Security department size and composition are shaped by several factors: the number of data centers
and Points of Presence (POPs), the industry, the company culture, whether the company is
international, and the number of employees.
The first is the number of data centers and Points of Presence. The cost of the security stack grows with
each POP, and the number of data centers also speaks to the complexity of the network. Of course, the
more POPs there are, the more budget it takes to buy and maintain the hardware and the more people
are needed to run everything.
The next factor is the industry. The type of industry directly affects the composition and size of the
department. A Defense sector company, for instance, would very likely have a larger Security Operations
Center and Security Incident Response Team than, say, a college of similar size. The Defense sector simply
faces a greater threat and more regulation.
Company culture usually determines what work is done within IT and what is done within the IT
Security group. There is no firm rule about where everything should sit, so the split is usually the
result of decisions made years earlier that nobody has found a compelling enough reason to change.
Almost all IT Security departments are responsible for Policy, Security Awareness, Risk Management
and Incident Response. Most IT groups are responsible for managing firewalls, even though the security
department usually writes the standards. Most companies also have Identity and Access Control reporting
somewhere in IT, although that trend is changing. Other common groups that could report to either side,
or even to someone else such as a Chief Risk Officer, include Vulnerability Management, Vendor Risk
Management, Customer Assurance, Cloud Security, Security Architecture, Mergers and Acquisitions,
Regulatory Compliance, Privacy and Physical Security.
This is not an exhaustive list. There are many ways to form a department to accomplish all the work
required. Some industries even have product-specific security teams that report within a business unit
rather than to corporate IT or IT Security. There are pros and cons to every department configuration,
but the goal should be that all security needs are met in a proactive, mature (not ad hoc) fashion, that
no team is responsible for something another team has authority over, and that every team with any
security responsibility communicates effectively with the others. Regardless of company or department
composition, a Security Council is recommended.
There is some industry guidance on how large a department should be and how much budget it should
manage.
For our purposes, we will use an average Fortune 500 company and round down to keep the math simple.
Revenue for our company will be $10 billion, and IT spend will be 3% of revenue, or $300 million.
There is a lot of information out there about how much IT Security spend should be as a percentage of
the IT budget. I found articles claiming that the average was as high as 10%. From personal experience,
only financial institutions spend as much as 10% and most Fortune 500 companies are a lot closer to
3-5%. For our purposes, because I want to make it realistic, we will use 5% of IT spend, or $15 million.
The last piece of the puzzle is that most IT Security departments spend 70% of their budget on labor,
which here is $10.5 million.
The average salary for an individual contributor in IT Security is $80,000, bearing in mind that some
junior staff will make less and one or two senior people will make more. An average manager makes
$120,000, and the CISO will likely be a director or low-paid VP averaging around $200,000.
An average span of control is five to seven individual contributors per manager. The CISO will have as
many direct reports as necessary, but if the company requires a lot of teams, you may even see one or
two senior managers, or possibly a director, over two or three managers.
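The budget and staffing rules above can be turned into a small sizing model. The following is an added example written for this page, not something the author supplied: it takes the percentages (3% of revenue to IT, 5% of IT to security, 70% of security spend to labor), the three salary figures and the five-to-seven span of control exactly as stated above, and everything else (the function names, integer-dollar arithmetic, and the greedy fill that adds individual contributors until the next one, with the manager that contributor's team needs, no longer fits) is this example's own choice.

```python
"""Headcount sizing from the budget assumptions stated in the text.

Added example: the percentages, salaries and 5-7 span of control come from
the page; the model structure and function names are assumptions made here.
"""
from math import ceil


def security_budget(revenue, it_pct=3, sec_pct=5, labor_pct=70):
    """Walk revenue down to the security labor budget using the page's
    percentages. Integer dollars throughout so the figures stay exact."""
    it_budget = revenue * it_pct // 100
    sec_budget = it_budget * sec_pct // 100
    labor = sec_budget * labor_pct // 100
    return {
        "it_budget": it_budget,
        "security_budget": sec_budget,
        "labor_budget": labor,
        "non_labor_budget": sec_budget - labor,  # tools, hardware, services
    }


def size_department(labor_budget, span, ic_salary=80_000,
                    mgr_salary=120_000, ciso_salary=200_000):
    """Largest department that fits the labor budget: one CISO, then as many
    individual contributors (ICs) as affordable, with one manager per `span`
    ICs. A partially filled team still needs a manager, hence ceil().

    Returns (ics, managers, total_headcount, labor_cost)."""
    if span < 1:
        raise ValueError("span of control must be at least 1")
    remaining = labor_budget - ciso_salary
    if remaining < 0:
        raise ValueError("labor budget does not even cover the CISO")
    ics = 0
    while True:
        candidate = ics + 1
        # Cost of the ICs plus the managers that many ICs require.
        cost = candidate * ic_salary + ceil(candidate / span) * mgr_salary
        if cost > remaining:  # cost only grows with candidate, so stop here
            break
        ics = candidate
    managers = ceil(ics / span)
    spent = ciso_salary + ics * ic_salary + managers * mgr_salary
    return ics, managers, ics + managers + 1, spent


def sizing_table(revenue=10_000_000_000, spans=(5, 6, 7)):
    """Run the model for each span of control the text allows (5 to 7)."""
    budget = security_budget(revenue)
    return {span: size_department(budget["labor_budget"], span)
            for span in spans}


if __name__ == "__main__":
    b = security_budget(10_000_000_000)
    print(f"IT ${b['it_budget']:,}  security ${b['security_budget']:,}  "
          f"labor ${b['labor_budget']:,}  non-labor ${b['non_labor_budget']:,}")
    for span, (ics, mgrs, total, spent) in sizing_table().items():
        print(f"span {span}: {ics} ICs + {mgrs} managers + 1 CISO = "
              f"{total} staff, ${spent:,} of labor budget")
```

With the page's figures the labor budget is $10.5 million and the model lands at roughly 120 people (about 100 individual contributors, 15 to 20 managers and the CISO) whichever span of control is chosen. Two caveats a practitioner would apply before quoting that number: the salaries above are base pay, so a fully loaded cost (benefits, recruiting, training) would lower the headcount, and the remaining $4.5 million of non-labor budget has to cover the security stack at every data center and POP described earlier.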
The other factors to consider for our mythical company are that it has 12,000 employees, two data
centers and two POPs. It is also publicly traded and domestic only, spread across a dozen states, one of
which is California.
The last descriptive piece is that this is a manufacturing company that makes widgets but does not
handle direct sales. It does make very cool widgets and spends a lot of money on R&D to make sure it
has the coolest widgets on the market.
The important thing to remember is that there is no wrong answer, but you will need to make a best
guess for department composition and staffing levels.