How to Establish a Security Office In a Non-Profit Organization

Shane Molinari, MSc, PMP, CISSP, SSMBB Principal, BCM Professionals

22 June 2013

Abstract: This document will propose a candid straightforward approach for developing a successful and sustainable enterprise corporate security program for non-profit organizations in the US Central region. The strategy will reflect alignment between organizational information or corporate security office and the executive leaderships business goals and objectives, resulting in a clear risk -based security investment process

Table of Contents 1 Introduction .............................................................................................................. 1

1.1 1.2 Current State of Knowledge ............................................................................................................. 1 Proposed Future State of Knowledge .............................................................................................. 1

2 Aligning Security Strategy with Business Objectives and Goals ........................ 3

2.1 2.2 2.3 2.4 Risk Management as an Investment Strategy ................................................................................. 3 Adaptable Security for the Sake of Business ................................................................................... 4 Clear Communications to Bridge Operations and Technology ........................................................ 5 Individual Accountability ................................................................................................................... 6

3 Security Operations: Strategy to Reality ............................................................... 7 4 Security Knowledge Assets .................................................................................... 9

4.1 Sample Roles, Responsibilities, and Minimum Qualifications ....................................................... 10 Top Security Executive: Chief Security Officer ....................................................................... 10 Second Level Security Executive: Security Operations .......................................................... 10 Information Security Manager Job .......................................................................................... 11 Information Security Specialist II ............................................................................................. 12 Information Security Specialist I .............................................................................................. 13 Business Unit Security Manager ............................................................................................. 13 Business Unit Security Analyst ................................................................................................ 14

4.1.1 4.1.2 4.1.3 4.1.4 4.1.5 4.1.6 4.1.7

5 Budget..................................................................................................................... 16
5.1 5.2 Overview ........................................................................................................................................ 16 Labor Cost ...................................................................................................................................... 16

6 References.............................................................................................................. 19

Page 2 of 20

Table of Figures
Figure 1-1 Security Cross Matrix Aligned with ITIL Version 3 (SABSA, 2013) .......................................... 2 Figure 2-1 Information Security Baseline Metrics Framework ................................................................... 4 Figure 3-1 Evolutionary Process Improvement Roadmap ........................................................................... 7 Figure 4-1 Security Functional Organization Chart. Dotted lines represent communication only ............. 9 Figure 5-1 US Central and Mountain Regional Security Salaries for 2012 ............................................. 17 Figure 5-2 Adjusted 2012 Security Salaries for Iowa Region .................................................................. 18

List of Tables
Table 2-2 Example of Security Metrics Aligned with Overarching Business Drivers ................................. 5

Introduction

This document will propose a candid straightforward approach for developing a successful and sustainable enterprise corporate security program for non-profit organizations in the US Central region. The strategy will reflect alignment between organizational information or corporate security office and the executive leaderships business goals and objectives, resulting in a clear risk-based security investment process (Gartner, 2005). Ultimately, the strategy will demonstrate security for the sake of business as opposed to security for the sake of security. The approach is based on respective industry standards, best practices, and proven strategies. This enables an organization to customize security processes, while maintaining a solid foundation for the security program.

1.1

Current State of Knowledge

Although most businesses have some form of risk-based investment strategies to keep their doors open, many have no formal risk-based security management program in place. As a result, the impacts realized may include: Abstract implementation suggestions that lead to inefficient risk mitigation strategies (Baker et al., 2007) Subjective threat probability determination instead of objective evaluation (Frosdick, 1997; Bandyopadhyay and Mykytyn, 1999; Baker et al., 2007) Unquantifiable security investments directly impacting expected return-effectiveness (Ittner and Larcker, 2003; Smith and Spafford, 2004) No viable executive leadership decision support needed to identify appropriate security solution cost benefits (Fenz, et al, 2011)

Consequently, the fundamental-level impacts from having a fragmented security infrastructure include failed security audits, uncontrolled business processes, and no valid accountability for business process owners.

