Network Security Security-Management

RE: IT Department Size

Subject: RE: IT Department Size
Date: Thu, 27 Oct 2005 18:12:48 -0800
I quite agree with Steven. It has been my experience that the ratio,
whatever it is, is valid for your company, whatever it is. Which is
another way of saying there is no such thing, or, at least, not a
meaningful thing. Once you determine what is right for your company, then
you know what it is for your company, but not anyone else's. The number
might allow you to project staffing needs several years ahead with
reasonable accuracy - for your company. However, a 1:250 ratio for one
company will likely not hold for another company, even if it is similar
in size, structure, and industry.

So much depends on so many variables - brand of hardware/software, age of
same, geographical distribution of assets, nature of business,
legal/regulatory requirements, types and extent of business
relationships, experience level of technical staff, experience level of
employees, and on and on, that it's impossible to categorically state a
ratio and have it be anything more than vapor-stats. Older equipment
running a diversity of software by lesser-experienced technical staff for
inexperienced users might require a 1:50 ratio. But, even new hardware
might require a lot of tending, if it runs some quirky software for
rookie users. A company with numerous branch offices (such as banks,
sales, fast food, etc), will need more people to cover the geographic
area. It just all depends.

The best starting place is a nice, round, even number, which is then
quickly adjusted up or down, depending on the horrified gasps of the
senior management or the agonized screams of the end-users (some of which
may be senior management). Try 1:100 or 1:200, and see where that gets
you. Remember that the number will still not be really meaningful,
though, as you did not ask what the best structure was, you simply asked
for numbers (you're not an accountant, by any chance, are you?). If you
have three rookie PC Technicians working for one experienced Network
Administrator, you might have four staffers but be able to get the work
done of six. Or, the Network Administrator might be flooded with
difficult support calls and four might not be enough. It still
just depends.

What I can say is that a company that is highly technically oriented
might require more IT staff than one with simpler technical needs,
especially at the beginning. This is because the company will still
be building its computing infrastructure, and needs the additional staff
to get things built and supported. Remember that the more technical a
company's needs are (computers, networks, security, VoIP,
videoconferencing, IT staff that does phones too, etc), the more staff it
will need. It seems also true that the ratio increases as the company
grows, so a company that needed a 1:150 ratio at one time might need
1:250 when it is five times its original size.

Chuck Hutchings  CISSP, CISA, CISM
Information Security Consultant



  ----- Original Message -----
  From: "Steven Allison (DHL US)"
  To: Rami.Prescott@frostbank.com,
  security-management@securityfocus.com
  Subject: RE: IT Department Size
  Date: Wed, 26 Oct 2005 07:54:31 -0700

Rami, the rule of thumb to your question is: "it depends." It depends on
the actual size of your organization. A 1:250 ratio may work for a
company with 1000 employees but for a company of 500,000 employees, the
ratio is more like 1:5000. It depends on the risk level of your company
and industry. An IT or financial based company (MCI, AT&T, American
Express, VISA, Wells Fargo Bank, etc.) would require a better
administrator:person or administrator:system ratio than a company such as
DHL (shipping company). It depends on what regulations you must adhere to
and how many personnel it takes to ensure compliance (regardless of
number of systems or personnel in the company). I'm quite sure the group
here could expand on any of my points or add 50 more. What I think you
need to do is assess the level of risk to your organization and what it
takes to fulfill your ~sigh~ Business Continuity Plan.  Staffing is such
a sticky issue. If you ask the manager how many personnel he needs to
fulfill his obligation to the organization, it will be far more than the
VP three levels above him thinks. There is no clear answer to your
question and it only looks like I've raised more questions for you. But
sometimes, the travel is half the fun of getting to the destination...or
not.

Best Regards,

Steven R. Allison, CISSP
Information Security Manager, Americas Region

DHL Express
8701 E. Hartford Dr.
Scottsdale, AZ 85255

Phone:   480-375-6490
Cellular: 480-226-2495
FAX:      480-375-7039
Steven.Allison@dhl.com

"You have enemies? Good. That means you have stood up for something,
sometime in your life."
- Winston Churchill


  --------------------------------------------------------------------

  From: Rami.Prescott@frostbank.com
  [mailto:Rami.Prescott@frostbank.com]
  Sent: Tuesday, October 25, 2005 1:32 PM
  To: security-management@securityfocus.com
  Subject: IT Department Size


  Would anyone know of a good place to find information on how large a
  system administrator/ network engineering department should be?

  The general rule of thumb I've heard is 1 system
  administrator/network engineer for every 250 users.  Is this
  generally true in practice?

  We define system administrator/network engineer as someone who has
  5-10 years experience in all OS and who is responsible for the
  operating system and hardware.

  Thank you,
  Rami Prescott
  IT Audit