Security Estimation – How to estimate for a security assessment.


During my early years in information security, one of the first problems I faced was estimating the effort for any activity. The estimate gets harder when the work depends on other departments, for example the server team or the network team.

Here is the basic framework I use and have trained my team on. In another post I will share the detailed Excel sheet and walk through an estimation.

This first post in the series covers the estimate for a generic security assessment. To estimate the effort for a security assessment, work through the following steps:

  1. Define the scope: List what is in scope for the assessment: the systems, applications, and infrastructure to be tested, and, just as important, what is out of scope.
  2. Assess resources: Identify the resources required for the assessment, such as personnel, equipment, and tools, including access or accounts that other teams must provide.
  3. Evaluate complexity: Consider the complexity of the systems and applications being assessed and the potential risk to the organization; a high-risk, complex target needs more depth and therefore more time.
  4. Use industry standards: Let an industry standard or methodology guide the assessment, such as the NIST Cybersecurity Framework or OWASP material. Note that the OWASP Top 10 is an awareness list of risk categories rather than a test plan; a testing guide such as the OWASP Web Security Testing Guide is what gives you countable test cases to estimate against.
  5. Review past assessments: Review previous security assessments of the same targets to identify recurring issues and areas of improvement; known findings and existing access reduce the effort of a retest.
  6. Consider time constraints: Take into account any time constraints or deadlines for the assessment, such as an upcoming audit or regulatory deadline, and check whether the team size can deliver the estimated effort within them.
  7. Develop a budget: Estimate the budget required for the assessment, including personnel, equipment, and tool costs.
  8. Review and adjust: Regularly compare the plan with actual results and adjust both this assessment and the baseline figures you use for future estimates.

Always keep some contingency (~ 5 – 10%, depending on the information available) to plan better.