1.2

Proposed Future State of Knowledge

In keeping with industry standards and best practices, the proposed security governance framework will deliver results along ve strategic dimensions: 1. Security strategies aligned with business objectives and consistent with applicable laws and regulations to reduce cost and increase the effectiveness of compliance 2. Security risks identified and managed to achieve business objectives to yield strategic cost savings by addressing security from a comprehensive perspective 3. Security program management design, development, and management will implement the security governance framework by utilizing a comprehensive set of managerial tools (e.g., metrics) and disciplines (e.g., risk management), along with a customizable means of communicating, to executive colleagues and other stakeholders, the value, status and impact of security
Page 1 of 20

4. Security leadership will oversee and direct activities to execute the security program transformation from asset guardian to strategic business enabler for effective change that will benefit over the long term 5. Response team protocols will support the capability to respond to and recover from disruptive and destructive security events

Figure 1-1 Security Cross Matrix Aligned with ITIL Version 3 (SABSA, 2013)

This approach will enhance the ability to establish customized enterprise-wide security solutions as a dynamic continuous process, while maintaining a solid foundation of best practices necessary to meet the legal and business requirements of the business stakeholders.

Page 2 of 20

Aligning Security Strategy with Business Objectives and Goals

The Security Office will leverage governance mechanisms to ensure that proactive security and risk control practices are directly in line with business objectives (Howe & Olsen, 2009). The approach will be successful by having the business process owners to take ownership of a relatively small number of risk management profiles respective to their operations. This will result in a positive security convergence developing a managed business process solution to address enterprise operation risks and interdependencies (ASIS, 2010). Organizations can achieve these critical goals as follows: Risk Management as an Investment Strategy Agile Security for the Sake of Business Clear Communications to Bridge Operations and Technology Individual Accountability

2.1

Risk Management as an Investment Strategy

The traditional approach to driving a one size fits all level of protection cannot be simultaneously effective and economically viable for the Security business unit. Instead, it is important to leverage risk management as an investment strategy. Using business continuity-based risk assessments will enable leadership to better understand where security capabilities in people, processes, and technologies reside across their respective enterprise, and what security needs to achieve for the organization in the future. This evolutionary tactic will facilitate greater budgetary controls for our security services to our internal clients while providing effective and efficient corporate protection over the long term. Ultimately, this will facilitate leadership to optimally account for process-based risk levels with the added cost benefit of prevention versus reaction to security issues. Further, security managements capability maturity will quickly evolvebeyond fundamentally integrated information security and physical securityas connected disciplines. For example, an enterprise portfolio management tool could be used to support the respective operational changes. Changing the assumptions and inputs to model annual plans and what if scenarios that could then help develop forward visibility into how, when, and in what combinations and sequences one can focus on new security capabilities. In this regard, the software tool can standardize analysis models and forecast impacts to the organization resulting from changes in the business or technology environments.

Page 3 of 20

2.2

Adaptable Security for the Sake of Business

Collectively, the organizational business objectives form the single most important driver of the security strategy. Basing the enterprise security policies and protocols on the organizational business needs, will demonstrate clear and continual support for the business strategic goals and objectives, enabling security leadership to better defend their respective security plans and the budgets they require (Martin et al, 2011). This goal can be achieved by leveraging process improvement methodologies, metrics, and key performance measures to meet the organizations bottom line requirements and enable real assessment of the security protocols and processes effectiveness and value.

Business Value
People Process Infrastructure Technology Compliance

Figure 2-1 Information Security Baseline Metrics Framework

The users of security evidence include system and software developers, operational system managers, risk managers and the executive and organizational leadership. Decision support, monitoring and prediction assessments benefit from security metrics: Strategic Support: Security assessments can aid different kinds of decision making (e.g., program planning, resource allocation) Quality Assurance: Audits can be used to eliminate vulnerabilities, measure adherence to standards (e.g., ISO), identify, track, and analyze security flaws Tactical and Operational Oversight: Monitoring & reporting of the security posture can determine compliance with the security requirements (e.g., policy, procedures and regulations), gauge the effectiveness of security controls and manage risk, provide a basis for trend analysis, and identify specific for improvement Establish a Baseline for Monitoring & Improvement: An organization that understands its security posture, likely understands its level of security risk Assess the Effectiveness of Controls & Gaps Thereof: How well are implemented controls working? What are the gaps? What are the risks associated with the gaps? Help With Decision Making: What are real and potential shortcomings? How closely are objectives being met? Is there a needed change of direction? Risk Identification: What assets need protection? What is their value? What threats and vulnerabilities exist to the assets? What chances for exploitation exist? What is the likely impact? Risk Management: Risk assessment (i.e., extent of exposure to threats), controls (i.e., what countermeasure to identified risks), and control assessment (i.e., how effective are those controls?) Identify Priorities: resource deployment based on risk level to assets.

