I'm evaluating our internal structure and I am wondering how many network admins/security managers we need. What...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
should we base it on -- employee to manager ration, the number of devices we use, network size or another factor?
Unfortunately, there isn't a magic formula that determines the right size staff for an organization based on the number of devices or network size. Before making any decisions about hiring or firing security administrators, consider these basic questions:
- Is IT in house or outsourced?
- Is information security administration, security monitoring, vulnerability testing, or policy management in house or outsourced to a managed security service provider?
- Is the data center in house, a colocation or managed by a cloud service provider?
- Are critical applications developed in house, hosted by a cloud service provider, commercially purchased with minimal changes required or commercially purchased with major changes required for it to work in the enterprise?
- If information security administrators manage user provisioning and access requests, what is the size of the user community; what is the internal employee count?
- Is IT desktop support managed internally or outsourced? Consider the number of workstations and laptops managed.
- Is the enterprise subject to regulatory requirements that would impose additional work burden on the information security program?
These questions should be answered before you begin calculating the size of any organizational unit and deciding how many security administrators you need. There are three criteria that then need to be considered:
1. Workload: Figure out what the network engineers, system administrators and information security administrators should be performing, what their responsibilities are and what they should be performing that they currently do not.
2. Skill sets: Assess the skills sets of the staff once their job responsibilities have been determined. Decide whether or not they need new or updated cybersecurity certifications, whether they have the aptitude to learn more and if there is a staff member you want to invest in to grow into another needed position. Also consider the time it would take for them to grow into that position. You may instead need to hire externally, but that also depends on the budget.
3. Tools: Having to do more with less has always been a challenge, but technology tools give organizations the ability to do just that. Unfortunately, tools require skill sets that may not be present in the staff yet, and training comes with a cost. Decide whether the cost is worth the potential benefits.
Deciding who to hire for what positions -- and how many of each position you need -- can be done through asking many questions. Inventory the IT environment, users, applications and critical systems. Inventory the staff skill sets and map existing tools to determine if they are sufficient or the right ones to fulfill the workload requirements.
It's important to perform security assessments to identify key vulnerabilities and report on risk factors that could harm the organization. Use an established industry security framework to implement the information security program for the enterprise and prove to executive management the need for additional security administrators.
Many times, it is not sufficient to ask for additional resources without empirical evidence on how you determined your request, so taking these steps is crucial. Good luck with this. You are definitely not alone.
Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)
Learn how to retain your organization's talented security staff
Discover how millennials can save the security staffing shortage
Find out if untraditional hiring is right for your security team
Dig Deeper on Business Management: Security Support and Executive Communications
Related Q&A from Mike O. Villegas
A security portfolio shouldn't be used as an alternative to a reporting structure, but it can still be beneficial to enterprises. Expert Mike O. ...continue reading
A virtual CISO is a good option for smaller organizations that want stronger security leadership, but don't have the budget. Expert Mike O. Villegas ...continue reading
Security vendor hype is a problem CISOs often have to deal with. Expert Mike O. Villegas discusses some ways to cut through the hype and make smart ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.