Handbook of Information Security Management:Policy, Standards, and Organization

Previous Table of Contents Next


Expense and availability of external consultants — A major problem will be to estimate the dollar amount needed and obtain a budget for the cost of qualified consultants. Consultants are not cheap, and IPS must ensure it obtains the very best available, consistent with technical and operational requirements of the organization. Baseline estimates can be derived from project-planning templates that estimate “Full Time Equivalent’s (FTEs)” required to complete a project within acceptable timelines. Translate these into consulting hours directly on an annualized basis and attach the hours and project to the budget estimate. If senior management cuts the IPS budget request, reprioritize the remaining hours based on impact and significance. Management must appreciate that the cost must be compared both to the fully burdened cost of a regular IPS staff member (typically $100,000 or more) and that it represents transient expertise required to achieve acceptable levels of risk to the organization. The projected hours allocated to the consulting budget, should be easier to sell once these issues are understood. This process provides an opportunity to demonstrate the business acumen of the IPS manager. To fully benefit from the process, one should use the same arguments that typically result in outsource decisions, such as lower cost operations, higher ROI, etc.

Project management is paramount — To achieve predictable results in a matrix environment requires excellent project management skills combined with political savvy and superior communications abilities. If these do not sound like the typical skills developed by information security staff, then they have probably been focused too much on technology and will be jeopardizing their future success unless such skills and experience are obtained.

Determining and assigning budgetary responsibility — Internal staff matrixed to projects can be carried as part of their principal organization as the expectation is that IPS will enroll information system sponsors that have a high level of interest in completing a security project. However, matrix information systems staff which is engaged in establishing a new IPS functional responsibility, as for example the administration of an Internet security system (i.e., “firewall”), should be carefully monitored by both the sponsoring system’s organization and the IPS organization. When the task becomes a substantial portion of the daily job (say, 40% or more), then it’s time to seek a regular “full time” IPS staffer to become the principal and accountable person. The matrix staffer can then revert to secondary or backup for the primary IPS regular. Managed in this fashion the IPS staff will only grow as fast as the role justifies and the need for backup staff (vacations, sick leave, training absences, etc.) are minimized. If IPS fails to acquire a regular staff asset when a task becomes a “full time” job, they risk violating a basic principle of corporate finance, since costs will be incurred increasingly by the systems group but the efforts will be directed and controlled by the IPS group.

CONCLUSION

The “Good-Old-Days” Are Over

IPS is a challenging role that will become increasingly important to all organizations as knowledge-based economic competition becomes the norm for much of the world’s economic activity. Creating an organizational model that will facilitate rapid adaptation to the torrid pace of technical innovation and lightning changes in business strategies and operations is essential.

The twenty-first century will be “lean and mean”, and even more competitive than the twentieth. While some pundits blithely announce “the end of competition”, reality seems to argue for the reverse: intensified and continuous competition among highly adaptable, learning organizations in a global marketplace. IPS can best make a meaningful contribution in this environment through adopting a “virtual team” which will allow the goal of protecting critical information assets to be achieved in an innovative manner.


Exhibit 1.  Risk Areas and Resources


Previous Table of Contents Next



The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version are covering, however it is one of the best tool you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.