Equally, it must be understood that strategy development is not an annual exercise. It is a continuous process that must evolve as the needs of the business change. To ensure the strategy supports change,
Page 4 of 20

this information and analysis will need to be translated into an actionable, repeatable, and reportable strategy that identies the business case supporting project creation, project prioritization, and investment optimization while also generating a strategic implementation roadmap. The table below is a simplified example of how to align general security metrics with overarching business drivers.

BUSINESS DRIVERS SECURITY MEASURE OR METRIC Security cost as a percentage of total company revenue The number of safety hazards proactively identified and eliminated annually Percentage of critical information assets or functions residing on systems that are currently in compliance with approved system architecture The number of failed or ineffectual business unit responses to issues identified as control weaknesses that result from fraud prevention analysis, investigations or other feedback COST MGT. X X RISK MGT. ROI VALUE X X X X LEGAL REQ. POLICY REQ. LIFE SAFETY INTERNAL INFLUENCE

Table 2-1 Example of Security Metrics Aligned with Overarching Business Drivers

2.3

Clear Communications to Bridge Operations and Technology

It must be clearly understood that what, where, and how security must be communicatedwithin the respective organizationand how the forms of communication will need to vary depending on which security constituent is being targeted. That means the security champions must be supported by a methodology that provides a broad number of reporting choices in how they will sift, lter, roll up and summarize security information in a manner customizable for different audiences. Utilizing risk-related communications in a simple and straightforward manner will help bridge technology and operational security with business executives to express and articulate the security-criticality of specific enterprise assets and business processes.

Engagement

Awareness

Intelligence

Page 5 of 20

2.4

Individual Accountability

It is hard to overstate the importance of effective security awareness and communication. The challenge is to gain buy-in at every level of our organization to understand how security supports and impacts organizational processes, assets, efciency, and our operating objectives. Communication about security is not just an administrative function. Rather it is an integral component of how to provide tangible value to customers, employees, and stakeholders. Driving security policies, by using risk-based terminology with business acumen, will ensure process owners keep and maintain their respective risk mitigation strategies for the enterprise organization. Taking the perspective of having internal clients with respect to Security (or other processes) will yield internal market forces that will help align risks with benefits holding individual business managers accountable for any failures in security or continuity. For example, methodologies used for efficiency, response, and recovery also enable the development of crisp reporting capabilities that support roll-up activity summaries. These processes will allow security leadership to screen, drill down, or manipulate views into the security strategy to better support the teams ability to customize communications for different security information audiences.

Page 6 of 20

Security Operations: Strategy to Reality

Time is a precious commodity. Defining organizational parameters that conform to control frameworks such as COBiT and ASIS or standards such as ISO 17799 and COSO are not sufcient by themselves. They can help describe what information security must achieve, but they do not explain how security capabilities contribute value to the organization (Molinari, 2010). Leveraging an integrated process approach to construct the security governance framework will ensure goals are achieved the right way the first time. Delving deeper, as an integral part of enterprise governance, security leadership, organizational structure, and processes will endure and extend the organization's strategies and objectives (Molinari, 2008). However, it is critical that efforts be an evolutionary approach, to build sustainability into the governance procedures and processes. This will help to gain cultural and formal buy-in from both individual team members and senior executive leadership respectively. To ensure the success of transitioning the security strategy into a working project roadmap, the improvement process illustrated below should be followed:

Identify Needs
Raise awareness and obtain management commitment Define scope Define risks Define resources and deliverables Plan the Program

Envision Solution
Assess actual performance Define target for improvement Analyze gaps and identify improvements

Plan Solution
Define the supporting projects Develop improvement plan

Implement Solution
Implement improvements Monitor implementation performance Review the Programs effectiveness

Operationalize Solution
Build sustainability Identify new governance requirements

Figure 3-1 Evolutionary Process Improvement Roadmap

1. The security plan solution components will be actionable at multiple levels: (a) Project roadmap (b) Dynamic communication framework and (c) Structured security management framework

