount.
Security management
A security manager or director turns the roadmap into operating cadence. They coordinate work, manage vendors, track risk, review exceptions, support audits, coordinate projects, and keep IT, security, and business owners aligned.
This role is often the first full-time security leadership role in a mid-sized organization.
Security engineering
Security engineers build and maintain controls. They may work across identity, endpoint, logging, cloud, email security, vulnerability management, network controls, automation, and incident response tooling.
Do not assume an IT generalist can absorb all engineering work indefinitely. IT overlap is real, but security engineering requires dedicated time and security-specific judgment.
Security operations and incident response
Analysts and responders review alerts, investigate suspicious activity, maintain detection workflows, escalate incidents, document findings, and support recovery.
Many smaller companies should outsource 24/7 monitoring rather than pretend a single internal person can cover it. Outsourcing does not remove the need for an internal owner. Someone still needs to know what the provider sees, how incidents escalate, which systems matter, and whether findings become business decisions.
GRC and assurance
GRC work includes policies, evidence, risk registers, vendor reviews, customer questionnaires, control mapping, audit preparation, and exception tracking.
This work is often dismissed until a customer, insurer, regulator, acquirer, or CMMC requirement asks for proof. Then it becomes urgent.
A company that underinvests in GRC may still have decent technical controls, but it will struggle to prove them, maintain them, and connect them to risk decisions.
Specialist roles
Cloud security, IAM, application security, OT security, third-party risk, data security, and security architecture may require specialist capacity.
CyberSeek's career pathway is useful for seeing how role families differ by skills, certifications, tasks, and salaries. The practical point is simple: if the company has specialist risk, it needs specialist access. That access might be internal, fractional, project-based, or vendor-supported.
Common capacity planning problems
Most security capacity problems are predictable.
Tool budget without owner capacity
Buying a tool does not create capacity.
A company can buy endpoint detection, vulnerability scanning, SIEM, cloud security tooling, GRC software, password management, DLP, email security, and awareness training and still fail if nobody owns configuration, review, tuning, evidence, exceptions, and follow-through.
Tool spend without owner capacity becomes shelfware or alert noise.
Security buried under IT with no authority
Security can report into IT and still work if authority is clear. It fails when security is treated as a lower-priority help desk function while leadership expects executive-risk outcomes.
If security cannot challenge risky IT decisions, enforce standards, escalate business risk, or get leadership decisions, it is not a security function. It is an IT task list with a security label.
Every business problem charged to cyber
This is one of the most expensive hidden problems.
A sales deadline, product launch, plant upgrade, acquisition, customer commitment, software purchase, or privacy issue creates security work. That does not automatically mean the security budget should absorb every cost.
The budget should show the business demand that created the work.
No incident reserve
A company that schedules every security and IT person at full utilization is assuming there will be no incidents, urgent customer requests, audit surprises, vendor failures, executive escalations, or urgent risk decisions.
That assumption is false.
Incident reserve is not waste. It is operational realism.
Compliance season crush
Some organizations ignore evidence all year and then expect the security team to produce policies, screenshots, tickets, access reviews, risk decisions, control narratives, and exception records in a few weeks.
That is not capacity planning. It is panic scheduling.
Evidence should be maintained as part of operations. CMMC, customer assurance, insurance, and audit work become much easier when the program is evidence-ready before the request arrives.
MSP equals security
MSPs can be valuable. Some are strong security partners. Others are mainly IT operations providers.
The problem is not the MSP model. The problem is assuming "they handle IT" means "we have security leadership."
The business still needs someone to set requirements, evaluate risk, review vendor performance, make security decisions, maintain the roadmap, and explain consequences to leadership.
The one-person unicorn
Many companies try to hire one person who can do CISO strategy, security engineering, incident response, GRC, vendor review, cloud architecture, help desk escalation, training, vulnerability management, and executive reporting.
That person either does not exist, costs more than the company planned, or burns out.
Capacity planning should split work by level and type. Some work needs senior judgment. Some needs hands-on engineering. Some needs process discipline. Some needs outsourced monitoring. Some needs business owner accountability.
Metrics that hide capacity problems
Activity metrics can create false comfort.
Number of alerts reviewed, tickets closed, phishing emails reported, policies published, vendors reviewed, or vulnerabilities scanned may show effort. They do not automatically show whether capacity matches risk.
