I found inspiration in a thought-provoking discussion initiated by Cathy Click, the Head of Security Awareness at FedEx. She posed a compelling question: what constitutes an ideal Security Awareness / Culture team? If the goal is to effectively mitigate human risk within an organization, who should spearhead this effort? This question resonated deeply with me, prompting me to share my perspective. While I acknowledge that not all organizations possess the resources to assemble the diverse team I envision below, striving towards this ideal is a worthy pursuit.


The Team Structure

Effective management of human risk demands a collaborative approach. Data from recent reports consistently underscores that people are now the primary targets in 75-85% of global breaches. To effectively address this pervasive risk, a dedicated team is essential.

Full-time Lead: Crucially, leadership of the program must be a full-time role. If responsibility is assigned to someone already burdened with multiple duties, the focus tends to be on compliance rather than engagement and security. Therefore, the leader of the human risk program should be fully dedicated to this mission from the outset.

Reporting to the CISO: Integration into the security team is vital. Managing human risk is an integral component of cybersecurity risk management overall. Therefore, the team should ideally report directly to the Chief Information Security Officer (CISO). This ensures alignment with broader security initiatives and facilitates a holistic approach to security through a people-centric lens.


Key Team Members

Here are the essential skills and roles that should ideally constitute the core of a human risk management team. While achieving this level of specialization across all roles may be challenging, some individuals may possess a combination of these skills.

Communications Specialist: Effective engagement with the workforce is foundational to securing them. Often, organizations appoint professionals from their Communications department to collaborate closely with the security team. These individuals translate complex security policies, tool rollouts, and updates into accessible terms. They ensure that security communications resonate with all employees, leveraging backgrounds in Marketing, Journalism, or Public Relations.

Organizational Change Expert: Understanding human behavior at an organizational level is crucial. Specialists in Organizational Change leverage insights from behavioral economics and psychology to architect security programs that align with human nature. They utilize frameworks like ADKAR to drive behavioral change across the organization.

Instructional Designer: Mastery of Adult Learning Theory is essential for developing training programs that effectively impart knowledge and skills. Instructional Designers apply methodologies such as the ADDIE framework and the Kirkpatrick Evaluation model to create engaging and impactful training experiences.

Data Analyst: Metrics are pivotal for assessing program effectiveness and demonstrating value to leadership. Data Analysts consolidate diverse data points into actionable insights, enabling informed decision-making and continuous program improvement.

Project Manager: Coordinating multifaceted initiatives requires strong project management. Project Managers facilitate collaboration across departments and ensure that initiatives are executed efficiently and on schedule.

Specialized Leads: Depending on organizational needs, additional roles may include leaders for initiatives like Security Champions programs, Phishing Simulation campaigns, or targeted training efforts such as DevSecOps education for developers.


Importance of Collaboration

Notably absent from this list is a cybersecurity expert. When focusing on human risk management, leveraging the expertise of the broader security team is paramount. Collaborating closely with cybersecurity professionals allows the human-focused team to identify and mitigate the organization’s top human risks, while the security team defines the behaviors necessary to mitigate those risks effectively.


Key Partnerships

Securing the entire workforce is an enterprise-wide endeavor that requires robust partnerships with various departments within the organization. Key collaborators include:

Security Teams: Collaboration with Cyber Threat Intelligence (CTI), Security Operations Center (SOC), and Incident Response teams is crucial. These teams provide essential data and intelligence on emerging threats and vulnerabilities, enabling targeted risk management efforts.

Human Resources (HR): HR plays a pivotal role in onboarding new employees, including security training. They contribute expertise in organizational culture, guiding efforts to embed a strong security culture throughout the organization.

Communications Department: As previously mentioned, effective communication is foundational to security awareness. Collaborating closely with the Communications department ensures that security messages are effectively conveyed and understood across the workforce.

In conclusion, I invite your feedback and suggestions for refining the Dream Team for Managing Human Risk. How can we enhance this vision further? For those interested in delving deeper into human risk management, I recommend exploring the SANS MGT433 Managing Human Risk course, which offers comprehensive insights and strategies in this critical area.


Source: https://www.sans.org/blog/building-the-human-risk-dream-team/


About DT Asia

DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.

Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.