I wanted to kick off this blog with a little more serious discussion involving security program development. Therefore, I am putting out there my thoughts on information security staffing.
“How do you determine the appropriate level of security staff I need?”
It’s amazing how many times individuals at organizations want the bullet answer to this question. They ask, “Is there a dollar-per-staff ratio (1 million : 1 staff) that can be used to see if my organization has the appropriate number of staff? Is there an employee-to-security-staff ratio (1000 : 1) that I should be following?”
I find this topic important because there are some fundamental items that must be assessed before determining staff for any function within the organization. For example, let us talk about software development staff for a minute. How do you determine how much development staff you need? Can that question be answered with a ratio to IT staff? Not really, not without a good deal of additional information.
What do we need?
I’ve seen a few articles that try to calculate and answer this question. One in particular that I remember used the approach of identifying a primary and a backup individual for each device platform. In my experience, this is neither practical nor cost effective, nor does this method use a risk-based approach to security. I think methods like these are missing the key fundamentals for determining staff. What is it that we need to determine the appropriate number in our organization?
Fundamentals of Staffing
In my experience, I am in the unique situation of evaluating many organizations’ security staffing levels. What I have determined is that organizations have more staff dedicated to information security than they really know. The problem is that the staff is not functioning together as one entity. A few fundamental items can be used to help management determine the appropriate staff levels. These fundamentals can also be used to help security function as a single entity with a common goal. The fundamentals are:
1. Scope: Scope of information security within the organization.
2. Requirements: The legal, compliance, and business requirements.
3. Budget: Total organization budget, IT budget, and security budget.
4. Roles and Responsibilities: The current and required roles and responsibilities (including the information security governance structure).
5. Time and Assessment: Current security posture, future security posture, and time to be compliant or obtain the future security posture.
6. Management Support: Executive sponsorship and commitment.
Putting it Together
These fundamentals are not all-encompassing, nor are they a silver-bullet solution. Obtaining this fundamental information in conjunction with a risk assessment will help you identify the gaps in your requirements for reaching a particular security posture at a given point in time. That information, prioritized by risk, can be used to staff up accordingly and reach a common goal.
Remember, all processes require constant updating. So does security staffing, whether it be with contractors or internal employees. Don’t approach the problem by trying to find the correct ratio for the appropriate number of security staff. This number should be constantly changing based on the fundamentals provided above. Information security, like any other ongoing process, must be dynamic and constantly changing to meet the organization’s needs at a given point in time.