I would also start to look at what the business requirements are. One FTE is going to cover 40 hours out of a 168 hour week (assuming no leave). Does someone need to monitor things (like your IDS/IPS) during non-business hours?
In a much larger org, we have dedicated teams for AV, desktop patching, network patching, server patching (Windows and *nix), event monitoring/correlation, incident response and so on. This is all driven by either (a) SLAs/OLAs and (b) patching cycles. We work from those requirements to work out how many people we need, based on how quickly we need to turn things around. Cheers Ken From: David Lum [mailto:[email protected]] Sent: Wednesday, 20 July 2011 9:04 PM To: NT System Admin Issues Subject: RE: Security IT to employee ratio Thanks ASB, that's kind of what I was afraid of and as always you suggest good steps. Dave From: Andrew S. Baker [mailto:[email protected]] Sent: Wednesday, July 20, 2011 4:00 AM To: NT System Admin Issues Subject: Re: Security IT to employee ratio You will be hard pressed to find such a document, given all the variables, nor is that a useful way to go about justifying the headcount that might be needed. Rather, put together a list of all the activities that are needed to successfully maintain the security posture in your specific environment. Allocate some estimation of the time needed for each function, then add it all up. (Also take the liberty of delegating some portions of it to other technology departments, as necessary). This will tell you what the level of staffing *should* be for your environment, and by adding work to other people's plates, you'll automatically get their "support" for additional headcount. :) Of course, expect management to disagree on some of the items in your list, AND in the time allocated -- especially if they can keep it the way it is by shaving a few numbers and whacking a few tasks. ASB http://about.me/Andrew.S.Baker Harnessing the Advantages of Technology for the SMB market... On Wed, Jul 20, 2011 at 1:05 AM, David Lum <[email protected]<mailto:[email protected]>> wrote: Is there a document anywhere that can give me an idea of something along the lines of a general "recommended active IT security staff per employee ratio"? By "active IT security" I mean in-the-trenches people doing the legwork to get the last 3-5% of systems (at 400+ systems nothing is ever 100% in perfectly automated sync) fully compliant and up-to-date, keep astride of the IDS detections and tracking down which are false positives and which are actual alerts, etc. It has occurred to me that with 450 employees that there should probably be more than one FTE handling everything from IDS to keeping patches and AV current on all systems, employee training, etc... Heck I bet I can use one FTE that does NOTHING but track down and mitigate the non-compliant systems for AV and patching alone. David Lum Systems Engineer // NWEATM Office 503.548.5229<tel:503.548.5229> // Mobile 503.267.9764<tel:503.267.9764> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