Page 7 of 20

2. The security strategy will be prepared in business, rather than technical terms. The content of the strategy will be communicated in a straightforward manner that non-technical executives will nd easy to understand. It is crucial to understand that business relevance and insightinto what is required to move the security organization aheadmatter far more than technical detail. 3. Incorporating input from group and individual knowledge assets will further help develop the strategy, via process identification and risk assessment. When complete, the strategic assessment will include a written in-depth analysis of the current security posture, as well as a recommended implementation roadmap. Depending on the scope of the respective initiative, the strategy should then be used to identify and focus resources to best align security with key business and regulatory compliance objectives. Equally important, ensure the analysis information can be re-purposed for other efforts such as validating existing and future funding levels. The objective is to gain short-term wins with long-term benefits. This can be achieved by having proactive security organization instead of a reactionary security organization. Proactive security requires early identication of the business and technical requirements that can give the security organization the necessary edge to be exible and adaptable enough to provide holistic services, meeting both immediate need and providing structure for future growth. Whereas, reactive security provides no scope for growth or adaptation and will amount only to expensive reghting.

Page 8 of 20

Security Knowledge Assets

Chief Executive Officer

Chief Security Officer

Audit and Compliance

Application security

Test Security

(OPTIONAL) Security and Continuity Operations Lead

Enterprise Risk Manager

Information Security Manager

Business Unit Security Manager

Information Security Specialist

Business Unit Security Analyst (2nd Phase Roll-On)

Information Security Specialist (2nd Phase Roll-On)

Information Security Specialist (2nd Phase Roll-On)

Figure 4-1 Security Functional Organization Chart. Dotted lines represent communication only

Page 9 of 20

4.1 4.1.1

Sample Roles, Responsibilities, and Minimum Qualifications Top Security Executive: Chief Security Officer

4.1.1.1 Job Description

This is the most senior executive security position in the organization with direct line responsibility. This position has overall accountability for developing, and directing the organization security program. Directs staff in identifying, developing, implementing and maintaining security processes across the organization to reduce risks, respond to incidents, and limit exposure to liability in all areas of financial, physical, network/information technology and personal risk. Through subordinate managers, coordinate and implement site security, operations and activities to ensure protection of executives, managers, employees, physical and information assets, while ensuring optimal use of personnel and equipment. Develops and delivers service in response to criminal financial loss, counterfeiting, crimes against persons, sabotage, threats, emergencies, illegal acts, and property or environmental crimes. Accountable for state-of-the-art technology solutions and innovative security management techniques to safeguard the organization's assets and correct security vulnerabilities with new and legacy IT systems. May be responsible for ensuring the safety of all network and information system environments for the corporation and operating business units. Incumbent may be responsible for network/IS technical security architecture, network and system designs, implementation and management of systems and programs for the prevention of system hacking and virus protection. Develops standards and policies worldwide for compliance with government rules, regulations, laws and treaties regarding security requirements for import and export of products. Directs the approach, deployment and execution of the most sensitive investigations. Develops relationships with high-level law enforcement and international counterparts to include in-country security and International Security agencies, intelligence and private sector counterparts worldwide.

4.1.1.2 Qualification Guidelines

Masters degree or international equivalent in an area of study relevant to this position and more than 20 years experience with a major corporation and/or law enforcement, intelligence or private sector security organization or Bachelors degree or international equivalent in an area of study relevant to this position and more than 25 years experience with a major corporation and/or law enforcement, intelligence, public or private sector security organization. Has demonstrated experience and exposure in the international security arena. Professional certifications required (e.g., CISM, CISSP, CISA, CRISC).

4.1.2

Second Level Security Executive: Security Operations

4.1.2.1 Job Description

This is the most senior security management position of a major operating unit (sector, group or large division) level. This position can have security accountabilities for the operating unit. Directs the development and implementation the operating units security policies and programs. Directs staff in identifying, developing, implementing and maintaining security processes across the operating unit to reduce risks, respond to incidents, and limit exposure to liability in order to reduce

