Where Do Security Awareness Programs Belong on the Org Chart?
Part 3 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 2 here.
For this blog series on building a security awareness program, we started in week 1 with how to build a strategy. Last week we discussed how to select and use content in your overall program and specifically your phishing program. This week we’ll focus on program alignment – in other words, where does the security awareness role report within an organization?
While I was attending a security awareness conference in 2017, day 1 kicked off with a keynote that discussed the incident response process/program. The speaker made a couple of key points that resonated with me and have stuck with me. The first point was related to responding to your annual penetration test – do build your program to align with their findings, they will ALWAYS get in, it’s their job, etc. The second point was aligning your security awareness program to your incident response team.
Should you report to Training and Compliance or Incident Response?
Having spent a number of years in the security awareness role and networking with peers who have similar responsibilities, I can tell you that the reporting alignment is all over the place. Some report into the GRC department, some into the Learning or Training department (typically under the HR function), and some into the security program directly under the CISO. Some organizations will have a first line of defense – the teams with the tactical responsibility of defending against threats to the organization. They may also have a second line of defense – the teams that provide oversight or governance for the security program. This alignment tends to be more present in highly regulated industries.
You also find that security awareness professionals have varying experience and skillsets. You will see all these differences when you search for a job posting in security awareness – including the title. In some organizations the function may be a part-time job, just one of the many responsibilities assigned to the person sitting outside the CISO’s office. Other organizations have taken the time to build a robust program, making administration a full-time job – maybe even one that requires a team and a budget allowing the team to lower risk by addressing behaviors.
If you read part 1 of this series, you will recall the recommendation to go ask your Security Operations or Incident Response team about their top incident tickets. If your strategy is to address behaviors corresponding to REAL threats, then it stands to reason that the awareness function should be aligned as closely as possible to the department that responds to those threats. Here’s a visualization (purely an example) of the types of risks your program might address:
A robust security awareness program should include the resources – money and people – needed to make the program successful. If you have a compliance team that manages the regulatory and audit requirements, by all means, allow them to manage the annual training requirement for cybersecurity. Just make sure you’re able to review and provide input on the topics being covered, so the program aligns to the current threat landscape. When the auditors or regulators ask you about it, you’re covered.
Cybersecurity threats and behaviors are not black and white. They are constantly changing. Most cybersecurity frameworks and regulations simply state that you should have a security awareness program. Such statements are a little vague, but that’s a good thing. Without the constraints of specific elements – newsletters, posters, phishing simulations, annual training, squishy balls shaped like phish, stickers, a security awareness portal, etc. – you get to define what to include in your program, based on the threats and behaviors you need to address.
The metrics can help you find the right home.
One last item that helps decide where to position the security awareness role in the organization – metrics. When the role is aligned with the governance, risk management, and compliance side of the organization, metrics relate to completing the training or to how many users clicked a link or opened an attachment. When the role is aligned with the security program, metrics focus on end results like reducing risk and reducing time to contain an incident, which in turn leads to reducing time to remediate an incident. Instead of focusing on the number of clicks you would focus on reports: how many users reported the message, so the SOC can respond to and mitigate the attack.
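To make the contrast between click-centric and report-centric metrics concrete, here is an added example (not from the original post or any product it mentions) that computes both from a simulated phishing campaign event log. The event rows and campaign names are constructed sample data, and the metric names are my own choice; the point is that a SOC-aligned program tracks not just who clicked, but how quickly the first report arrived and how many people reported even after clicking, because that is the window the SOC has to contain the incident.

```python
"""Report-centric phishing-simulation metrics (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample event log for two simulated campaigns (not real data).
# Each row: campaign id, user id, event type, UTC timestamp (ISO 8601).
EVENTS = [
    ("Q3-invoice", "u01", "sent",     "2023-10-02T09:00:00"),
    ("Q3-invoice", "u02", "sent",     "2023-10-02T09:00:00"),
    ("Q3-invoice", "u03", "sent",     "2023-10-02T09:00:00"),
    ("Q3-invoice", "u04", "sent",     "2023-10-02T09:00:00"),
    ("Q3-invoice", "u05", "sent",     "2023-10-02T09:00:00"),
    ("Q3-invoice", "u03", "reported", "2023-10-02T09:06:00"),
    ("Q3-invoice", "u02", "clicked",  "2023-10-02T09:14:00"),
    ("Q3-invoice", "u04", "reported", "2023-10-02T09:21:00"),
    ("Q3-invoice", "u05", "clicked",  "2023-10-02T10:02:00"),
    ("Q3-invoice", "u05", "reported", "2023-10-02T10:05:00"),
    ("Q4-mfa-reset", "u01", "sent",    "2023-11-06T13:30:00"),
    ("Q4-mfa-reset", "u02", "sent",    "2023-11-06T13:30:00"),
    ("Q4-mfa-reset", "u03", "sent",    "2023-11-06T13:30:00"),
    ("Q4-mfa-reset", "u04", "sent",    "2023-11-06T13:30:00"),
    ("Q4-mfa-reset", "u01", "clicked", "2023-11-06T13:45:00"),
    ("Q4-mfa-reset", "u02", "clicked", "2023-11-06T14:10:00"),
]


def campaign_metrics(events):
    """Return per-campaign click and report metrics.

    Users are counted once per event type (a user who clicks twice is one
    click). Report delays are measured from the campaign's earliest send time,
    so 'minutes_to_first_report' is the SOC's earliest possible start.
    """
    # campaign -> event type -> user -> earliest timestamp for that event
    by_campaign = defaultdict(lambda: defaultdict(dict))
    for campaign, user, event, ts in events:
        t = datetime.fromisoformat(ts)
        bucket = by_campaign[campaign][event]
        if user not in bucket or t < bucket[user]:
            bucket[user] = t

    result = {}
    for campaign, per_event in by_campaign.items():
        sent = per_event.get("sent", {})
        clicked = per_event.get("clicked", {})
        reported = per_event.get("reported", {})
        if not sent:
            continue  # no launch record, nothing to measure against
        launch = min(sent.values())
        delays = sorted((t - launch).total_seconds() / 60 for t in reported.values())
        result[campaign] = {
            "sent": len(sent),
            "clicked": len(clicked),
            "reported": len(reported),
            # GRC-style metric: share of recipients who clicked
            "click_rate": round(len(clicked) / len(sent), 3),
            # SOC-style metrics: share who reported, and how fast the SOC heard
            "report_rate": round(len(reported) / len(sent), 3),
            "minutes_to_first_report": delays[0] if delays else None,
            "median_minutes_to_report": median(delays) if delays else None,
            # users who clicked but still reported: the behavior to reinforce
            "clicked_and_reported": len(clicked.keys() & reported.keys()),
        }
    return result


if __name__ == "__main__":
    for name, m in campaign_metrics(EVENTS).items():
        print(name)
        for key, value in m.items():
            print(f"  {key:<26} {value}")
```

Run as a script it prints one block per campaign. A campaign like the constructed Q4-mfa-reset, with clicks but no reports, is the case to worry about: the click rate alone looks similar to Q3-invoice, but the SOC would have had no signal at all to act on.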
Wherever your security awareness program lives within your organization, if you’re clear on the metrics you can communicate better. You can market the program and its goals to your business audience, translate technical/cybersecurity concepts in ways anyone can understand – and most importantly, tell people the actions you want them to take.
If you’re just getting started on building your security awareness program, there are plenty of free resources available to you when you’re on a shoestring budget:
Recommended reading: If you’re looking to expand your knowledge on how to create powerful moments in your security awareness program, I suggest reading The Power of Moments by Chip Heath and Dan Heath.