Calculating Security Staffing Requirements

RFG believes calculating security staffing requirements is a methodical process that requires significant planning and documentation. IT executives should identify the ownership of security responsibilities, business application requirements, and determine security risks for each application. IT executives should then ascertain the minimum staffing levels required, and ensure the enterprise is appropriately staffed to address those risk factors.

Business Imperatives:

  • The first step in planning security staffing requirements is establishing ownership of the entire security "problem." At organizations that do not already employ a chief security officer (CSO), IT executives should work with other "C-level" and line-of-business (LOB) executives to identify ownership of each element, including physical site security. CSOs should review the security infrastructure at their organizations and ensure that every issue is either owned by their own departments, or clearly assigned to a specific group.
  • IT executives should establish baseline requirements by developing business application profiles (BAPs), identifying security requirements for each application, and allocating the staffing levels needed to meet each security requirement. IT executives should also evaluate outsourcing opportunities for discrete tasks that can be more efficiently addressed by external service providers.
  • Baseline staffing calculations establish absolute minimum levels needed to address enterprise security requirements. IT executives should use this information to determine areas where the enterprise is understaffed, but avoid premature termination of employees in areas that appear overstaffed. If it is imperative to reduce headcount, IT executives should examine the daily tasks of each individual with security responsibilities and determine areas where process inefficiencies or duplication of effort exist.

In many ways, enterprise security requirements continue to place IT executives between the proverbial "rock" and "a hard place." Business partners, customers, government regulators, and the media all expect enterprises to prove their abilities to conduct business without compromising security or privacy. At the same time, budget constraints often prevent IT executives from applying every resource available to addressing those same security concerns. This quandary leads to a balancing act that can produce serious negative consequences for failures in either direction.

Although hardware and software purchases are often the biggest short-term cost items in a security solution, personnel costs dominate long-term total cost of ownership (TCO). Administrators, analysts, management personnel, and security guard expenses can all add up to such a large percentage of the enterprise's total security budget. Consequently, IT executives stand to realize the most benefit by properly allocating resources in this area to meet the enterprise's security needs.

Ownership of this decision-making process is the first personnel role that must be identified. A number of enterprises are creating new departments that focus solely on security and privacy issues. These departments are typically headed by a CSO, and in some cases a chief privacy officer (CPO). This move can relieve the IT department of the need to manage strategic planning for security and privacy issues, and assist in the budgeting process by creating a clear demarcation for security-related expenses. These IT executives can then focus on the business of security, relieving chief information officers (CIOs) and chief technology officers (CTOs) to focus on the business of IT.

IT executives should then develop BAPs to document the areas that require security planning. BAPs are the "containers" in which security requirements reside, and by beginning with this step, IT executives will be following a logical, top-down approach to security planning.

Next, for each business application, IT executives should examine risks related to contractors and business partners, e-mail and other communications channels, employee access to information, physical site security, regulations, teleworker access methods, Web applications, and wireless technologies. IT executives should break out each risk factor and its solution into a matrix such as the sample provided in Table 1.

Table 1: Sample Security Risk Factors and Solutions
Application Risk Factor Solutions
General Risks Physical theft of data Eliminate printers and removable media devices where they are unnecessary. Deploy a centralized fax server for outbound faxing, and record their contents in a log that can be reviewed if unauthorized disclosure is suspected.
General Risks Electronic disclosure of data Deploy and manage software to monitor outbound e-mail transmissions for sensitive data.
R&D Plant Theft of intellectual property. Eliminate removable media devices except where absolutely required. Deploy and manage software to monitor outbound e-mail transmissions for sensitive data.
Web Site Defacement Deploy and manage a file-based intrusion detection system (IDS) sensor to identify unauthorized file modifications.
Web Site Denial of service attacks Deploy and manage a firewall product capable of pacing inbound connections.
Databases Theft of key information and potential liability lawsuits Deploy and manage intrusion detection systems along with strong mutual authentication schemes.
Web Site Software-level security Monitor vendors' Web site and security portals for security patches, then deploy patches when available.
Web Site Electronic theft of data Deploy and manage a host- or network-based IDS sensor to identify hacker activity.