Page 10 of 20

financial loss to the organization. Identifies significant security risks, designs and implements strategies and programs to prevent and reduce loss of the organizations assets. Establishes appropriate standards and risk controls associated with intellectual property within the operating unit. Directs, coordinates and implements site security, operations and activities to ensure the protection of executives, managers, employees, physical and information assets, while ensuring optimal use of personnel and equipment. Develops and delivers preventative programs and services to protect against criminal financial loss, counterfeiting, crime against persons, sabotage, threats, emergencies, illegal acts, and property or environmental crimes. Researches and deploys state-of-the-art technology solutions and innovative security management techniques to safeguard the operating units assets. Directs the approach, deployment and execution of investigations, and directs team based systems development efforts. Develops and manages the capital and expense budget for the units worldwide security operations. Develops close relationships with high-level law enforcement and international counterparts to include incountry security and International Security agencies, intelligence and private sector counterparts worldwide. Briefs executive management on status of security issues. Develops a consensus position within an organization climate of diverse operational activities and oftenconflicting regulations imposed by agencies with regulatory jurisdiction. Provides leadership direction to the management and professional staff within the organization unit.

4.1.2.2 Qualification Guidelines

Master's degree or international equivalent in an area of study relevant to this position and more than 15 years experience with a major law enforcement, intelligence, public service or private sector security organization or Bachelor's degree or international equivalent in an area of study relevant to this position and more than 20 years experience with a major law enforcement, intelligence, public or private sector security organization. Has demonstrated experience and exposure in the international security arena. Professional certifications required (e.g., CISM, CISSP, CISA, CRISC).

4.1.3

Information Security Manager Job

4.1.3.1 Job Description

Plans, develops, and directs the computer and information security function under senior management direction. Responsible for the business strategies associated with the computer and information security function within the organization. Accountable for overall planning, directing and organizing activities of the computer and information security function, and ensure its effective operation. Implements the policies, procedures and systems required for maintaining and enhancing the overall computer and information security organizational mission. Responsible for the research, design, development and implementation of computer security/protection technologies for the organizations information and process systems/applications. Accountable for the computer security for classified information security and communications security. Researches, contacts and selects vendors to develop technical solutions for site computer security needs, and presents recommendations to senior management.
Page 11 of 20

Develops, maintains and audits the analytical and technical aspects of major computer security subsystems. Maintains the integrity of computer workstations, servers, local area networks, upgrading systems and software for the company. Responsible for selecting, testing and the secure installation and operation of cryptographic equipment, secure transmission of classified information and sensitive unclassified information and protection of cryptographic principles and methods. Responsible for identifying and mitigating threats and vulnerabilities associated with compromising electromagnetic emanations from equipment used to process classified information. Develops and provides technical support, training and timely computer system data recovery to end-users. Directs the investigation of computer security incidents, and develops facility protection plans. Directs complex surveillance of computer protection measures, and creates measurement tools for system vulnerability assessments. Keeps senior management informed on major accomplishments, issues and concerns. Develops, trains and directs computer and information security personnel within the organization.

4.1.3.2 Qualification Guidelines:

Masters degree in Computer Science or other studies relevant to this position and more than 6 years experience in a major corporation and/or law enforcement, intelligence, public service or private sector security organization or Bachelors degree in Computer Science or other studies relevant to this position and more than 10 years experience with a major law enforcement, intelligence, public or private sector security organization. Has had some exposure in the international security arena. Certified Information Systems Security Professional (CISSP) or equivalent required.

4.1.4

Information Security Specialist II

4.1.4.1 Job Description

Works is performed under general supervision. Follows established procedures. Work is reviewed systematically through completion for adequacy in meeting objectives. With guidance, conducts research, design, development and implementation of computer security and protection technologies for organizations information and process systems/applications. Assists in the research and implementation of computer security for classified information security and communications security. Works with vendors to develop technical solutions for site security needs. Maintains integrity of computer workstations, servers, and local area networks by maintaining user accounts and recommending upgrades to systems and software required. Responds to client requests, and prepares security plans and reports based on client needs. Supports the secure installation and operation of cryptographic equipment, secure transmission of classified information and sensitive unclassified information and protection of cryptographic principles and methodologies. Provides technical support to system users to include hardware configuration, installation, diagnostics, testing, problem resolution, and system maintenance and data recovery. Assists in the investigation of computer security incidents, and may recommend corrective actions. Acts as alternate team lead on small computer security incidents.

Page 12 of 20

Conducts technical evaluations of hardware, software and installed systems and networks. Conducts certification testing of installed systems to ensure protection strategies are properly implemented.

