Maximizing security awareness team success through organizational structure

Most companies assign their security awareness team to be a part of the IT department, but is that the best place for it? IT people aren’t trained in all the skills needed to run a successful cyber security awareness program and expecting them to can be harmful to your organization. 

I don’t have all the answers for restructuring your specific organization for optimal security success, without learning more about it. 

But there are some good starting points and best practices… So that’s why I asked some experts to give their input in our latest Cyber Security Awareness Forum. 

Meet our panel:

Tyler Sweaney (TS) – Tyler is a Cybersecurity Specialist Account Manager at Global CTI, a Management Service Provider that’s focused on servicing our customers in California.

Ryan Healey-Ogden (RH)– Ryan is Click Armor’s Business Development Director. He also teaches at the University of Toronto College Cybersecurity Bootcamp. 

And I’m Scott Wright (SW), CEO of Click Armor, the Gamified Security Awareness Platform and Security Awareness Services Company. 

We also had two guest panelists (consultant Jemma Davis, and Sr. Dir. of education and awareness, IT/Cyber  Manal R.) who joined later in the discussion and added some great insights from their own experiences.

RH: Everyone has a different learning style and there are things that HR professionals know how to do, like accommodate and work with and motivate people. But, you do need that understanding, like Tyler said, from an IT perspective because you have to understand what the common attack vectors are and how these attacks will actually be executed. So then you can explain it to users in a productive manner and support them. It’s about finding that balance between HR and IT. 

SW: And I think being “too IT-oriented” is actually a reason why a lot of people find security awareness boring. The people that are speaking to them or the message that they’re getting from a system perspective is so generic and too technical, because it’s coming from the technical people.

What factors should determine where responsibility for security awareness programs are to be delegated?

TS: You have to figure out what your goals are. That’s where this all comes from, being intellectually honest with what you’re looking for. Are you just seeking to tick a box for insurance? On the flip side, maybe you want to actually mitigate risks in a way that’s effective, that conveys this information in a way that sticks with our employees and becomes a part of their habits.

Then you ask: Can this person or team implement strategies that are needed to reach this goal? Will they be able to get the budget and do they have the skills? Both the technical skills to understand the training and interpersonal skills to get through to people.

Your options will vary depending on the size of the organization. As you get bigger, you get more specialized roles. But, with smaller, medium sized businesses, it’ll probably fall to the person that’s doing IT. If they are the only person that understands it, then that’s where it has to happen. 

RH: I’d start with a risk assessment. If you run a proper risk assessment on your organization, you’re going to understand what your goals and weaknesses are, which then takes you into my second key deciding factor which would be industry. 

Because if you’re in a more technical industry, I would shift that responsibility a little bit more to the IT side. If you’re more in a customer service role, like a call center, I would drive it through HR

What can be done, from a management perspective, to improve the security awareness team’s effectiveness within an organization?

RH: Try to build out a proper communication plan. There has to be something in place, communicated to the organization to try and get buy-in before anything starts. 

Also cross-functional, cross-functional, cross-functional. Everyone has a different perspective, life experience and understanding of what’s going on. So, make your security team as cross-functional as possible. 

TS: I’ll second everything Ryan said. It all starts with a cybersecurity and business risk assessment and then aligning whatever your organizational goals are and then coming up with a plan. 

The one thing I’d add: You can have the best communication plan, but if people don’t feel comfortable asking questions, then your security culture will crumble. That’s where getting that top level buy-in comes in. If the CEO cares then they’re able to really implement that culture from the top down. If leadership doesn’t want this, then it’s not going to happen.

RH: Speaking of security culture, we need to normalize it like other types of training. I don’t need to be a subject matter expert in order to understand and follow the training for vacation policy or harassment. But, when people see security training they think it’s outside of their pay grade. We need to make it more relatable and normalized. 

Nobody wants to feel stupid, right? That’s where that human element comes in. People have to know if they have a question, they aren’t going to get into trouble. We’re just going to learn. 

TS: I think it also stems more from that bubble around the IT team. You have very technical people that would rather be working on the computer and then you require them to use the soft skills they didn’t sign up to use. And that’s where finding the right person, the right organizational structure, and culture really comes out.

If not under IT, then where?

RH:  The Chief Awareness Officer is a new position I’ve started to see out there where it is a blend of both HR and IT. Or you can put the awareness training in the hands of a committee and that committee has cross-functional support from HR and IT. 

TS: A dedicated C-suite spot might be the natural progression because it’s going to have to fall under someone’s purview. As the threats grow, that’s inevitable.

SW: I think it does sometimes come down to either a cross-functional role or a role at the very top. As Ryan said, having a Chief Risk Officer or Chief Information Security Officer that isn’t totally IT oriented is probably the ideal.

One of the other things I’ve worked with a lot in the Canadian government is the concept of what used to be an IT Security Coordinator and now is a Designated Official for Cyber Security. They have a cross-functional reporting structure where on one hand they report into the IT organization or the CIO, and they report to the Chief Security Officer. 

RH: Someone in the audience mentioned they set up a Human Cyber Risk Council with members from HR, Communications,  Fraud and Threat Hunting and they meet bi-weekly. That is proper cyber hygiene.

TS: They nailed it. Having a council, that’s the optimal thing. You’re getting everyone, from every field and discipline. The only worry for me is that you want to make sure you’re all on the same page.

That’s where, like Ryan said, a risk assessment comes into play. It’s a business risk, not just cyber risk. It’s all about how they impact the business and the business’s security, the bottom line.

–

With the insights from the panel, it is clear that building an organization’s security awareness team isn’t a simple task – but worth the effort. Focusing on HR/IT balance, higher-level manpower, and thorough risk assessments, your organization will have a far better chance of reaching your goals while maintaining compliance. To learn more of our thoughts on organizational structure and building cyber security teams, check out the full recording here.

 

Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.