I'm evaluating our internal structure and I am wondering how many network admins/security managers we need. What should we base it on -- employee to manager ratio, the number of devices we use, network size or another factor?
Unfortunately, there isn't a magic formula that determines the right size staff for an organization based on the number of devices or network size. Before making any decisions about hiring or firing security administrators, consider these basic questions:
- Is IT in house or outsourced?
- Is information security administration, security monitoring, vulnerability testing, or policy management in house or outsourced to a managed security service provider?
- Is the data center in house, a colocation or managed by a cloud service provider?
- Are critical applications developed in house, hosted by a cloud service provider, commercially purchased with minimal changes required or commercially purchased with major changes required for them to work in the enterprise?
- If information security administrators manage user provisioning and access requests, what is the size of the user community; what is the internal employee count?
- Is IT desktop support managed internally or outsourced? Consider the number of workstations and laptops managed.
- Is the enterprise subject to regulatory requirements that would impose additional work burden on the information security program?
These questions should be answered before you begin calculating the size of any organizational unit and deciding how many security administrators you need. There are three criteria that then need to be considered:
1. Workload: Figure out what the network engineers, system administrators and information security administrators should be performing, what their responsibilities are and what they should be performing that they currently do not.
2. Skill sets: Assess the skill sets of the staff once their job responsibilities have been determined. Decide whether or not they need new or updated cybersecurity certifications, whether they have the aptitude to learn more and if there is a staff member you want to invest in to grow into another needed position. Also consider the time it would take for them to grow into that position. You may instead need to hire externally, but that also depends on the budget.
3. Tools: Having to do more with less has always been a challenge, but technology tools give organizations the ability to do just that. Unfortunately, tools require skill sets that may not be present in the staff yet, and training comes with a cost. Decide whether the cost is worth the potential benefits.
Deciding who to hire for what positions -- and how many of each position you need -- can be done through asking many questions. Inventory the IT environment, users, applications and critical systems. Inventory the staff skill sets and map existing tools to determine if they are sufficient or the right ones to fulfill the workload requirements.
It's important to perform security assessments to identify key vulnerabilities and report on risk factors that could harm the organization. Use an established industry security framework to implement the information security program for the enterprise and prove to executive management the need for additional security administrators.
Many times, it is not sufficient to ask for additional resources without empirical evidence on how you determined your request, so taking these steps is crucial. Good luck with this. You are definitely not alone.
Mike O. Villegas asks:
How does your organization make its security staffing decisions?