4.1.4.2 Qualification Guidelines

Bachelors degree in Computer Science or other studies relevant to this position and more than 4 years experience with a law enforcement, intelligence, public or private sector security organization. Certified Information Systems Security Professional (CISSP) or equivalent required.

4.1.5

Information Security Specialist I

4.1.5.1 Job Description

Works under close supervision. Performs tasks from detailed instructions and established procedures. Work is reviewed for soundness of technical judgment and for following the defined policies and procedures. Under direction of senior staff, evaluates, designs and develops computer security/protection technologies for company information and process systems/applications. May assist in the implementation of computer security for classified information security and communications security. Maintains integrity of computer workstations, servers, and local area networks by maintaining user accounts and recommending upgrades to systems and software required. Responds to client requests, documenting and reporting any security incidents. Provides technical support to system users to include hardware configuration, installation, diagnostics, testing, maintenance and data recovery. Investigates routine computer incidents under direction of a senior specialist. Assists in conducting technical evaluations of hardware, software and installed systems and networks. Conducts routine certification testing of installed systems to ensure protection strategies are properly implemented.

4.1.5.2 Qualification Guidelines

Bachelors degree in Computer Science or other studies relevant to this position and a minimum of 2 years of experience with a law enforcement, intelligence, public or private sector security organization. Certified Information Systems Security Professional (CISSP) or equivalent required or pending.

4.1.6

Business Unit Security Manager

4.1.6.1 Job Description

Works under consultative direction toward predetermined goals and objectives Assignments are usually self-initiated. Determines and pursues courses of action necessary to obtain desired results, and makes recommendations and changes to departmental policies and procedures. Performs the full range of security functions such as; inspections, identification of vulnerabilities, assessment of risks. Makes recommendations of appropriate and required security measures, techniques and methods to assure and improve the protection of personnel, activities and facilities of the organization. Work is checked through consultation and agreement, rather than formal review of supervisor.

Page 13 of 20

Develops and implements policies, procedures, standards, training and methods for identifying and protecting information, personnel, property, facilities, operations, or material from unauthorized disclosure, misuse, theft, assault, vandalism, product tampering, espionage, sabotage, or loss. Reviews security project designs and contacts on-site progress assessments to insure design specifications meet the security needs. Performs security risk assessments based on vulnerability criteria to determine appropriate levels of protection and security necessary for the site. Recommends and coordinates the acquisition, installation or replacement of equipment designed to increase efficiency of security operations at facilities. Assists in the evaluation of state-of-the-art products and techniques related to computer hardware and software. Receives and evaluates all security related incidents and makes recommendations to preclude recurrence. Independently plans and conducts sensitive and complex security assessments and briefs senior management on the status of these investigations. Leads large-scale security inspections and risk assessments. Evaluates the latest products and techniques in communications and other technical equipment. Represents the organization in intra and inter-company committees. Provides leadership to less experienced Unit Managers and Unit personnel.

4.1.6.2 Qualification Guidelines

Bachelors degree in an area of study relevant to this position and more than 8 years experience with a major law enforcement, intelligence, public or private sector security organization. Certification preferred.

4.1.7

Business Unit Security Analyst

4.1.7.1 Job Description

Works under general supervision. Follows established procedures. Work is reviewed for soundness of technical judgment and overall adequacy. With guidance performs the full range of security functions such as; inspections, identification of vulnerabilities, assessment of risks and recommendation of appropriate and required security measures, techniques and methods to assure and improve the protection of personnel, activities and facilities of the organization. Participates in the development and implementation of policies, procedures, standards, training and methods for identifying and protecting information, personnel, property, facilities, operations, or material from unauthorized disclosure, misuse, theft, assault, vandalism, product tampering, espionage, sabotage, or loss. Reviews security project designs and conducts onsite progress assessments to insure design specifications meet the security needs. Performs security risk assessments based on vulnerability criteria to determine appropriate levels of protection and security necessary for the site. Participates in the acquisition of new equipment designed to increase efficiency of security operations at facilities. Coordinates the installation or replacement of the facilities security equipment. Participates in the evaluation of the state-of-the-art products and techniques related to computer hardware and software. Conducts comprehensive review and analysis of facility security plans for compliance with existing

Page 14 of 20

policies and procedures. Receives and evaluates all security related incidents and makes recommendations to preclude recurrence. Based on incidents, trends and surveys, recommends corrective action. Prepares written or narrative reports of facility assessment findings. May act as lead person or technical expert on small to medium projects.

