Identifying Staffing Requirements and Constraints

Once you've identified your required competencies, you have to begin looking at your staffing requirements, which match competencies with actual people in (or outside of) your organization. Look for the optimal candidates for each competency first, and then make note of the second, third, and fourth choices. Devise strategies for filling gaps, either through training, hiring, or contracting. In some cases, it may be appropriate to divide your IT security project plans into phases and shift your competencies accordingly. Sometimes you can reasonably delay hiring or training until a later phase.

Reality usually sets in once you've created your "dream team" (e.g., Jill is temporarily on assignment in Madrid, Spain; Craig is your best IPS/IDS guy, but he's out with a family situation for another month; John is your go-to guy for all Internet-related work, but he's already working overtime to get the new Web site up and running; Lisa is absolutely your best security administrator [users, access controls, auditing, log file management, and so forth], but she's recently been promoted and will be heading off to a new position at a regional office within the month.) You know the drill; your best people are not always available and yet you have a project to plan, implement, manage, and complete. Determining your staffing constraints is where you insert a bit of organizational reality into your "perfect world" security project plan, so that you can actually get your project work done.

Sometimes your staffing constraints are financial.You may need four database administrators to help design and implement database security, but you'd have to temporarily transfer them to your IT payroll and your budget doesn't have the room. Other times you may need to hire a contractor with a specific skill set or hire a new position or bring in a security consultant—all while you're being tasked with improving security for about 5 percent of your overall IT budget. While life and budgets aren't always fair, your job as IT security project manager is to find creative solutions to these problems. Brainstorm with your security project team or make a strong business case to your security project plan sponsor. Whatever you do, you'll have to live with staffing constraints and negotiate your way through the process.

This might also be a milestone or checkpoint that you can use to sit down with your security project plan sponsor and discuss your staffing needs. Since most company's budgets are not unlimited, you're probably going to have to make a few tough decisions. Best practices include going to your security project plan sponsor prepared with your staffing needs, costs, and alternatives. Don't march in with a list of demands, and don't expect your sponsor to solve your problems for you. Be prepared, and come in with various alternatives along with the risks and rewards of those alternatives. Work cooperatively and proactively with your security project plan sponsor to find acceptable solutions to the staffing and budget limitations that you might encounter.

Also keep in mind that if you cannot gather the people you need to fill critical (or required) roles or to provide required competencies, your project is at risk of failing.Though you haven't moved beyond the planning stage yet, you will be positioning your project to fail if you take off without adequate resources and simply hope that something will change down the line. As much as you might not like being the bearer of bad news, you have to work hard with your security project plan sponsor to find a reasonable solution. If your sponsor "orders" you to proceed despite your lack of critical resources, you will have a serious problem on your hands for two reasons. First, it will spell disaster for most projects and, second, you will have a serious security problem in the making. If you can't find someone competent enough to install or configure a new IDS system, you could potentially open the floodgates for hackers—not a good situation and one that will absolutely come back and fall on your shoulders.This can be a difficult situation, but unless you're going to get fired for saying, "I don't want to proceed until I have the needed resources for success," hold firm and negotiate for what you need. Don't hold a hard line—get creative, be flexible, and find the necessary middle ground to get your security project plan work accomplished successfully. The goal is to increase security from its existing state and to find out whether or not you have the right resources to help you get there.

Project Management Made Easy

Project Management Made Easy

What you need to know about… Project Management Made Easy! Project management consists of more than just a large building project and can encompass small projects as well. No matter what the size of your project, you need to have some sort of project management. How you manage your project has everything to do with its outcome.

Get My Free Ebook

Post a comment