@jkbecker wow, a 1:1000 ratio would be horrible. I'd f'ing quit tomorrow. I was thinking more like the 1:100 - 1:200 range. To put it in context, you're saying 7 people to cover a company of 6,500 people?
@alyssam_infosec @jkbecker I would love 1:1000, public sector is not even close. We are 1:5000.
@alyssam_infosec @jkbecker Unfortunately it's a massive "It depends" answer because the answer really varies based on what the organisation does. Large retailers with large amounts of store staff I've worked at 1:2000 when CISO; tech companies have to be far higher. I've always based it on the number of tech-related roles including staff/contractors/outsourced workers. 5-10% of those should be security. The greater the complexity or the risk, the greater the % should be. Those ratios feel comfortable; unfortunately it rarely happens as companies see security as a waste.
@alyssam_infosec @jkbecker I have a team of 4 to cover nearly 20,000 faculty, staff, and students. So 1:1000 sounds great to me!