Security Journey Expert
Started in July 2020
An investigation of the feasibility of a new security role: The Security Journey Expert.
The first idea was to research whether the 'customer journey methodology' of marketers can be used to make employees more security-conscious, so that security incidents attributable to human behaviour can be reduced. During the explore phase of the project this idea has expanded to an investigation of the feasibility of a new security role: The Security Journey Expert (SJE). This person looks at human behavior in business processes for causes of security vulnerabilities, so that security incidents attributable to human behavior can be reduced.
Activities in the Proof of Concept phase: In the PoC phase the team investigated the viability of this new role by performing a dry run on the work of the Security Journey Expert. We looked at the employee recruitment process within financial organizations from a behavioural point of view and focused on (potential) user-generated incidents. As a result, we gained insight into this new role and crafted a draft version of a competence profile.
Results of the extended PoC phase: Limited freedom of movement due to Covid-19 prevented us from observing behavior as it takes place, which is one of the prerequisites for performing the job of an SJE. It was therefore decided to extend the PoC phase and research how an SJE can be implemented in organizations, and whether it should be a role (which can be added to someone's current job) or a function (which implies introducing a new job). We compared several scenarios against criteria for success, e.g. growth potential, impact, organizational feasibility, and desirability, and concluded that we should start by adding this new role to an existing function. From there the role can eventually progress into a function of its own.
Activities in the Pilot phase: In the next phase of the project, in close collaboration with a sponsoring department of at least one of the participating organizations, the PCSI team wants to (internally) search for and select a suitable candidate. When he or she is acquired, the team plans to continue with an actual implementation of the role by means of a use case, e.g. mortgaging or ‘know your customer’ (depending on the sponsoring team). The PCSI team will ‘coach’ the SJE. A hybrid way of working (both at home and on premise) is taken into account. This pilot provides an excellent opportunity to assess the extent to which this role contributes to fewer security incidents in practice.
This project is part of the trend
Money laundering gets growing attention
With new ways of money laundering, e.g. the use of social media and targeting the youth, it is becoming even harder for banks to identify money laundering fraud.