It depends on the size and funding of your organization. But, regardless of that, there are three kinds of disciplines that you should think about within a security function: engineering, operations (including everything from eyes on screens to finding threats, to doing threat hunting, to doing forensics, incident response, etc.), and compliance governance where you deal with the legal side of security. All three should compliment each other. At Pearson, we're well funded and hence we have three separate dedicated groups for those that report it to our CISO. They have a number of people within each pillar that I've mentioned. But, at smaller organizations, you may only get funding for three or five people, you might want one of each or two engineers and one compliance person. It totally depends on the appetite and strategy of the organization. I've seen a little bit of bias in the smaller organizations towards the external. They want to make sure that their products are secure and they are interacting with vulnerabilities in the products. Internally, because it's a startup, they are consuming a lot of IT services. The security is inherent and built in there so they don't have to have a technology play there. But as they grow then it shifts into this fibroid with internal versus external and enterprise versus customer focus.
Lee is correct, it depends on the size and funding but also tolerance. If this is a new InfoSec team and you are hiring your first CISO or BISO, or ASO, (etc. on the titles) I would hire someone who is built a InfoSec office before for companies in your industry if possible and size of your business' IT operations. A healthy mix of building the InfoSec office should also include a very strong understanding of compliance and regulatory procedures that Elevoro is required to adhere to. The InfoSec group's job would be to ensure compliance to these area such as PCI, HIPAA, HITRUST, FISMA etc.... Risk management as well as vendor management are critical to understand as well as infrastructure for both on-premise or hosted. When building an InfoSec office, you will need to ensure the person running the group has a good end-to-end enterprise plan and experience as well as part evangelist for the role.
The most important fact in information security is that we need smart individuals to do the most significant parts of the job. Despite the numerous racks of servers, tons of fundings on software, or multiple threat intel "feeds" we put our resources into, they won't provide us with the slightest impediment to adversaries without the real live humans working behind the stage to run the show. There are three major factors to look up on here: One is the humans behind the operations, they should be well trained to tackle the upcoming threats. Also they need to focus on finding vulnerabilities even if the patches have been applied. (continuous monitoring). Second is the operations, enough funding needs to be provided for the activities, including the research, threat intel hunting, and for the equipments. Most of the time, equipments need to be ripped apart to understand the inside out of its functions. Constantly updating the vulnerability analysis and threat database, and keeping a watch from testing to forensics, human components are the most important loops than any highly paid software tools. Third is the compliance and policies to be followed. It makes sure the working of the team on a disciplined manner, providing an organised test criteria. Apart from these they should also focus on attending community events and forums for new trends and challenges in the industry to get constant exposure. Much like what we are doing here on this brilliant platform, Pulse, to expand on our knowledge and share what we have with other individuals seeking meaningful information.