Security Basics mailing list archives
Re: Sizing the Information Security Department
From: calgary_spence () msn com
Date: Mon, 8 Sep 2008 09:51:55 -0600
There is no specific ratio of security staff-to-employee for any company, as their needs are all different. I think this is entirely dependent on your company's security strategy and short and long-term goals. Since it sounds like you would be the person planning this strategy, I would make sure that your department's goals are realistic and affordable, but effective. I think we all know that no company can achieve total security of its information in 1 year, and that it takes years to achieve all your strategic security goals, and your team's size should be commensurate with your strategy.

There are a lot of variables to consider when developing this strategy and choosing the number and types of employees for your team. I would start by asking other security professionals in your industry what they have done, and try to learn from their successes and mistakes. Also, the amount and nature of the information you need to protect must be considered. If your CEO places very high value on the confidentiality, integrity and availability of your company's information assets, then you should be given adequate budget to develop the plan and the resources needed. Just hiring some security professionals and expecting them to get to the task of securing information is unrealistic. Developing a security road map for the next two years with specific, measurable, achievable, risk-driven and timely goals will impress the executives and give you the budget and resources you need to achieve them. (I say risk-driven instead of realistic... all your security-related decisions must involve some kind of risk analysis.)

I once worked for a company of about 1100 and we had 7 in InfoSec. The company downsized to about 400 employees and we were left with 2 in InfoSec. Now I work for a company of over 5000 and there are probably 150 employees/contractors in InfoSec.
I think the big difference is not the number of employees, but the business requirements to protect information and the need for industry compliance. You can better determine these requirements by discussing them with your senior management, compliance officers, legal team, customers, shareholders and your industry peers. I would also look to the 10 domains of the CISSP CBK to define your roadmap. Any time I've been stuck saying, "What do I do next?", I look at some of the best practices listed in the CBK and try to figure out which ones would work best for the situation.

I hope this helps. Cheers.