One of the key problems a security manger must tackle is defining the budget for security training.  Many awareness program guides break it out into a method similar to the following:

1. Identify security roles and responsibilities
2. Conduct a needs assessment
3. Identify the gaps
4. Develop and implement the training plan

Skills Identification

The key step here is the identification of roles and responsibilities.  Identification of security roles and responsibilities is probably one of the most important fundamental aspects to a successful security program.  Although, writing sample roles and responsibilities or breaking out each of the above steps is not the focus of this topic, it is important when defining the core security staff’s training to build on the role definitions by creating a skills identification table.  A skills identification table will work for most organizations because it provides a quick profile of each security professional.  To create a skills identification use excel or a similar program and setup a structure similar to the one shown in the table below.

List each employee in the security program in the left column and then ask each one of them to fill in their certifications and training.  Columns should be added for all security certifications and training associated with employees.  This information will provide the security leader with the organizations current security capabilities.  It will also be easier for the security leader to assign the appropriate personnel to security issues based on their training and certifications.  For career planning you could also expand this model to include a section for desired certifications, training, or expertise.

Applying to Budget 

Now that each employee has provided their information the identification table can be used to help with the annual training budget.  Ideally the security leader should set the annual training budget for at least one training session a year for each employee.  The security leader should also take one training a year, but if cost becomes an issue than offset the security leader training by attending conferences and conventions.  If possible training schedules and classes can be used to prepare for new corporate projects by attending training with specific project needs.  Otherwise training should be defined with each employee based on their career goals and the goals of the organization.

Depending on the size of the core security team an average week of training may cost anywhere from $2500 to $5000 depending on location and accommodations.  To define and annual budget take the number of staff and budget for the $5,000 per person annually.  For example, 5 core security staff should have an annual budget of $25,000 dedicated solely to security training.  Determining the actual classes beforehand will help predict the budget more accurately and possibly save costs on travel.  If you are in a large organization, especially one that is decentralized the budget may increase significantly.  One way to reduce the cost is to identify key security gaps, such as application security, and pay for onsite training.  In this situation budgeting will have to be performed by contacting a vendor(s) to obtain pricing quotes.  Keep in mind there may be an issue with taking a large amount of employees away from their regular work. 

Overall there are several advantages to this staffing and budgeting approach.  One immediate advantage of increasing the security training may be reduced consulting costs.  Another advantage will be increased employee morale, as well as improvement of overall security.

There is an article on The Register web site claiming security spending has soared to 20% of the IT budget.  This is based on a poll of 1070 organizations.

http://www.theregister.co.uk/2007/10/11/comptia_security_survey/

It is a shame the article doesn’t provide more detail.  It would be nice to know the industries surveyed, size of the organizations, and all of the categories assessed.  Does this review include staffing, business continuity, disaster recovery, Application security, etc.?

My experience shows that most organizations can’t account for the actual security dollars spent.  When evaluating IT security within an organization, excluding physical security and business continuity, most organizations I review are in the 1% to 5% range of the IT budget with the exception of the major financial firms and a few others.  These numbers are also pretty much in line with the CSI/FBI annual surveys conducted.

• What is your experience? 
• Can you account for your total security budget? 
• What does that budget include?

Unfortunately this area of security is still lacking in the amount of free information available to the public and many of the assessments are limited to less than 1000 respondents.  I would be happy to post some links on this site if anyone has some good free resources or whitepapers.