Security Basics mailing list archives

RE: Sizing the Information Security Department


From: "Erin Carroll" <amoeba () amoebazone com>
Date: Mon, 8 Sep 2008 12:01:52 -0700

I've faced a similar situation in the past. In addition to Kevin's
suggestion regarding asset inventory, include roadmap timelines & current
workload details as well. If you can demonstrate that the current workload of
your day-to-day duties is such that it leaves the company at risk for
acceptable response times to crisis situations (virus outbreaks,
compromises, etc.) or potentially vulnerable as the "need to do" list falls
behind, it will go a long way towards management justification of approving
headcount. There's also the "hit by a bus" factor.

You may also want to consider bringing in contractors to do project-specific
tasks or augment short-term workload. Since, generally speaking, contractors
are less overhead for companies (vs. employees) and the costs can be pushed
into CapEx expenditures, they tend to be an easier route to pursue to get
management buy-in.

In the scenario I faced, the solution eventually was to bring in contractors
for point-in-time work while training an in-house employee from another
group to transfer over. Ping your Support organization (or other
technically-oriented group). There may be someone interested in expanding
their skillset who can help tackle the low-hanging fruit & free you to
attend to the more strategic aspects. Work with the Support manager ahead of
time to identify a likely candidate (and get the manager's buy-in) and
include that with your proposal. The more legwork and options you provide to
your execs, the more likely you will be to get traction and favorable
action.

By outlining the business "costs" and providing several options to address
your needs, you stand a much better chance of getting assistance in some form
to help you.


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba () amoebazone com
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Kevin A. Zibluk
Sent: Monday, September 08, 2008 10:55 AM
To: k7.fantr () gmail com
Cc: security-basics () securityfocus com
Subject: RE: Sizing the Information Security Department

K7  -

As part of your business case, are you preparing an inventory of the assets
requiring protection?
Computer networks & systems and the information residing on these systems
are just as important corporate assets as more tangible assets
such as buildings, materials, etc. Everyone understands why a company
needs a security guard at the entrance of a building, but not everyone
necessarily understands why a guard is needed for Information Security - the
inventory will assist in demonstrating the need.
On Thu, Sep 4, 2008 at 3:22 PM,  <k7.fantr () gmail com> wrote:
Hello all.

I am preparing a business case for increasing the size of the Information
Security department at the company where I work. This is a smaller company
with about 700 employees. Right now, I am the security department. :) - I am
asking to hire 3 security professionals to augment my load and to allow me
to focus on more of the strategic needs and higher level analysis.

My question is this: Do any of you know of any published recommendations
regarding the size of a security department based on company size? Any
guidance in this regard is appreciated.

Thanks in advance!