4.1.7.2 Qualification Guidelines

Bachelors degree in an area of study relevant to this position and more than 6 years experience with a major law enforcement, intelligence, public or private sector security organization. Certification preferred.

Page 15 of 20

5
5.1

Budget
Overview

Majority of large organizations ($100-$500M annual revenue)including not-for-profit and education institutionsspend approximately 7%-10% of IT budget and a range of 1.7% to 3.6% of operational budgets on security with expectations to increase expenditures in the following year (Controller, 2011; Security, 2011; Rose & Hayes, 2013). For example, if the annual revenues are approximately $300M, the conservative end of the data reflects an approximate annual budget of $5.1M (1.7% X $300M). If an organization is half-way through the 2013 fiscal yearand an iterative approach to building the security organization, the initial estimates should remain conservative to request $2.5M for start-up capital. The monies would be used to: Establish the security program Build the functional organization (facilities, personnel, equipment, and training) Launch enterprise security policies

This approach is supported by current cost data that reflects the following distribution of funds: Labor Costs (Staff and Consultants) 64% General Materials, supplies, and services (training, phones, computers, travel) 11% Equipment maintenance and service contracts 15% Security equipment / devices purchases 10% (Controller, 2011)

Once started, it will be important to continue using a design/methodology/approach to best determine an efficient and effective strategy for information security spending. This should start with a whole-systems view of the security spending decision that encompasses people, technology, and economics. This initial methodology will help identify a model that can be used in a practical manner to select a rational approach to estimate spending (Stewart, 2012). Once mature, the security budgeting process should then migrate to a well-established rational economic process used for budgeting capital investments applies cost benefit analysis using the net present value (NPV) model with an overarching intent to determine a return on information security investments (ROISI) (Gordon & Loeb, 2006; Gordon et al, 2008; Gartner, 2002).

5.2

Labor Cost

The table below depicts for the US Central and the eastern Mountain regional security-based salaries for 2012. West North-Central (e.g., Iowa) East North Central (e.g., Illinois) East South Central (e.g., Tennessee) West South Central (e.g., Texas) Mountain (e.g., Colorado)
Page 16 of 20

Does Not Include Executive Salaries Experience (Years) 1-9 10-19 20-29 Education Bachelors Masters Certifications None CISSP PCI CPP Environment Non-Profit Int'l Locations Average

Bottom 10% Talent (X $1000)

Average Talent ( X $1000)

Top 10% Talent (X $1000)

50 55* 55*

97 120 135

155 190 225

55 60

122 135

200 225

50 75 60 60

109 139 116 130

175 190 190 225

60 75 68

152 167 160

300 300 300

* Depicts salary for non-degreed and non-certified physical security professionals

Figure 5-1 US Central and Mountain Regional Security Salaries for 2012

Note the above numbers demonstrate a median increase of two percent up from 2011 (average 3.5%). Also note that the table does not include executive salaries due to extreme variations in payment structures (e.g., perquisites, long-term incentives). However, it is important to understand that economics in one state may vary from another, even if both are in the same region. For example, security personnel salary findings for the Iowa region reflect an average 17% lower than their neighboring regions: East North Central (e.g., Illinois) East South Central (e.g., Tennessee) West South Central (e.g., Texas) Mountain (e.g., Colorado) (ASIS, 2012)
Page 17 of 20

In keeping with the above example, the table below reflects the adjusted security salaries for the Iowa region.

Does Not Include Executive Salaries Experience (Years) 1-9

Bottom 10% Talent (X $1000)

Average Talent ( $1000)

Top 10% Talent (X$1000)

42 46* 46*

81 100 112

129 158 187

Compensating for 17% Reduction

10-19 20-29 Education Bachelors Masters Certifications None CISSP PCI CPP Environment Non-Profit Int'l Locations Average

46 50

101 112

166 187

42 62 50 50

90 115 96 108

145 158 158 187

50 62 56

126 139 132

249 249 249

* Depicts salary for non-degreed and non-certified physical security professionals

Figure 5-2 Adjusted 2012 Security Salaries for Iowa Region

Using the same approach for executive security officer salaries ranged from $336K to $367Kcompared to neighboring regions, using tools such as Salary.com and Glassdoor. Note these salaries exclude incentive payments (e.g., stock options), given is a non-profit private company.