Better capacity metrics include aging of high-risk exceptions, percentage of projects reviewed before purchase, number of overdue access reviews, incident response exercise findings, time to remove departed-user access, percentage of critical systems with tested restore evidence, customer questionnaire cycle time, control evidence freshness, open risks by owner, and work demand by business unit.
A 90-day approach to capacity planning
A company does not need a year-long consulting project to get control of capacity.
A practical 90-day effort can produce a usable operating model.
Days 1 to 30: find the actual demand
Start with facts.
Review IT tickets, security alerts, vendor requests, customer questionnaires, insurance requirements, audit requests, risk registers, policy exceptions, privileged access, open vulnerabilities, current projects, cloud changes, incident history, backup testing, endpoint coverage, identity groups, SaaS applications, and pending contracts.
Interview IT, finance, legal, HR, operations, sales, product, engineering, executive leadership, and any MSP or security vendor.
The goal is not to judge every gap immediately. The goal is to understand what work exists, where it comes from, who owns it, what deadlines drive it, and what risks it supports.
Produce:
- Work demand register.
- Current-state ownership map.
- Initial budget ownership view.
- List of recurring security services currently performed.
- List of promised but unfunded security obligations.
- Critical single points of failure.
Days 31 to 60: define the operating model
Turn the facts into structure.
Build the security service catalog. Define intake paths. Clarify which work belongs to IT, cyber, legal, compliance, HR, finance, product, operations, vendors, and business owners. Create or refresh the risk register. Identify incident response capacity. Identify work that should stop, move, be outsourced, be automated, or be funded by a business project.
This is where many companies find budget distortion. The security budget may be carrying business projects. IT may be carrying compliance evidence. GRC may be asking for data that no system owner maintains. Vendors may be paid for tools nobody reviews. The org chart may say one thing while the real work happens somewhere else.
Produce:
- Service catalog.
- RACI or ownership model.
- Budget ownership map.
- Risk register updates.
- Incident reserve recommendation.
- Vendor responsibility map.
- Immediate cleanup priorities.
Days 61 to 90: present options and commit decisions
Build the decision package.
Show the current capacity, required capacity, gaps, risks, and recommended path. Include minimum viable, right-sized, and accelerated options. Name which roles are internal, which are vendor-supported, and which are advisory. Include hiring sequence, vendor changes, compensation assumptions, budget ownership, project funding needs, and risks accepted if leadership chooses not to fund certain work.
Produce:
- Twelve-month capacity roadmap.
- Staffing and vendor plan.
- Budget scenarios.
- Executive decision log.
- Quarterly review cadence.
- Metrics dashboard focused on demand, backlog, risk, and control evidence.
The important part is commitment.
A capacity plan that does not change ownership, budget, intake, staffing, vendor scope, or risk acceptance is only a report.
How to handle different budget realities
Capacity planning has to work across budgets. A small company cannot pretend to be an enterprise. An enterprise cannot pretend small-company informality will scale.
Very limited budget
Focus on ownership, critical controls, and advisory clarity.
Name the security owner. Require MFA. Control admin accounts. Manage devices. Back up critical systems. Know where sensitive data lives. Maintain a basic risk register. Have an incident contact list. Review vendors before purchase. Get periodic senior security guidance so the company does not build bad patterns.
This is where Trawvid Sec's small-business security approach fits. The goal is not enterprise overhead. The goal is avoiding preventable chaos.
Moderate budget
Build rhythm.
Add a fractional CISO or security lead, strengthen MSP or IT accountability, add outsourced monitoring where justified, formalize vendor review, keep evidence current, build a quarterly roadmap, run tabletop exercises, and track risks by owner.
This is the budget range where right-sized governance creates a lot of value. The company may not need a large team, but it does need a repeatable model.
Growing or regulated budget
Add dedicated roles and specialization where demand proves the need.
Hire security management or engineering capacity. Add GRC support. Clarify CMMC, customer, insurance, and regulatory evidence expectations. Fund identity cleanup, logging, endpoint coverage, backup maturity, cloud review, and incident response readiness as program work, not leftovers.
If OT or manufacturing systems are involved, capacity planning should account for production realities. The 90-day OT and IIoT roadmap is a useful companion for that environment because plant uptime, vendor remote access, segmentation, and evidence needs change the staffing conversation.
Enterprise or high-complexity budget
Build a portfolio.
