kantver - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How many security administrators does an enterprise need?

There's no magic formula for figuring out how many security administrators an organization needs, but expert Mike O. Villegas reviews the decision-making process.

I'm evaluating our internal structure and I am wondering how many network admins/security managers we need. What should we base it on -- employee to manager ration, the number of devices we use, network size or another factor?

Unfortunately, there isn't a magic formula that determines the right size staff for an organization based on the number of devices or network size. Before making any decisions about hiring or firing security administrators, consider these basic questions:

  • Is IT in house or outsourced?
  • Is information security administration, security monitoring, vulnerability testing, or policy management in house or outsourced to a managed security service provider?
  • Is the data center in house, a colocation or managed by a cloud service provider?
  • Are critical applications developed in house, hosted by a cloud service provider, commercially purchased with minimal changes required or commercially purchased with major changes required for it to work in the enterprise?
  • If information security administrators manage user provisioning and access requests, what is the size of the user community; what is the internal employee count?
  • Is IT desktop support managed internally or outsourced? Consider the number of workstations and laptops managed.
  • Is the enterprise subject to regulatory requirements that would impose additional work burden on the information security program?

These questions should be answered before you begin calculating the size of any organizational unit and deciding how many security administrators you need. There are three criteria that then need to be considered:

1. Workload: Figure out what the network engineers, system administrators and information security administrators should be performing, what their responsibilities are and what they should be performing that they currently do not.

2. Skill sets: Assess the skills sets of the staff once their job responsibilities have been determined. Decide whether or not they need new or updated cybersecurity certifications, whether they have the aptitude to learn more and if there is a staff member you want to invest in to grow into another needed position. Also consider the time it would take for them to grow into that position. You may instead need to hire externally, but that also depends on the budget.

3. Tools: Having to do more with less has always been a challenge, but technology tools give organizations the ability to do just that. Unfortunately, tools require skill sets that may not be present in the staff yet, and training comes with a cost. Decide whether the cost is worth the potential benefits.

Deciding who to hire for what positions -- and how many of each position you need -- can be done through asking many questions. Inventory the IT environment, users, applications and critical systems. Inventory the staff skill sets and map existing tools to determine if they are sufficient or the right ones to fulfill the workload requirements.

It's important to perform security assessments to identify key vulnerabilities and report on risk factors that could harm the organization. Use an established industry security framework to implement the information security program for the enterprise and prove to executive management the need for additional security administrators.

Many times, it is not sufficient to ask for additional resources without empirical evidence on how you determined your request, so taking these steps is crucial. Good luck with this. You are definitely not alone.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn how to retain your organization's talented security staff

Discover how millennials can save the security staffing shortage

Find out if untraditional hiring is right for your security team

This was last published in March 2016

Dig Deeper on Information security program management