Page 18 of 20

References

American Society for Industrial Security (ASIS). (2010). Convergence of Security Risks: Addressing the Security Dilemma in Todays Age of Blended Threats. Retrieved January 13, 2013 from http://www.asisonline.org/education/docs/SecurityRiskConvergence.pdf American Society for Industrial Security (ASIS). (2012). 2012 U.S. Salary Survey Salary Results. Security Management, November 2012, 56-60. Baker, W. and L. Wallace (2007) Is Information Security under Control? Investigating Qu ality in Information Security Management, IEEE Security and Privacy (5), Piscataway, NJ: IEEE Educational Activities Department, pp. 3644. Fenz, S., Ekelhart, A., & Neubauer, T. (2011). Information Security Risk Management: In Which Security Solutions Is It Worth Investing? Communications Of AIS, 28329-356. Frosdick, S. (1997) The Techniques of Risk Analysis Are Insufficient in Themselves, Disaster Prevention and Management (6), pp. 165177. Gartner. (2002). Winning Asset Management Strategies. Retrieved from www.gartner.com/research/attributes/attr_47450_115.pdf Gordon, L. A., & Loeb, M. P. (2006). Budgeting Process for Information Security Expenditures. Communications Of The ACM, 49(1), 121-125. Gordon, L. A., Loeb, M. P., Sohail, T., Tseng, C., & Zhou, L. (2008). Cybersecurity, Capital Allocations and Management Control Systems. European Accounting Review, 17(2), 215-241. doi:10.1080/09638180701819972. Herath, H. B., & Herath, T. C. (2008). Investments in Information Security: A Real Options Perspective with Bayesian Postaudit. Journal Of Management Information Systems, 25(3), 337-375. Howe, J. S., & Olsen, B. C. (2009). Security Choice and Corporate Governance. European Financial Management, 15(4), 814-843. doi:10.1111/j.1468-036X.2009.00510.x Ittner, C.D. and D.F. Larcker (2003). Coming Up Short on Nonfinancial Performance Measurement, Harvard Business Review (81), Philadelphia, PA: Wharton School, University of Pennsylvania, http://view.ncbi.nlm.nih.gov/pubmed/14619154 (current Jan. 30, 2011). Martin, C., Bulkan, A., & Klempt, P. (2011). Security excellence from a total quality management approach. Total Quality Management & Business Excellence, 22(3), 345-371. doi:10.1080/14783363.2010.545556 Molinari, S. (2008). Bridging the Gap Between Enterprise Business and IT. Retrieved from http://www.scribd.com/doc/45833126/20080326-SMolinari-Bridging-the-Gap-Between-EnterpriseBusiness-and-IT Molinari, S. (2010). Don't Put All of Your Eggs In One Basket - The Use of Multiple Processes to Prevent Project Failure. Retrieved from http://www.scribd.com/doc/45832284/20100510-SMolinari-MTSThe-Use-of-Multiple-Processes-to-Prevent-Project-Failure
Page 19 of 20

SABSA. (2013). Sherwood Applied Business Security Architecture. Retrieved from http://www.sabsainstitute.com/members/sites/default/inlinefiles/SABSA%20Service%20Management%20Matrix%202009.jpg Swartz, N. (2005). Gartner: Security Is Strategic, Not Technical. Information Management Journal, 39(6), 14. Rose, A. & Hayes, N. (2013). Understand Security And Risk Budgeting For 2013 Benchmarks: The S&R Practice Playbook. Forrester 2013. Stewart, A. (2012). Can spending on information security be justified? Evaluating the security spending decision from the perspective of a rational actor. Information Management & Computer Security, 20(4), 312-326. doi:10.1108/09685221211267675. The Controller's Forum. (2011). Is Your Security Budget Big Enough for Today's Risks? Controller's Report, 2011(10), 3-5. What Security Executives Want And How They're Trying to Get It. (2011). Security Director's Report, 11(7), 1-11.

Page 20 of 20