Source: Robert Frances Group

This matrix will obviously be extensive, but this information is valuable not only for staffing considerations but also as a basis for discussions with LOB executives and department managers. Further, where applicable, this material can serve as a concrete indication to auditors and regulators that all active security concerns are being appropriately addressed by the enterprise. This matrix should thus be treated as a living document, and updated on a regular basis to reflect changes in application security requirements.

Finally, IT executives should identify the appropriate tasks and time requirements for each. Because time expenditures for a given task depend largely on business processes, political issues surrounding cases requiring decisions, product selection, and so forth, IT executives should identify a baseline from enterprise-wide averages, rather than relying on figures published in industry studies. This material will serve as a cross-reference to the first matrix to identify staffing requirements to fully meet the security needs of the enterprise. Table 2 below provides a sample of such a matrix.

Table 2: Sample Staffing Requirements for Security Solutions
Solution Staffing Requirement per Deployment
Outbound e-mail monitorTwo administrators, 6 hours each, deploymentOne administrator, 2 hours per week, system management

One manager, 8 hours per week, review trapped messages

File-based IDS sensor One administrator, 1 hour, deployment

One administrator, 4 hours per week, review and authorization of reported changes

Host-based IDS sensor One administrator, 1 hour, deployment One administrator, one security analyst, 4 hours, configurationOne administrator, 2 hours per week, management

One security analyst, 8 hours per week, incident analysis

Security patch management One administrator, 2 hours per week, monitoring Two administrators, 4 hours each per week, installation

Two administrators, 30 hours per year each, baseline patch level audit

Network-based IDS sensor One administrator, 2 hours, deploymentOne administrator, one security analyst, 8 hours, configurationOne administrator, 4 hours per week, managementOne security analyst, 30 hours per week, incident analysis

Outsourced, 40 hours per year, security audit

Source: Robert Frances Group

In many cases, it may make sense to break down elements in the second matrix. For example, experience may show that security patch management is more time-consuming on a given operating system than on others, or that a given vendor's IDS sensor takes less time manage on a regular basis. Business application requirements may still require the usage of those products, but failure to spell out changes in recurring time expenditures would lead to inaccuracy in staffing requirements calculations.

The combination of the above matrices can help produce a baseline number for time requirements. To this number, IT executives should add some margin to compensate for employee sick time, interruptions in work tasks, meetings, vacations, and other factors. An additional margin should be added to address spikes in demand, such as holiday season demands for retailers.

In most cases, this baseline should be treated as a minimum staffing level required to meet the security needs of the enterprise. In cases where current staffing levels do not meet those requirements, IT executives should work with other C-level executives and LOB managers to decide whether to modify application deployments to reduce demands, or hire new security personnel.

Outsourcing certain security functions may also be a viable option. IT executives should be careful with this method, because it could leave enterprise security levels at the mercy of an external vendor. Outsourcing could also increase the workloads required to satisfy auditors and regulators that security needs are being adequately addressed. Further, many managed security providers (MSPs) have yet to develop viable business models and may end up abandoning their businesses at some point. Also, outsourcing will not generally solve security issues that relate to internal business processes. However, outsourcing can produce satisfactory results for issues such as firewall and intrusion detection system management, network vulnerability assessments, and so forth.

In any event, IT executives should avoid using these baseline numbers as justification for reducing headcount until enterprise security requirements are properly identified and evaluated for accuracy and overall completeness. These numbers represent bare minimums to meet current requirements, and will not allow the enterprise to meet increased security needs in the future, or address spikes in intrusion attempts or data theft rates. If headcount reduction is desirable, IT executives should explore options to move security personnel to other IT-related tasks, as these individuals are often better trained than the average technician, and finding qualified and experienced personnel is a difficult task no matter what state the economy is in.

RFG believes performing security staffing calculations is a worthwhile task even if no staffing changes are planned, because the planning process will identify key risk factors, and identify inefficiencies in security management tasks today. IT executives should establish ownership for each responsibility, create BAPs to describe business application requirements, and develop a matrix of risk factors and solutions for each application. IT executives should then use internal averages to create a matrix identifying minimum workload requirements, for each solution, and use those calculations to ensure the department is properly staffed to efficiently address the long-term security needs of the enterprise.

RFG analyst Chad Robinson wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion or an interview with Mr. Robinson.

Copyright © 2003 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)