Headcount = ƒ(alerts, time to resolve)
Investigating 20 events/day with an average time to resolve of 2 hours means 20 × 2 = 40 hours of work per day, which at 8 hours per person requires 40/8 = 5 headcount.
To reduce the headcount needed to work security events effectively:
- Decrease security events with better protection
- Increase quality of events and detect real issues
- Reduce the amount of time to investigate events