(CIO Magazine, Network World Fusion, National Institute of Standards and Technology)
Scenario: You have a security emergency that requires all your IT staff to drop everything they're doing to help diagnose a virus outbreak and disinfect your network. You limit the damage caused by the virus, but an important e-business project falls behind schedule. Although you have prevented a major disruption to business operations, your boss fires you for poor performance on the e-business project. This situation could have been avoided if you had a security staffing strategy.
What is a Security Staffing Strategy?
A security staffing strategy is like having a list of fire marshals or CPR-trained staff: when there's an emergency, you know who to call. A security staffing strategy goes beyond an Incident Response Team of part-time security staff to include the people who will backfill the important non-security projects that the part-time Incident Response Team members are pulled away from.
Why is Creating a Security Staffing Strategy Important?
Planning in advance who does what in the event of an incident lets you stay on top of both the security issue and the important business issues at the same time.
How this Saves Money
Instead of letting either security or business projects suffer (either of which can cost your company millions), a security staffing strategy identifies the most important issues and plans adequate personnel to manage them in any situation.
Action Plan
Formulate a security staffing strategy by doing the following:
- Build a corporate security strategy first. This is necessary to determine what your company's requirements are, which types of skills you need, and how many people you'll staff both full-time and part-time. A rule of thumb is that for every 20 IT staff members you have, you should have one full-time security expert. See Info Tech's decision guide titled "Security Management Decision Guide" for more information about creating a security strategy.
- Consider outsourcing your initial security needs assessment to an expert security firm. When you're completely new to the field, outside experts can rapidly move you up the learning curve.
- Staff your security team based on specific individual responsibilities, not a general "security responsibility." These responsibilities include:
  - Responding to incidents
  - Assessing vulnerabilities
  - Detecting intrusions
  - Creating policies and procedures
- Recruit creatively. Start by asking for full-time volunteers among current staff. Alternatively, towns with military bases nearby are good sources of skilled external security candidates.
- Conduct background checks on every candidate you consider for a sensitive security position, and complete them before granting any privileged access. When interviewing, ask how candidates would respond to scenarios your company might actually encounter (e.g. "The firewall logs show a lot of suspicious activity; what action would you take?"). Security staff must have a healthy degree of paranoia but must also be trustworthy, since they will have privileged access to your company's systems and data.
- Retain security staff by offering training and public recognition for excellent work. If the staff is relatively inexperienced, start with basic security training and develop more specialized skills (e.g. firewall administration, virus handling) later. Internships at "veteran" security companies are another good way to train new security staff.
- If you have part-time security staff who will assist during incidents, have a backfilling plan. This plan will do the following:
  - Identify which part-time security people you'll call in to deal with security incidents.
  - Identify the non-security IT staff who will cover the most important projects that the part-time security staff are responsible for while they're dealing with a security crisis. The goal is to have every high-priority project adequately staffed at all times, while lower-priority projects can be delayed during a staffing crisis.
Bottom Line
Most of the time, business issues will take precedence over security issues. During a security crisis, however, important business issues take a back seat, which costs your company time and money. Both security and business-related technology projects are important enough to deserve staffing strategies.