· Dayo Adetoye (PhD, C|CISO) · Reducing Friction and Accelerating Innovation  · 5 min read

Beyond the Firefighting:

Enable Risk Improvement through Proactive Capacity Planning.

Security teams are often trapped in reactive cycles, firefighting incidents instead of addressing root causes or improving resilience. Gain strategic insight that helps you elevate your team's impact by unlocking time for proactive risk reduction and long-term improvement.

Question:

  • What percentage of your team’s time is dedicated to reducing future risk?
  • Can you estimate the likelihood that your team has the capacity for substantial improvement work?

Premise:

  • Security teams are often trapped in reactive cycles, firefighting incidents instead of addressing root causes or improving resilience.
  • Effective capacity planning can break this cycle, enabling teams to invest time in risk improvement while maintaining operational excellence.

Value Proposition:

This article introduces a simple yet effective method for calculating and estimating capacity, offering actionable insights to optimize resource allocation and prioritize work. By leveraging this approach, your team can transition from reactive firefighting to proactive planning, reducing long-term risks and enhancing security outcomes.

Ready to Dive In?

Jump straight to our free calculator below to estimate your team’s proactive capacity.

Why Teams Get Stuck in Firefighting Mode

Tech Debt Theater

In the theater of tech debt, reactive work is both the actor and the stage - capacity planning is the exit door.

  • Limited time for proactive initiatives such as patching, automation, and process improvement. These are the types of projects that capacity planning can support, making it crucial to break the cycle of technical debt that fuels reactive workloads.
  • High volume of reactive work driven by constant incidents.
  • Lack of visibility into team capacity and workload dynamics.

Calculating Proactive Capacity

Proactive Capacity represents the portion of a team’s resources available for forward-looking initiatives that reduce future risks and drive strategic improvements, rather than being consumed by reactive tasks. Estimating the probability of sufficient proactive capacity is essential to ensure your team can meet long-term security objectives.

Here’s how proactive capacity is calculated:

Proactive Capacity
$$\text{Proactive Capacity} = 1 - \frac{\text{Reactive Workload (Hours)}}{\text{Team Capacity (Hours)}}$$

Where:

  • Reactive Workload: The total time spent on reactive tasks (e.g. incident response, architecture review or pen-testing), measured in hours.
  • Team Capacity: The total available working time, adjusted for factors like vacations, sick leave, and other commitments.

Estimating Reactive Workload

Reactive workload represents the total time spent addressing unplanned and other expected incoming events. It is calculated as:

Reactive Workload
$$\text{Reactive Workload} = \text{Work-Event Arrival Rate} \times \text{Work-Event Effort Time}$$

Where:

  • Work-Event Arrival Rate (WAR): The frequency of new events requiring team attention, typically measured in events per day or week.
  • Work-Event Effort Time (WET): The average time spent processing and resolving each event, including all associated activities, measured in hours.

This formula highlights the relationship between how often events occur and the effort required to manage them. Understanding these factors enables teams to quantify their reactive workload and identify opportunities for optimizing time allocation.

Estimating Team Capacity

Team capacity reflects the total available working time, adjusted for real-world factors like vacations, sick leave, and other commitments. Recognizing that uncertainty is inevitable, we incorporate a confidence level to account for variability in these estimates. Use the calculator below to experiment with different values and observe how they influence your team’s capacity.

Proactive Capacity Calculator

This calculator performs a Monte Carlo simulation of your team’s reactive workload and team capacity, allowing you to estimate your team’s proactive capacity and the likelihood that your team has the capacity for substantial improvement work.

Proactive Capacity

  • Chances of Achieving Proactive Capacity Target
  • Input: Proactive Capacity Target (%) (want to meet or exceed target)
  • Chart: Proactive Capacity Exceedance Curve. How likely will the team meet or exceed proactive capacity target? (x-axis: Proactive Capacity (%); y-axis: Exceedance Probability; legend: Proactive Probability Exceedance, Proactive Capacity Target)

Team Characteristics

  • Team Size
  • Working hours per day (excl. breaks, meetings etc.)
  • Average days per year (excl. vacations, sick days etc.)
  • Confidence (in the estimated average days)
  • Chart: Team Capacity Distribution. How many hours of work (per annum) are you likely to get from your team? (x-axis: Capacity (hours); y-axis: Probability Density)

Reactive Workload

  • Work-Event Arrival Rate (per day)
  • Arrival Rate Confidence
  • Average Work-Event Effort Time (in hours)
  • Effort Time Confidence
  • Chart: Reactive Workload Distribution. How many hours (per annum) does your team spend on reactive tasks? (x-axis: Reactive Workload (hours); y-axis: Probability Density)
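
A minimal Monte Carlo version of the calculation described above, as an added example rather than the calculator's own code. The page does not say how a "confidence" input becomes a distribution, so the normal spread of (1 - confidence) x mean used here is an assumption, as are `arrival_days`, the sample team figures and all function names.

```python
import random
import statistics

def _draw(rng, mean, confidence):
    # ASSUMPTION: "confidence" maps to a normal spread of (1 - confidence) * mean,
    # truncated at zero. The page does not say how the calculator models it.
    return max(0.0, rng.gauss(mean, (1.0 - confidence) * mean))

def simulate_proactive_capacity(team_size, hours_per_day, days_per_year, days_conf,
                                arrival_rate, arrival_conf, effort_hours, effort_conf,
                                arrival_days=260, trials=20_000, seed=7):
    """Return sorted annual proactive-capacity fractions, one per trial.

    arrival_days (days per year on which events arrive) is an assumed
    parameter used to annualise the per-day arrival rate.
    """
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        capacity = team_size * hours_per_day * _draw(rng, days_per_year, days_conf)
        if capacity == 0:
            continue  # degenerate draw: no working days at all
        # Reactive Workload = arrival rate x effort time, scaled to a year
        workload = (_draw(rng, arrival_rate, arrival_conf) * arrival_days
                    * _draw(rng, effort_hours, effort_conf))
        # Proactive Capacity = 1 - Reactive Workload / Team Capacity;
        # a negative value means reactive work alone exceeds capacity.
        samples.append(1.0 - workload / capacity)
    return sorted(samples)

def exceedance_probability(samples, target):
    """Share of trials whose proactive capacity meets or exceeds target."""
    return sum(1 for s in samples if s >= target) / len(samples)

if __name__ == "__main__":
    # Constructed inputs: 5 people, 6 h/day, 220 days/year (90% confidence),
    # 3 events/day and 4 h/event (80% confidence each).
    runs = simulate_proactive_capacity(5, 6, 220, 0.9, 3, 0.8, 4, 0.8)
    print(f"median proactive capacity: {statistics.median(runs):.0%}")
    for target in (0.3, 0.5, 0.7):
        print(f"P(capacity >= {target:.0%}) = {exceedance_probability(runs, target):.2f}")
```

Evaluating `exceedance_probability` across a range of targets traces the exceedance curve, and re-running with a lower arrival rate or effort time shows how far each lever moves it.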

Supporting Decision-Making

By understanding the factors that affect your team’s proactive capacity, you gain insight into the “levers” you can pull to optimize your team’s effectiveness at managing your organization’s future risk.

For example, a high work-event arrival rate may indicate the need for intervention to address the root cause of frequent events. Introducing an effective patch management process can reduce the occurrence of vulnerabilities, while implementing a robust Secure Development Lifecycle (SDLC) program can proactively address security flaws earlier in the development process, reducing event volume.

If the real driver of low proactive capacity is the time it takes to process work events, opportunities to improve this metric may include:

  • Automation: Leveraging tools to streamline repetitive or time-consuming tasks.
  • Process Improvements: Simplifying workflows or removing bottlenecks in existing procedures.
  • AI Integration: Deploying AI to assist with threat detection, triage, and decision-making.
  • Outsourcing: Delegating specific tasks to external partners, such as Managed Security Service Providers (MSSPs), to free up internal resources.

Bringing It All Together

Understanding and quantifying your proactive capacity allows you to make data-driven decisions that balance the demands of today’s reactive workload with the need to build resilience and reduce future risk.

By regularly measuring your team’s proactive capacity and modeling its drivers, you can:

  • Identify Improvement Opportunities: Pinpoint specific areas where changes will have the most significant impact on capacity.
  • Justify Resource Investments: Use data to advocate for additional headcount, tooling, or external support.
  • Proactively Manage Risk: Ensure that your team has enough bandwidth to focus on forward-looking initiatives, such as improving processes, automating tasks, and building organizational resilience.

Proactive Capacity isn’t just a metric—it’s a strategic tool for transforming how your team operates and ensuring your organization stays ahead of emerging threats. By shifting focus from firefighting to proactive risk reduction, you position your security program as a driver of long-term success.

Call to Action

Start by measuring your team’s current proactive capacity. Use the insights gained to create a plan for improving efficiency and tackling the root causes of a low proactive capacity. Remember, the goal isn’t perfection—it’s continuous improvement that empowers your team to make meaningful progress toward reducing risk and enhancing security outcomes.
