More on Staffing and Governance

I have been using this blog to track a good number of search hits looking for security staffing and governance.  Unfortunately, when you search there is not much out on the Internet.  If anyone is interested, let me know and I will start an open source project off this blog to create a governance and staffing solution/program.

For those that have little or no knowledge in this area I suggest you review the Security Task Force documentation and the EDUCAUSE updates located here:

EDUCAUSE Information Security Governance Assessment Tool

For an open source program I would like to build off the current work, but also place a lot more emphasis on the organizational charts and the roles and responsibilities.  If you are interested, please let me know and we can get everyone together and create an updated model for multiple industries.

Security Breach Resources

Pulling security breach trends for different industries the past few months I came across a few good sources to help anyone that needs specific data.

Two sites I found with an abundance of information were: one that hosts a chronological list of breaches from several years back until the present date with a brief description of each breach and the number of records affected, and one that hosts the actual breach notification letters that have been sent out.

For statistics and trends use these resources.


In general it looks like breach frequency is about the same in 2007 and 2008.  Problems seem to be related to basic items such as laptop theft, data left unencrypted, and your usual intruder attack.

IT Security Spending 10% of IT Operating Budget

10% of IT budget seems high.  It would be nice if someone provided an industry breakdown.  I can’t imagine that certain industries are even close to this number.  Resource links to the posting are below.

Information Security Staffing – Skills Identification and Training Budget

One of the key problems a security manager must tackle is defining the budget for security training.  Many awareness program guides break it out into a method similar to the following:

  1. Identify security roles and responsibilities
  2. Conduct a needs assessment
  3. Identify the gaps
  4. Develop and implement the training plan


Skills Identification

The key step here is the identification of roles and responsibilities.  Identification of security roles and responsibilities is probably one of the most important fundamental aspects of a successful security program.  Although writing sample roles and responsibilities or breaking out each of the above steps is not the focus of this topic, it is important when defining the core security staff's training to build on the role definitions by creating a skills identification table.  A skills identification table will work for most organizations because it provides a quick profile of each security professional.  To create a skills identification table, use Excel or a similar program and set up a structure similar to the one shown in the table below.



List each employee in the security program in the left column and then ask each one of them to fill in their certifications and training.  Columns should be added for all security certifications and training associated with employees.  This information will provide the security leader with the organization's current security capabilities.  It will also be easier for the security leader to assign the appropriate personnel to security issues based on their training and certifications.  For career planning you could also expand this model to include a section for desired certifications, training, or expertise.


Applying to Budget

Now that each employee has provided their information, the identification table can be used to help with the annual training budget.  Ideally the security leader should set the annual training budget for at least one training session a year for each employee.  The security leader should also take one training a year, but if cost becomes an issue, then offset the security leader's training by attending conferences and conventions.  If possible, training schedules and classes can be used to prepare for new corporate projects by attending training that matches specific project needs.  Otherwise training should be defined with each employee based on their career goals and the goals of the organization.


Depending on location and accommodations, an average week of training may cost anywhere from $2,500 to $5,000, so the total scales with the size of the core security team.  To define an annual budget, take the number of staff and budget $5,000 per person annually.  For example, 5 core security staff should have an annual budget of $25,000 dedicated solely to security training.  Determining the actual classes beforehand will help predict the budget more accurately and possibly save costs on travel.  If you are in a large organization, especially one that is decentralized, the budget may increase significantly.  One way to reduce the cost is to identify key security gaps, such as application security, and pay for onsite training.  In this situation budgeting will have to be performed by contacting a vendor (or vendors) to obtain pricing quotes.  Keep in mind there may be an issue with taking a large number of employees away from their regular work.


Overall there are several advantages to this staffing and budgeting approach.  One immediate advantage of increasing security training may be reduced consulting costs.  Another advantage will be increased employee morale, as well as improvement of overall security.

Security Spending – How Much of IT Budget

There is an article on The Register web site claiming security spending has soared to 20% of the IT budget.  This is based on a poll of 1070 organizations.

It is a shame the article doesn't provide more detail.  It would be nice to know the industries surveyed, the size of the organizations, and all of the categories assessed.  Does this review include staffing, business continuity, disaster recovery, application security, etc.?

My experience shows that most organizations can't account for the actual security dollars spent.  When evaluating IT security within an organization, excluding physical security and business continuity, most organizations I review are in the 1% to 5% range of the IT budget, with the exception of the major financial firms and a few others.  These numbers are also pretty much in line with the CSI/FBI annual surveys.

  • What is your experience?
  • Can you account for your total security budget?
  • What does that budget include?

Unfortunately this area of security is still lacking in the amount of free information available to the public, and many of the assessments are limited to fewer than 1000 respondents.  I would be happy to post some links on this site if anyone has some good free resources or whitepapers.