Security Basics mailing list archives
RE: Sizing the Information Security Department
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Mon, 8 Sep 2008 12:01:52 -0700
I've faced a similar situation in the past. In addition to Kevin's suggestion regarding asset inventory, include roadmap timelines & current workload details as well. If you can demonstrate that current workload of your day-to-day duties is such that it leaves the company at risk for acceptable response times to crisis situations (virus outbreaks, compromises, etc.) or potentially vulnerable as the "need to do" list falls behind it will go a long way towards management justification of approving headcount. There's also the "hit by a bus" factor.

You may also want to consider bringing in contractors to do project-specific tasks or augment short term workload. Since generally speaking contractors are less overhead for companies (vs employees) and the costs can be pushed into CapEx expenditures, they tend to be an easier route to pursue to get management buy-in.

In the scenario I faced the solution eventually was to bring in contractors for point-in-time work while training an in-house employee from another group to transfer over. Ping your Support organization (or other technically-oriented group). There may be someone interested in expanding their skillset who can help tackle the low hanging fruit & free you to attend to the more strategic aspects. Work with the Support manager ahead of time to identify a likely candidate (and get the manager to buy-in) and include that with your proposal.

The more legwork and options you provide to your execs, the more likely you will be to get traction and favorable action. By outlining the business "costs" and providing several options to address your needs you stand a much better chance of getting assistance in some form to help you.

--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba () amoebazone com
"Do Not Taunt Happy-Fun Ball"

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kevin A. Zibluk
Sent: Monday, September 08, 2008 10:55 AM
To: k7.fantr () gmail com
Cc: security-basics () securityfocus com
Subject: RE: Sizing the Information Security Department

K7 - As part of your business case, are you preparing an inventory of the assets requiring protection? Computer Networks & Systems and the information residing on these systems are just as important corporate assets as compared to more tangible assets such as buildings, materials, etc. Everyone understands why a company needs a security guard to the entrance of a building, but not everyone necessarily understands why a guard is needed for Information Security - the inventory will assist in demonstrating the need.

On Thu, Sep 4, 2008 at 3:22 PM, <k7.fantr () gmail com> wrote:
Hello all. I am preparing a business case for increasing the size of the Information Security department at the company where I work. This is a smaller company with about 700 employees. Right now, I am the security department. :) - I am asking to hire 3 security professionals to augment my load and to allow me to focus on more of the strategic needs and higher level analysis.

My question is this: Do any of you know of any published recommendations regarding the size of a security department based on company size? Any guidance in this regard is appreciated.

Thanks in advance!