Data Centers and Points of Presence

Security department sizes and composition are impacted by several factors. These factors are number of data centers and Points of Presence (POPs), the industry, the company culture, whether the company is international and number of employees.

The first is the number data centers and points of presence. The cost of the security stack increases for each Point of Presence, but the number of data centers also speaks the complexity of the network. Of course, the more POPs, the more budget to pay and maintain the hardware and the more people will be needed to run everything.

Don't use plagiarized sources. Get Your Custom Essay on
Data Centers and Points of Presence
Just from $13/Page
Order Essay

The next factor is the industry. The type of industry will directly impact the composition and size of the department. A Defense sector company for instance would very likely have a larger Security Operations Center and Security Incident Response Team than say a college of similar size. The Defense sector simply has a greater threat and more regulations.

Company culture usual has an impact on what type of work is done within IT and what is done within the IT Security group. There really is no rule as to where everything should be located, so it’s usually a result of decisions made years before and no one coming up with a compelling enough reason to change it. Almost all IT Security departments have responsibility for Policy, Security Awareness, Risk Management and Incident Response. Most IT groups have responsibility over managing firewalls, even though the security department usually comes up with the standards. Most companies also have Identity and Access Control reporting somewhere in IT, although that trend is changing. I will list other common groups that could report in either or maybe even under someone else like a Chief Risk Officer. Vulnerability Management, Vendor Risk Management, Customer Assurance, Could Security, Security Architecture, Mergers and Acquisitions, Regulatory Compliance, Privacy & Physical Security.

And this isn’t and exhaustive list. There are many ways to form a department to accomplish all the work required. Some industries will even have product specific security teams that report within a business unit and not to the corporate IT or IT Security team. There are pros and cons to every department configuration, but the goal should be to make sure that all the security needs are being met in a proactive and mature (not ad hoc) fashion and that no team is responsible for something another team has authority over and that all teams with any security responsibility are communicating effectively with the others. Regardless of company or department composition, a Security Council is recommended.

When it comes to the guidance for how large a department should be and how much budget they should manage, there is some industry guidance. value-creation.html

For our purposes, we will use an average Fortune 500 company and we will round down to keep the math simple. IT spend will be 3% of Revenue. Revenue for our company will be $10 Billion dollars.

There is a lot of information out there about how much IT Security spend should be as a percentage of the IT budget. I found articles claiming that the average was as high as 10%. From personal experience, only financial institutions spend as much as 10% and most Fortune 500 companies are a lot closer to 3- 5%. For our purposes because I want to make it realistic, we will use 5% of IT spend. The last piece of the puzzle is that most IT Security departments spend 70% of their budget on labor.



Average salary for an individual contributor in IT Security is $80,000, realizing you will have some junior folks making less and one or two senior folks making more. An average manager will make $120,000 and the CISO will likely be a director or low paid VP, averaging around $200,000.

An average ratio of individual contributor to manager is 5-7 people. The CISO will have as many direct reports as necessary but it of the company requires a lot of teams, you may even see one or two senior managers or possibly even a director over 2-3 managers.

The other factors to consider for our mythical company will be that there are 12,000 employees, two data centers and two POPs. It is also publicly traded and only domestic, spread across a dozen states, one of which is California.

The last descriptive piece is that this is a manufacturing company that makes widgets but does not handle direct sales. They do have very cool widgets and spend a lot of money on R&D to make sure they have the coolest widgets on the market.

The important thing to remember is that there is no wrong answer, but you will need to make a best guess for department composition and staffing levels.


and taste our undisputed quality.