Security Basics
mailing list archives
Re: Sizing the Information Security Department
From: calgary_spence () msn com
Date: Mon, 8 Sep 2008 09:51:55 -0600
There is no specific ratio of security staff-to-employee for any company, as their needs are all different. I think
this is entirely dependent on your company's security strategy and short and long-term goals. Since it sounds like you
would be the person planning this strategy, I would make sure that your department's goals are realistic and
affordable, but effective. I think we all know that no company can achieve total security of its information in 1
year, and that it takes years to achieve all your strategic security goals, and your team's size should be
commensurate with your strategy.
There are a lot of variables to consider when developing this strategy and choosing the number and types of employees
for your team. I would start by asking other security professionals in your industry what they have done, and try to
learn from their successes and mistakes. Also, the amount and nature of the information you need to protect must be
considered. If your CEO places very high value on the confidentiality, integrity and availability of your company's
information assets, then you should be given adequate budget to develop the plan and the resources needed.
Just hiring some security professionals and expecting them to get to the task of securing information is unrealistic.
Developing a security road map for the next two years with specific, measurable, achievable, risk-driven and timely
goals will impress the executives and give you the budget and resources you need to achieve them. (I say risk-driven
instead of realistic... all your security-related decisions must involve some kind of risk analysis)
I once worked for a company of about 1100 and we had 7 in InfoSec. The company downsized to about 400 employees and
we were left with 2 in InfoSec. Now I work for a company of over 5000 and there are probably 150 employees/contractors
in InfoSec. I think the big difference is not the number of employees, but the business requirements to protect
information and the need for industry compliance. You can better determine these requirements by discussing them with
your senior management, compliance officers, legal team, customers, shareholders and your industry peers. I would also
look to the 10 domains of the CISSP CBK to define your roadmap. Any time I've been stuck saying, "What do I do next?",
I look at some of the best practices listed in the CBK and try to figure out which ones would work best for the
situation. I hope this helps. Cheers.