May 19, 2009
More on Staffing and Governance
I have been tracking, via this blog, a good number of search hits looking for security staffing and governance. Unfortunately, when you search there is not much out on the Internet. If anyone is interested let me know and I will start an open source project off this blog to create a governance and staffing solution/program.
For those that have little or no knowledge in this area I suggest you review the Security Task Force documentation and the Educause updates located here:
Educause Information Security Governance Assessment Tool
For an open source program I would like to build off the current work, but also place a lot more emphasis on the organizational charts and the roles and responsibilities. If you're interested please let me know and we can get everyone together and create an updated model for multiple industries.
March 19, 2009
Security Survey Polls Added
The polls are open!
While visiting this site please check out the new IS Management page and contribute to the voting polls.
If you would like to see new or different polls added let me know.
June 6, 2008
Risk Based Security Plan – Whitepaper
This whitepaper has a good overview of key components of a risk based security plan, which have been put into practice on several occasions. This provides good direction with a decent amount of detail.
Site Requires Registration:
http://searchsecurity.bitpipe.com/detail/RES/1212429613_869.html
The document is about 12 pages, explaining the steps from performing a risk assessment, to developing a security plan, to determining the security budget.
May 9, 2008
Information Security Staffing – Skills Identification and Training Budget
One of the key problems a security manager must tackle is defining the budget for security training. Many awareness program guides break it out into a method similar to the following:
- Identify security roles and responsibilities
- Conduct a needs assessment
- Identify the gaps
- Develop and implement the training plan
Skills Identification
The key step here is the identification of roles and responsibilities. Identification of security roles and responsibilities is probably one of the most important fundamental aspects of a successful security program. Although writing sample roles and responsibilities or breaking out each of the above steps is not the focus of this topic, it is important when defining the core security staff's training to build on the role definitions by creating a skills identification table. A skills identification table will work for most organizations because it provides a quick profile of each security professional. To create a skills identification table, use Excel or a similar program and set up a structure similar to the one shown in the table below.
List each employee in the security program in the left column and then ask each one of them to fill in their certifications and training. Columns should be added for all security certifications and training associated with employees. This information will provide the security leader with the organization's current security capabilities. It will also be easier for the security leader to assign the appropriate personnel to security issues based on their training and certifications. For career planning you could also expand this model to include a section for desired certifications, training, or expertise.
Applying to Budget
Now that each employee has provided their information, the identification table can be used to help with the annual training budget. Ideally the security leader should set the annual training budget for at least one training session a year for each employee. The security leader should also take one training a year, but if cost becomes an issue then offset the security leader's training by attending conferences and conventions. If possible, training schedules and classes can be used to prepare for new corporate projects by attending training matched to specific project needs. Otherwise training should be defined with each employee based on their career goals and the goals of the organization.
Depending on the size of the core security team, an average week of training may cost anywhere from $2500 to $5000 depending on location and accommodations. To define an annual budget, take the number of staff and budget $5,000 per person annually. For example, 5 core security staff should have an annual budget of $25,000 dedicated solely to security training. Determining the actual classes beforehand will help predict the budget more accurately and possibly save costs on travel. If you are in a large organization, especially one that is decentralized, the budget may increase significantly. One way to reduce the cost is to identify key security gaps, such as application security, and pay for onsite training. In this situation budgeting will have to be performed by contacting a vendor(s) to obtain pricing quotes. Keep in mind there may be an issue with taking a large number of employees away from their regular work.
Overall there are several advantages to this staffing and budgeting approach. One immediate advantage of increasing the security training may be reduced consulting costs. Another advantage will be increased employee morale, as well as improvement of overall security.
October 16, 2007
Security Spending – How Much of IT Budget
There is an article on The Register web site claiming security spending has soared to 20% of the IT budget. This is based on a poll of 1070 organizations.
http://www.theregister.co.uk/2007/10/11/comptia_security_survey/
It is a shame the article doesn't provide more detail. It would be nice to know the industries surveyed, the size of the organizations, and all of the categories assessed. Does this review include staffing, business continuity, disaster recovery, application security, etc.?
My experience shows that most organizations can't account for the actual security dollars spent. When evaluating IT security within an organization, excluding physical security and business continuity, most organizations I review are in the 1% to 5% range of the IT budget, with the exception of the major financial firms and a few others. These numbers are also pretty much in line with the CSI/FBI annual surveys conducted.
- What is your experience?
- Can you account for your total security budget?
- What does that budget include?
Unfortunately this area of security is still lacking in the amount of free information available to the public, and many of the assessments are limited to fewer than 1000 respondents. I would be happy to post some links on this site if anyone has some good free resources or whitepapers.
May 8, 2007
Roles & Responsibilities in Policy
Risk assessments almost always produce one consistent finding: a lack of defined roles and responsibilities. The ISO 17799/27001 documents provide some guidance, but in many cases organizations do not know how to define clear security roles and responsibilities. Before writing this I went through about 20 different organization policy documents to see if any listed roles and responsibilities the same way. In most cases I noticed three solutions.
Solution 1:
This solution did not include clearly defined roles and responsibilities. These documents contained a few responsibility statements that were scattered through all the different areas of the main security policy or policies.
