Identify Cybersecurity Staffing Levels
Plain English Translation
Organizations must formally document their internal cybersecurity staffing levels, recording both the raw number of dedicated security personnel and their percentage relative to the total staff. This ensures that leadership maintains clear visibility into the organization's cybersecurity headcount and can accurately assess whether the security team size is adequate for its operational risk.
Technical Implementation
Required Actions (startup)
- Document internal IT security staffing numbers in a basic spreadsheet or organizational chart.
- Calculate the cybersecurity staffing ratio manually once a year.
Required Actions (scaleup)
- Use a cybersecurity resource planning template to formally track headcount.
- Establish IT security staffing metrics and KPIs for management review.
Required Actions (enterprise)
- Integrate cybersecurity headcount tracking into an automated HR or GRC platform.
- Regularly benchmark security team size against industry standards to justify resource requests.
Typical cybersecurity staffing levels for a small business vary, but many rely on a hybrid model involving a fraction of an internal IT role alongside outsourced managed security services. Benchmarks often show a small percentage of total staff dedicated to IT, with security being a subset.
To calculate cybersecurity staff as a percentage of employees, divide the raw number of internal cybersecurity staff by the total number of employees in the organization, then multiply by 100.
CyberSecure Canada control 4.4.3.5, the staffing levels requirement, states that organizations must identify their internal staffing levels for cybersecurity both as raw numbers and as a percentage of total staff.
CyberSecure Canada does not mandate a specific security team size for a given company size, but it requires organizations to document their current cybersecurity headcount so that leadership makes informed risk and resourcing decisions.
When reporting internal IT security staffing numbers, include personnel whose primary role is dedicated to security, such as Security Operations Center (SOC) analysts, IT security engineers, Governance, Risk, and Compliance (GRC) specialists, and Incident Response (IR) team members.
Organizations should use a cybersecurity resource planning template, resource allocation plan, or official company organization chart to formally record the raw number of security personnel alongside the calculated cybersecurity staffing ratio.
CyberSecure Canada specifically asks organizations to identify their internal staffing levels. While managed security providers and contractors are critical to the security posture, the raw numbers reported for this specific metric typically focus on internal employees.
Organizations should maintain an updated company organization chart, resource allocation plans, or HR reports demonstrating the exact cybersecurity headcount and percentage calculations as evidence for auditors.
Organizations should review and update their cybersecurity staffing levels at least annually during budget and resource planning, or whenever significant changes occur in the organizational structure.
Organizations often use industry reports that benchmark security team size by company size, comparing their own IT security staffing metrics and KPIs against peers to justify requests to the board for additional cybersecurity headcount.
A common challenge is keeping headcount evidence (org charts, resourcing plans, HR exports) current and audit-ready. Tools like WatchDog Security's Compliance Center can map this control to required artifacts, track ownership and review cadence, and centralize the latest approved staffing evidence so reporting stays consistent across audit cycles.
Headcount numbers are most useful when they are tied to the risks they are meant to reduce (e.g., incident response coverage gaps or vulnerability backlog). Tools like WatchDog Security's Risk Register can link staffing metrics to risk statements, treatment plans, and leadership reporting so resourcing discussions are grounded in measurable exposure and outcomes.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |