Security Maturity: The Role of People in Cybersecurity

People, processes, and technology, or PPT, are the three pillars of any cybersecurity strategy. As businesses seek to improve their security maturity, they need to find ways to improve upon their PPT as well.

It’s important to remember that people, regardless of whether cybersecurity is in their job description, all have a significant role to play in defending against threat actors.

Threat actors routinely leverage social engineering—from simple phishing attacks to worker impersonation—to trick employees and infiltrate businesses. On the other hand, human-powered threat hunting, Managed Detection and Response (MDR), and good cyber hygiene can help turn people into one of your biggest strengths in protecting your business.

In this blog, we break down the role of people in cybersecurity, covering the respective responsibilities, KPIs (key performance indicators), as well as training and education requirements.

Responsibilities

Businesses need to make it clear to each employee that cybersecurity is everyone’s responsibility. While certain people or departments have greater accountability for defending the business, such as the CISO (Chief Information Security Officer), security engineers, and SOC (Security Operations Center) analysts, it’s imperative to set clear expectations for every employee.

Below, we provide our perspective on how these responsibilities play out across organizational levels:

  • Executives: The executive team is responsible for setting the business’ cyber risk tolerance and ensuring their respective departments operate within those guidelines. In both security and non-security roles, executives need to ensure the entire organization is aware of cybersecurity risks and of each individual’s role in minimizing them. This includes explaining the reasoning behind certain decisions, such as why the marketing team chose one website development platform over another. Tone at the top is also important. Here, it’s about setting a vision of how good cyber hygiene and compliance with policy enable the business to achieve its mission.
  • Management: Management is traditionally responsible for ensuring teams operate efficiently to help achieve the vision set forth by executives. In the case of cybersecurity, this includes providing guidance, coaching, and education to front-line employees on how they can help reduce the business’ cyber risk. Frequently, managers amplify and enforce the cybersecurity messages, requirements, and procedures to ensure understanding and build a culture of security within their teams. They also need to escalate potential issues to their superiors, such as the need for additional cybersecurity awareness training. For management, it’s important to develop a culture where their teams feel comfortable speaking up, especially when it comes to informing security that they clicked a suspicious link.
  • Front-line employees: For front-line employees, the expression “If You See Something, Say Something” is a good rule to follow. Their primary responsibilities include reporting suspicious activity (e.g., phishing emails, social engineering attempts), complying with the IT and security teams’ policies, and taking regular cybersecurity awareness training as required by the company. With front-line employees, executives and management should make the serious nature of a cyber incident clear, highlighting the far-reaching blast radius it can have, down to the individual level. However, it’s equally important that employees feel supported and empowered, with the resources they need to successfully navigate these situations.

In businesses with a dedicated security team or individual, that team must work across these groups and take a leading role in raising the collective cybersecurity awareness of the business, while implementing effective security controls based on the risk tolerance defined and set by the board and executive team.

Security teams + executives

When it comes to working with executives, the security team needs a seat at the table to help communicate the risks for their industry while providing clear recommendations in business language instead of technical jargon. For example, positioning how replacing VPNs and expensive hardware firewalls with Secure Access Service Edge (SASE) can reduce capital expenditure while improving employee productivity and increasing security both in and out of the office.

At the same time, the security team needs to have a deep understanding of and appreciation for the business’ objectives, tailoring their recommendations to enable the business to safely operate while not creating unnecessary friction. By doing so, security teams gain buy-in from executives that help them better establish a culture of security across every organizational layer.

Security teams + management

For management, it’s about empowering them with the tools and resources they need to execute their responsibilities effectively. Activities here can range from conducting a cyber risk assessment on a new tool the sales team is considering to telling them about a novel way threat actors are leveraging a critical business tool and what they should tell their team. Security teams should also collaborate with management to create personalized plans for front-line employees based on their performance in cybersecurity awareness training.

Security teams + front-line employees

With front-line employees, security teams need to foster a culture where employees feel comfortable reporting suspicious activity before it becomes an issue. At the same time, it’s about building an effective curriculum to educate staff on good cyber hygiene, such as using strong passwords and locking laptops when away from the desk.

Security teams

Within the security team, it’s about continuous, data-driven monitoring and improvement of the security posture in alignment with the determined risk tolerance. This includes implementing new technologies to fill gaps or increase efficiency and effectiveness. It’s also about how the team leverages data—inclusive of the evolving threat landscape—to do its job better. For example, when a new threat is identified, the team needs to hunt for that threat in its environment while creating additional detections against it.

KPIs

To help measure the effectiveness of the efforts above, businesses need to set KPIs to track organizational and individual behavior. These KPIs need to relate back to the overall business objectives and the set risk tolerance. Below, we provide some ideas to help you get started:

  • Security posture: These metrics help establish a baseline of how prepared your business is for a cyber incident. They can range from an understanding of your vendors’ security risk and security ratings to the number of users with administrative access. They can also extend to the number of vulnerable systems and the number of days to patch.
  • Security efficacy: The focus here is on how well the security controls you have put in place are working. This can include the number of detected or prevented intrusion attempts, the average cost per incident, and the average delay or downtime.
  • Mean-time metrics: These are a good way to evaluate the efficacy of a business’ threat detection and response capabilities, and commonly include Mean Time to Detect, Mean Time to Respond, and Mean Time to Contain.
  • Cybersecurity awareness training: The purpose of these KPIs is to go beyond just measuring completion percentage to get to training effectiveness. While metrics such as percentage of completed trainings and failed phishing tests are a start, going beyond to include the number of reported cybersecurity incidents helps to better determine the quality of your training programs.

KPIs need to be contextual to your business and what your stakeholders care about. Whichever you choose, it’s important to position them based on what the audience cares about. For example, maybe you rolled out a new product that helped to meet cyber risk insurance requirements, resulting in a discount compared to the previous year. If presenting it to the CEO, you can highlight the cost savings related to the expense of the product and how it helped to mitigate cyber risk.

Training and education

When it comes to training, there are the table-stakes items that every team across every level of the organization should take, including regular cybersecurity awareness training and phishing tests. Beyond those, additional training needs to be aligned with the respective roles and responsibilities of the individual, as well as the products they work with on a regular basis.

For most executives and management, there should be ongoing education to help them understand how their respective departments can help mitigate the business’ security risk. As an example, the security team should coach accounting leadership on why their team needs to multi-factor authenticate into accounting software. There also needs to be regular reminders across communication channels on the process for vetting and selecting a new vendor, ensuring that the security team is involved in the decision-making process to avoid introducing unnecessary third-party risk.

For the security team, training should be highly customized to each member’s role. A SOC analyst, for example, should be trained in how to threat hunt, run queries in the Security Information and Event Management (SIEM) platform, and properly run a case investigation. The training for someone on a detection engineering team, however, might focus more on ethical hacking, reverse engineering malware, and ways to leverage machine learning to increase detection coverage. Other roles, such as the leader of a red team, might require presentation training to ensure they know how to communicate findings effectively.

Maturing cybersecurity programs

A mature cybersecurity program combines people, process, and technology to defend against cyberattacks. At the end of the day, your security posture is only as strong as your weakest link. If you’d like to learn more about how these three pillars interact, download our Security Maturity Model by clicking the button below.