Solution 2:
Solution 2 was the most consistent across all documents reviewed. This solution usually defined three specific roles and responsibilities. These are information owner, information custodian, and information user. Each of these three roles had several statements defining their responsibilities, while there were additional statements scattered through all different sections of the policy document.
Solution 3:
Solution 3 was more consistent on policy documents that are broken up into smaller documents or much shorter in overall length. This solution usually had specific roles such as Firewall Administrator, CSO, System Administrators, Compliance Officer, Audit, etc. In most cases each of these roles had several bulleted responsibilities listed.
What Works?
The best solution is the one that works within your organization and causes the least confusion. If risk assessments are performed regularly then make sure the roles and responsibilities are written to address the risk assessment requirements. Two methods usually work.
The first is to combine solutions 2 and 3 and write a separate roles and responsibilities document or section of the overall policy. This way there are many roles and responsibilities defined, which are easy to find because they are all listed in one place.
The second is to use solution 2 near the beginning of the policy document (or in a separate policy document), then in each section of the policy (or each smaller policy document) write a roles and responsibilities subsection with more detailed roles.
March 22, 2007
Perspectives on Obtaining Management Support
Looking to obtain management support! It's not always easy. Many organizations' security officers are always looking to obtain more management support and funding for their programs. This can be a difficult task, so what I have done below is list a few perspectives that work within different organizations.
Compliance – The number one way to get management support is from compliance regulations such as GLBA, HIPAA, SOX, and PCI. If management doesn’t already know what they need to do then educate them and you will get support and funding to implement parts of the program.
Third Party Review – This can be as simple as doing a risk assessment or by hiring skilled ethical hackers to show weaknesses in the organization's information systems. The main point is that management tends to listen more to third parties than to internal security staff. Sometimes there is nothing new that comes out of these assessments that the CISO/CSO doesn't already know. However, third parties have a different presentation and reputation that give them credibility.
Return on Security Investment – For more mature programs, where security devices and security testing are integrated into the daily process, return on security investment is the best motivator for management to provide additional support to the program. Metrics must be measured in these organizations and statistics must be gathered constantly. Metrics should be measured to show that particular practices, such as doing a code review, will actually save the company money vs. the current application testing process used within the organization. Statistics from industry studies must be presented to management providing solid proof that particular security practices will actually save more money over time.
The Proposed Program – For newer security programs, where a CISO/CSO has recently been assigned (yes, these organizations still do exist) and the security team is very small, a formal proposal and plan must be presented to management. In this situation, the newly appointed CISO has a difficult job, especially if the individual does not have an information security background. A detailed plan must be developed, and this plan must include education for management about the need for security. The plan needs to explain in detail both short and long term plans for implementing different security controls based on risk assessment. The key to implementing the plan is to bundle security with other ongoing and new projects. It is much easier to take a little money here and there vs. asking for the entire budget. Also, adding to each project will be beneficial later because you have already started integrating security with the different practices already in place.
March 5, 2007
Security Program Development: Fundamentals of Staffing!
I wanted to kick off this blog with a little more serious discussion involving security program development. Therefore, I am putting out there my thoughts on information security staffing.
The Question
“How do you determine the appropriate level of security staff I need?”
It’s amazing how many times individuals at organizations want the bullet answer to this question. They ask, “Is there a dollar per staff ratio (1million:1staff) that can be used to see if my organization has the appropriate number of staff? Is there an employee to security staff ratio (1000:1) that I should be following?”
I find this topic important because there are some fundamental items that must be assessed before determining staff for any function within the organization. For example, let us talk about software development staff for a minute. How do you determine how much development staff you need? Can that question be answered with a ratio to IT staff? Not really, not without a good deal of additional information.
What do we need?
I've seen a few articles that try to calculate and answer this question. One in particular I remember was an article using the approach of identifying a primary and backup individual for each device platform. In my experience, this is not practical or cost effective, nor does this method use a risk based approach to security. I think methods like these are missing the key fundamentals for determining staff. What is it that we need to determine the appropriate number in our organization?
Fundamentals of Staffing
In my experience, I am in the unique situation of evaluating many organizations' security staffing levels. What I have determined is that organizations have more staff dedicated to information security than they really know. The problem is that the staff is not functioning together as one entity. A few fundamental items can be used to help management determine the appropriate staff levels. These fundamentals can also be used to help security function as a single entity with a common goal. The fundamentals are:
1. Scope: Scope of information security within the organization.
2. Requirements: The legal, compliance, and business requirements.
3. Budget: Total organization budget, IT budget, and security budget.
4. Roles and Responsibilities: The current and required roles and responsibilities (including the information security governance structure)
5. Time and Assessment: Current security posture, future security posture, and time to be compliant or obtain the future security posture.
6. Management Support: Executive sponsorship and commitment.
Putting it Together
These are not all-encompassing, nor are they a silver bullet solution. Obtaining this fundamental information in accordance with a risk assessment will help you identify the gaps in your requirements for reaching a particular security posture at a given point in time. That information, prioritized by risk, can be used to staff up accordingly and reach a common goal.
Remember, all processes require constant updating. So does security staffing, whether it be with contractors or internal employees. Don't look at the problem as trying to find the correct ratio for the appropriate number of security staff. This number should be constantly changing based on the fundamentals provided above. Information security, like any other ongoing process, must be dynamic and constantly changing to meet the organization's needs at a given point in time.
