Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/Develop and create the cybersecurity plan/Determine resource needs

From LIMSWiki
Jump to navigationJump to search

5.6 Determine resource needs

Figure 1- Cybersecurity Funding at IRS, Fiscal Years 2014 Estimated, 2015 Actual, 2016 Enacted, and 2017 Requested (Dollars in Millions) (28979530692).jpg

5.6.1 Determine whether sufficient in-house subject-matter expertise exists, and if not, how it will be acquired

Businesses come in many sizes, and not all have the in-house expertise to take the deep dive into cybersecurity. To be fair, the size of a business isn't the only determiner of IT resources. Hiring practices and hosting decisions for both software and IT (e.g., software as a service [SaaS] and infrastructure as a service [IaaS] vs. local hosting) may also impact the level of cybersecurity expertise in the business. Regardless, it's doubtlessly imperative to have some type of expertise involved in assisting with the implementation of your organization's cybersecurity plan. You probably have already addressed this during part two and three of making the cybersecurity plan, but now is an excellent time to double check that aside from any short-term expertise you're tapping into while formulating your plan, ensure you have long-term support for the implementation and monitoring of the plan's components.

5.6.2 Estimate time commitments and resource allocation towards training exercises, professional assistance, infrastructure, asset management, and recovery and continuity

The realities of business dictate that time is indeed valuable.[1] For a business to meet its primary goals, an investment of time and resources are required by those involved in the business. For a clinical laboratory, that means laboratorians performing analyses, making quality control checks, managing test results and reporting, and more. How much time do they truly need to commit in any given week to developing cybersecurity skills? And beyond the individual level, how much time does the business as a whole want to commit? With a need for training, infrastructure management, policy development and management, and recovery and continuity activities, your business has a lot to consider. These and other questions must be asked in relation to the realistic amount of resources available to the business and its personnel.

Here are a few additional questions to ask, as suggested by NARUC[2]:

  • "What level of staff time should [a business] dedicate to learning about cybersecurity and developing skills necessary to achieve stated goals?"
  • "Do staff need to become subject-matter experts, or is it enough that they are familiar with the language and terms?"
  • "Do any staff need one-time training, ongoing training, certifications, or security clearances?"
  • "Does the [business] have enough personnel to build and maintain relationships with [cybersecurity stakeholders]?"

5.6.3 Review the budget

Of course, the realities of business also dictate that money is a key component to business operations. That means budgeting that all-important resource. What share of the overall budget will cybersecurity take, as proposed vs. what can realistically be allotted? This is where that previously conducted gap assessment and risk assessment comes into play again. You ended up identifying critical gaps in your current infrastructure and prioritizing cyber risks based on threat, vulnerability, likelihood, and impact. Those assessments guided your goals and objectives. Does your budget align with those goals and objectives? If not, what concessions must be made? If you're a small retail shop, antivirus software and firewalls may be enough. And as editor Cristina Lago notes in her 2019 article for CIO: "Be realistic about what you can afford. After all, you don’t need a huge budget to have a successful security plan. Invest in knowledge and skills."[3]


  1. Cakmak, J. (11 January 2019). "Time is Money, Money is Time, and What That Means for Tech". Techonomy. Techonomy Media, Inc. Retrieved 21 March 2023. 
  2. Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. Retrieved 21 March 2023. 
  3. Lago, C. (10 July 2019). "How to implement a successful cybersecurity plan". CIO. IDG Communications, Inc. Retrieved 21 March 2023.