Security capacity should be planned by domain, service level, risk, business dependency, and roadmap. The CISO should manage executive priorities, not only department headcount. This is where architecture, GRC, IAM, SecOps, IR, AppSec, cloud, third-party risk, and data security need clear ownership.
Enterprise capacity planning should also include retention. The ISC2 workforce study reported that 88 percent of respondents experienced at least one significant cyber consequence due to skills deficiency. IANS and related industry coverage also point to retention pressure and compensation variation by role, industry, size, and complexity. If the company relies on hard-to-replace talent, capacity planning must include career path, backup coverage, training, and succession.
How Trawvid Sec fits
Trawvid Sec helps companies build practical security capacity without turning the work into performative overhead.
This is especially useful when the business is too complex for ad hoc security ownership but not ready for a large internal security department.
We can help by:
- Mapping security demand across IT, business projects, compliance, customer assurance, incident readiness, and executive risk.
- Building a service catalog that says what security does and does not own.
- Separating true cyber costs from IT platform costs, business-project costs, and legal or compliance costs.
- Creating a right-sized roadmap for small businesses, manufacturers, growing companies, CMMC readiness, regulated environments, and mid-market teams.
- Reviewing whether the company needs a fractional CISO, named security owner, internal hire, vendor support, or a combination.
- Building practical artifacts: risk register, ownership map, vendor responsibility map, incident readiness plan, evidence library, and quarterly security leadership cadence.
- Helping leadership decide what to fund, what to defer, what to outsource, and what risk is being accepted.
This is not managed security provider work, legal advice, insurance brokerage, CPA work, or a promise that risk disappears. It is security leadership and advisory work so the company can make better decisions about capacity before the lack of capacity becomes an incident, a customer problem, an acquisition issue, or a blocked growth plan.
Summary
Cybersecurity capacity planning is how a company stops pretending that security work will somehow fit into whatever time, budget, and people are left over.
A useful plan starts with the work. It separates run work, change work, assurance work, incident capacity, and leadership work. It names where security overlaps with IT and where it does not. It prevents business projects from quietly dumping cost into cyber. It shows when the company needs advisory support, internal staff, vendor capacity, specialist help, or executive risk acceptance.
The CISO perspective matters because capacity planning is not only about doing more. It is about doing the right work at the right level with the right owner.
For a small company, that may mean a lean operating rhythm, an MSP with clear expectations, and fractional CISO guidance.
For a growing company, it may mean a named security owner, dedicated engineering or GRC support, outsourced monitoring, and a roadmap tied to customer and regulatory demand.
For a larger or high-complexity company, it may mean specialized teams, portfolio management, executive reporting, and formal budget ownership across security, IT, business units, legal, compliance, and operations.
The point is not to make cybersecurity look bigger.
The point is to make it accurate.
Accurate capacity planning shows what the business is asking security to do, what capacity actually exists, what risks are being reduced, what costs belong where, and what leadership is choosing when it funds, delays, outsources, or accepts the work.
Related reading
Keep going on this topic
Cyber Diligence Before You Sell Your Business
Seller-side cyber diligence helps founders protect valuation, reduce deal friction, and show buyers the business can be trusted and integrated.
Shared tags: Security Program, vCISO Advisory, Governance, Risk Management
Cyber Diligence for Acquiring Companies
Acquirer-side cyber diligence helps buyers price risk, set deal conditions, avoid inherited surprises, and plan secure post-close integration.
Shared tags: Security Program, vCISO Advisory, Governance, Risk Management
How to Build a Cybersecurity Risk Register That Actually Gets Used
A practical guide to building, maintaining, and prioritizing a cybersecurity risk register that supports real business decisions.
Shared tags: Security Program, vCISO Advisory, Governance, Risk Management
Need a next step?
Turn the article into a practical plan.
Build a right-sized security operating modelReferences
Sources
- NIST Cybersecurity Framework 2.0
- NIST NICE Framework SP 800-181 Revision 1
- NIST IR 7621 Revision 1 Small Business Information Security
- NIST SP 800-61 Revision 3
- NIST IR 8286 Revision 1
- BLS - Information Security Analysts
- BLS - Computer and Information Systems Managers
- Gartner - Information Security Spending Forecast 2025
- ISC2 - 2025 Cybersecurity Workforce Study
- CyberSeek - Cybersecurity Career Pathway
- IANS - Cybersecurity Staff Compensation Report
- ITPro - IANS Cybersecurity Talent Report Coverage
