One of the key problems a security manager must tackle is defining the budget for security training. Many awareness program guides break it out into a method similar to the following:
- Identify security roles and responsibilities
- Conduct a needs assessment
- Identify the gaps
- Develop and implement the training plan
The key step here is the identification of roles and responsibilities. Identifying security roles and responsibilities is probably one of the most important fundamental aspects of a successful security program. Although writing sample roles and responsibilities or breaking out each of the above steps is not the focus of this topic, it is important when defining the core security staff’s training to build on the role definitions by creating a skills identification table. A skills identification table will work for most organizations because it provides a quick profile of each security professional. To create a skills identification table, use Excel or a similar program and set up a structure similar to the one shown in the table below.
List each employee in the security program in the left column and then ask each one of them to fill in their certifications and training. Columns should be added for all security certifications and training associated with employees. This information will provide the security leader with the organization’s current security capabilities. It will also be easier for the security leader to assign the appropriate personnel to security issues based on their training and certifications. For career planning you could also expand this model to include a section for desired certifications, training, or expertise.
Applying to Budget
Now that each employee has provided their information, the identification table can be used to help with the annual training budget. Ideally the security leader should set the annual training budget for at least one training session a year for each employee. The security leader should also take one training a year, but if cost becomes an issue, then offset the security leader’s training by attending conferences and conventions. If possible, training schedules and classes can be used to prepare for new corporate projects by attending training that meets specific project needs. Otherwise, training should be defined with each employee based on their career goals and the goals of the organization.
For a core security team, an average week of training may cost anywhere from $2,500 to $5,000 per person, depending on location and accommodations. To define an annual budget, take the number of staff and budget $5,000 per person annually. For example, 5 core security staff should have an annual budget of $25,000 dedicated solely to security training. Determining the actual classes beforehand will help predict the budget more accurately and possibly save costs on travel. If you are in a large organization, especially one that is decentralized, the budget may increase significantly. One way to reduce the cost is to identify key security gaps, such as application security, and pay for onsite training. In this situation, budgeting will have to be performed by contacting one or more vendors to obtain pricing quotes. Keep in mind there may be an issue with taking a large number of employees away from their regular work.
Overall, there are several advantages to this staffing and budgeting approach. One immediate advantage of increased security training may be reduced consulting costs. Another advantage will be increased employee morale, as well as improvement of overall security.