More on Staffing and Governance

I have been using this blog to track a good amount of search hits looking for security staffing and governance.  Unfortunately when you search there is not much out on the Internet.  If anyone is interested let me know and I will start an open source project off this blog to create a governance and staffing solution/program.

For those that have little or no knowledge in this area I suggest you review the Security Task Force documentation and the EDUCAUSE updates located here:

EDUCAUSE Information Security Governance Assessment Tool

For an open source program I would like to build off the current work, but also place a lot more emphasis on the organizational charts and the roles and responsibilities.  If you are interested please let me know and we can get everyone together and create an updated model for multiple industries.

Risk Based Security Plan – Whitepaper

This whitepaper gives a good overview of the key components of a risk based security plan, which have been put into practice on several occasions.  It provides good direction with a decent amount of detail.

Site Requires Registration:

The document is about 12 pages and explains the steps from performing a risk assessment, to developing a security plan, to determining the security budget.

Information Security Staffing – Skills Identification and Training Budget

One of the key problems a security manager must tackle is defining the budget for security training.  Many awareness program guides break it out into a method similar to the following:


  1. Identify security roles and responsibilities
  2. Conduct a needs assessment
  3. Identify the gaps
  4. Develop and implement the training plan


Skills Identification

The key step here is the identification of roles and responsibilities.  Identifying security roles and responsibilities is probably one of the most important fundamental aspects of a successful security program.  Although writing sample roles and responsibilities or breaking out each of the above steps is not the focus of this topic, when defining the core security staff's training it is important to build on the role definitions by creating a skills identification table.  A skills identification table will work for most organizations because it provides a quick profile of each security professional.  To create a skills identification table, use Excel or a similar program and set up a structure similar to the one shown in the table below.



List each employee in the security program in the left column and then ask each one of them to fill in their certifications and training.  Columns should be added for all security certifications and training associated with employees.  This information will give the security leader a view of the organization's current security capabilities.  It will also make it easier for the security leader to assign the appropriate personnel to security issues based on their training and certifications.  For career planning you could also expand this model to include a section for desired certifications, training, or expertise.


Applying to Budget

Now that each employee has provided their information, the identification table can be used to help with the annual training budget.  Ideally the security leader should set the annual training budget to cover at least one training session a year for each employee.  The security leader should also take one training course a year, but if cost becomes an issue, then offset the security leader's training by attending conferences and conventions.  If possible, training schedules and classes can be used to prepare for new corporate projects by attending training that matches specific project needs.  Otherwise training should be defined with each employee based on their career goals and the goals of the organization.


Depending on the size of the core security team, an average week of training may cost anywhere from $2,500 to $5,000, depending on location and accommodations.  To define an annual budget, take the number of staff and budget $5,000 per person annually.  For example, 5 core security staff should have an annual budget of $25,000 dedicated solely to security training.  Determining the actual classes beforehand will help predict the budget more accurately and possibly save costs on travel.  If you are in a large organization, especially one that is decentralized, the budget may increase significantly.  One way to reduce the cost is to identify key security gaps, such as application security, and pay for onsite training.  In this situation budgeting will have to be performed by contacting one or more vendors to obtain pricing quotes.  Keep in mind there may be an issue with taking a large number of employees away from their regular work.


Overall, there are several advantages to this staffing and budgeting approach.  One immediate advantage of increasing security training may be reduced consulting costs.  Another advantage will be increased employee morale, as well as improvement of overall security.

New Foundstone Blog

It's about time!  Foundstone Professional Services has been added to the Avert Labs research blog.  So now the makers of all the free hacking tools are accessible online.  Check it out; there are already some great posts.

I've also added it to the blogroll.