PCSI round table ‘Security-Journey-Expert role for a strong security culture’
On June 30, 2022, a variety of Dutch experts in the field of cybersecurity awareness, behaviour and culture joined PCSI for a round table dinner to discuss the results of the project ‘Security Journey Expert’. This project has defined a new role in the security profession, as part of a strategic, human-centric approach to security, that can play an important part in reducing and preventing user-generated incidents.
The Security Journey Expert (SJE) analyses processes from a human behavioural point of view in order to detect potential threats and their root causes. This results in suggestions for process or technical improvements and in behavioural interventions that ultimately lower cybersecurity risks. The SJE role has been piloted at ING, providing positive insights into its business value, and the project is now in the PCSI Exploit stage. The goal of this stage is to ensure that the project results make an impact on a larger scale and continue to be used once the project has ended. The round table dinner was hosted with PCSI partners, experts from multinationals, security awareness service providers and university researchers, with the objective of facilitating a discussion on the new concept of the Security Journey Expert.
For this, the project team prepared a few statements and questions, which the participants discussed in three groups over the several meal courses. The outcomes of the discussions at the three tables are summarized below.
Statement I: If the technology is in order, you don’t need a security journey expert
All participants were in strong disagreement with this statement. A large share of security incidents is still caused by human behaviour, so the focus should be on preventing incidents that are triggered by that behaviour. This is not only about changing the behaviour of people, but also about developing technology and processes in such a way that people are guided into secure behaviour. The SJE can play an important role in improving security at the point where people interact with technology and processes.
Participants agree that this new role should, in a positive and trustful way, focus on helping and facilitating people in their work. It should stay away from controlling, checking and the compliance aspects of security. It could also be a temporary role, phased out once the organisation reaches a sufficient level of maturity. The importance of anthropological skills was acknowledged, since observing people in their natural habitat is an important part of the work.
Statement II: The Security Journey Expert is indispensable in large organizations with a mature security stance. In smaller organizations it should be a job for HR
All participants agree that the SJE role can be valuable in a large organisation with a high security risk profile that continuously works on its resilience. For small organisations, embedding such a role seems less feasible; there it can be considered more of a task than a position. For medium-sized organisations, an SJE role can be a good idea, but not necessarily in the HR department. It is important that the SJE is a dedicated role, filled by someone with the right competences (in behavioural psychology, education and digital marketing communication) and with the mandate in the organisation to drive change. Preferably it should be part of the CISO or IT team, reporting results to the management board.
The advantage of having an SJE also depends on the risk profile of an organisation. If there is a lot of manual labour and few processes that handle information (e.g. a transportation company), the SJE role seems not really necessary. It brings the most value to organisations that process large amounts of (valuable) information. It was also suggested to change the name* of the SJE role to Security Improvement Coach or Champion (SIC) or Security Performance Coach (SPC), as long as it covers the positive objectives of the role. “Or the guy that tunes the Formula 1 racing car of Max Verstappen; analysing metrics and listening to how to make it faster, safely.”
Statement III: The Security Journey Expert should be adopted by a professional association (e.g. Cyberveilig Nederland, PvIB), and there should be a training and a certification scheme such as CISSP or CISM
Participants think this could be a good idea, since certification is an important qualifier in the security domain. However, requiring a certification could also pose a speed bump, making it even more difficult to find qualified people, and this role is more about skills than technical knowledge. When considering certification, we could start at the national (Dutch) level, but ultimately it would make more impact in an international context (e.g. if picked up by organizations like SANS). Implementing a certification scheme is quite a heavy process; we should start by detailing the exact competences needed and documenting successful use cases.
A place to start would be the Platform voor Informatie Beveiliging (PvIB), which has already defined competence profiles for security roles. The SJE role could be complementary here. The Security Academy already has a training called ‘security awareness officer’, which could be a good starting point for creating a training module for the SJE. This training should cover the specific SJE competences, but the people who aim to take it should be selected on existing experience and competences in the area of human behaviour.
Closing question: How do we take this concept further and to the market? And who or what is needed for this?
Create a Return on Investment calculation for the SJE
The first question is: (how) do we justify the Return on Security Investment for the SJE role? How do we measure the impact and effectiveness of such a role in a tangible way? Can PCSI facilitate (additional) behavioural economics research (including opportunity costs) in a hands-on way?
As one concrete follow-up action, Achmea indicated they are very willing to run an additional pilot to further verify the value of the role. Because only a small pilot was done so far, a pilot on other use cases in another organization is a good next step. Achmea will test the role and its return on security investment over a prolonged period of time and evaluate the results.
Pilots could also be organized for smaller organizations that do not have the strict compliance focus of financials and large multinationals. PCSI can look into its own ecosystem and ask whether there is interest in making the SJE business case more concrete.
Make senior business managers aware of their responsibility for secure behaviour
It is important for organizations to understand that this is a ‘business problem’ and not necessarily an IT or security problem. Therefore, business leaders should be involved in the next steps, as they are the ones who should empower the SJE to improve security behaviour. PCSI might be able to help create more awareness among that target group by running a content campaign across several media.
Further specify the SJE role and its toolkit
Another concrete action is to discuss a new competency profile for the SJE role with PvIB. To that end, PvIB will be invited to the next Security Academy Unlocked event, at which the SJE will be presented to and discussed with a broader group of security experts.
‘The toolkit should be like Batman’s toolkit with a cuddle tool and a hammer, i.e. a mix of interventions. Or use the metaphor of the gadgets that Q designed for James Bond’. As long as it is positive, straight and usable.
Make the SJE role accessible to all organizations in society (including not-for-profit)
Many smaller and not-for-profit organizations cannot afford to hire such a role. Can PCSI facilitate the creation of a social security enterprise with a ‘Robin Hood model’ that offers SJEs to organizations such as charities and not-for-profits?
Thanks to all the participants of the event for sharing their thoughts so openly. To be continued!
*A few days after this round table session, the decision was made to rename the Security Journey Expert to Security Behavior Coach (SBC). We will use this title from now on.