Security Basics mailing list archives

Re: Sizing the Information Security Department


From: "Kurt Buff" <kurt.buff () gmail com>
Date: Fri, 5 Sep 2008 12:01:14 -0700

I'm unaware of even recommended staffing levels for general sysadmins,
though a couple of people have made a stab at it - see
http://www.verber.com/mark/sysadm/how-many-admins.html for what I
consider the best attempt.

The answers are far too dependent on you and your institution's unique
circumstances, such as industry sector, corporate culture, security
stance, etc., to be able to make a firm recommendation based simply on
numbers of employees.

I, for instance, am the lead network administrator at a company of
almost 300 people, and my duties encompass many things, including
security, network administration, system administration, printer
support and desktop support - both directly and by supervision of my
team mates.

That's not to say that I don't think that I should be full time on
security - I could easily justify that - in my own mind - but making
the business case is much harder.

Best of luck.

On Thu, Sep 4, 2008 at 3:22 PM,  <k7.fantr () gmail com> wrote:
Hello all.

I am preparing a business case for increasing the size of the
Information Security department at the company where I work. This is a
smaller company with about 700 employees. Right now, I am the security
department. :) - I am asking to hire 3 security professionals to augment
my load and to allow me to focus on more of the strategic needs and
higher level analysis.

My question is this: Do any of you know of any published recommendations
regarding the size of a security department based on company size? Any
guidance in this regard is appreciated.

Thanks in advance!




