When it comes to information security, midsize organizations face many of the same threats as larger companies do. Yet they rarely have the luxury of hiring full-time IT security specialists. But with a more selective hiring strategy, investment in security training, and targeted outsourcing, you can help overcome budget limitations and foster a more secure organization.

In Summary:

• Conduct a detailed analysis of your strengths, weaknesses, and ongoing security requirements, and then cross-check the results against staffing needs.
• Develop a security staffing plan that identifies specific organizational requirements.
• Make sure that there's someone to oversee security, whether it's the chief information officer, chief operating officer, or chief financial officer.
Security experts say that many midsize companies have inadequate IT security. At the heart of the problem is staffing. While a company may have an outstanding IT department made up of individuals who have a basic understanding of security issues, the complexity of today's security environment demands specialized skills and knowledge. Developing a strategy for filling niche needs — while not overtaxing staff — is essential. It's possible to build a more secure organization even on a tight budget.

Smaller midsize firms (typically with fewer than 200 employees) often manage risk by imbuing staff members with a general knowledge of viruses, spyware, e-mail security, Internet and network security, and encryption. Larger midsize companies (with more than 750 employees) might invest in a dedicated security officer and one or two specialized IT security roles covering key areas such as applications or networking. Companies of all sizes can benefit from selective outsourcing. This article covers ways to maximize money, time, and resources when developing IT security staffing strategies.

Assess your IT staff for security knowledge

"The first step is to identify the areas where the organization is deficient," says Shaun McAravey, president and chief technology officer of SoftSource Consulting, a Portland, Ore.-based IT and security consulting firm and a Microsoft Gold Certified Partner. One approach is to use a numerical rating model that ranges from 1 to 3 (corresponding to low, medium, and high risk) and compare threats with existing IT skill levels to identify gaps. For example, a company might find that it is at high risk for data theft but lacks the resources to manage application security or protect databases.
Regardless of the approach, the analysis and resulting staffing plan must serve business needs. It is worth investing in an outside consultant to assess the state of security across various functions and groups in your company.

Develop or hire a senior leader to oversee security requirements

Ideally, a company would hire a chief security officer (CSO) to manage security tasks, technology, strategy, skills training, and business alignment. Unfortunately, best intentions and reality often collide. But that doesn't mean that you can't appoint an executive to oversee security in addition to his or her other business responsibilities. (In many cases, midsize companies expect the CIO or IT director to manage security.)

For those companies with enough money to hire a dedicated security officer, finding a suitable candidate requires creativity. It may be necessary to use a recruiting firm that specializes in IT and security to get this done. If you choose to conduct a search on your own, hire a security consultant or other expert during the interviewing process to help confirm your selection of top candidates. Alternatively, some staffing agencies can offer a part-time CSO, notes John H. Price, executive vice president of Certified Security Solutions, a Kirkland, Wash., consulting firm and Microsoft Gold Partner. No matter your company size, appoint someone — even if it's an outside consultant — to execute the security staffing plan and manage the security strategy.

Hire selectively and build fields of knowledge and expertise

Although smaller companies typically employ IT generalists who divide up security tasks, larger organizations should hire and develop employees to fit specialized security roles. For example, an organization might find an individual knowledgeable about application security practices and another who is well versed in intrusion detection or computer forensics.
Consider using a temporary staffing agency or specialized recruiting firm to help find quality candidates. This approach can offer flexibility and often simplifies short-term projects. Before looking outside, however, be sure to thoroughly investigate what's in your own backyard. Look for opportunities where you can build on existing knowledge and skills, says Keith Echols, executive vice president of w3r Consulting, a Southfield, Mich., consulting firm and Microsoft Gold Partner. For instance, the CIO might appoint someone who is knowledgeable about network security to handle mobile computing and applications, while a staffer with authentication expertise could deploy solutions for document management.

Training and education are especially important here. Identify areas of common security knowledge that all IT staff members need, such as basic authentication methods, recognizing intrusions and attacks, and physical security requirements. Then, identify specialized security skills required by network engineers, systems administrators, application developers, and others.

Provide ongoing training and obtain certifications

Midsize businesses face enormous challenges in developing the right skills and knowledge, especially in the ever-changing field of information security. Adding to their woes, they're under pressure from large enterprises that frequently lure talented IT professionals away from smaller companies, says Christian Byrnes, vice president and team manager for the IT consulting firm Gartner. Nevertheless, it's important to provide regular training so that your IT staffers can update their security skills. Certifications can play an important role in your education strategy. Resources include the SANS Institute, (ISC)2's Certified Information Systems Security Professional certification, Microsoft Training, Microsoft Press books, and Microsoft Certifications.
Many Microsoft Gold Certified Partners offer courses on a wide range of security topics; you can search for partners in your area. Finally, Byrnes suggests developing an internal searchable knowledge base — even if it consists only of Microsoft Office Word files. By documenting security incidents, requirements, technologies, and internal best practices, you can pass on valuable knowledge to future security staff.

Develop a sourcing strategy

Even with ample budgets, advanced IT skills — particularly ones in high demand, such as security — can be difficult to find. As a result, security outsourcing (in the form of consultants or hosted services) is a rapidly growing area. According to SoftSource's McAravey, the most appropriate tasks for outsourcing include security assessments, training, external auditing, testing, and the implementation of physical infrastructure. Echols recommends capturing at least some of the knowledge from these domain experts and building it into your security plans and knowledge base.

There's no question that midsize businesses face formidable challenges in managing security staffing. By emphasizing up-front analysis, developing a business-aligned staffing strategy, and focusing on training and development, however, you can create a more sophisticated IT security practice without breaking your budget. "You don't succeed by accident," McAravey says. "The most successful organizations understand how important staffing is in building a successful security strategy."

Samuel Greengard is a West Linn, Ore., writer who specializes in business and technology. He contributes regularly to the Microsoft Midsize Business Center.