Hidden C/S: Job Descriptions
This post is part of a series about aspects of cybersecurity which are not obvious, especially to newcomers.
This post is about the cybersecurity aspects of the humble job description.
What does cybersecurity have to do with job descriptions? To answer that question, let us go down the cybersecurity chain from start to finish.
(1) Senior management signs off on a cyber asset as critical, which means that the asset is to be protected from at least one specific risk. This is Identify in the NIST CSF.
(2) Someone in the cybersecurity program (CSP) assigns a "control" to that risk for that asset. This is Protect in the NIST CSF. This step includes agreeing on what constitutes proof that the control is effective.
(3) Monitoring that control becomes part of someone's job. This is Detect in the NIST CSF.
(4) Sharing the results of that monitoring, the evidence which makes your CSP evidence-based, with a supervisor becomes part of that same someone's job, on which their performance is judged.
(5) Summaries of that evidence join all the other management reporting used to keep senior management in the loop.
Job descriptions are how we accomplish item 3 above. It is tempting to just tell someone to keep an eye on things, and then to assume that their supervisor will check on the eye-keeping and that the supervisor's manager will confirm the checking, but this is not how the real world works.
In the real world, which is why we have HR departments, people repeat actions if those actions are reinforced. If we want people to keep monitoring the CSP, then monitoring needs to be part of their job description and then part of their performance review. This is another reason we at Pythia Cyber say that technology is only half the story. The other half, like Soylent Green, is people.
Figuring out who does what is only part of the requirements of creating a CSP: crossing the boundary from cybersecurity to HR is also a big part. Pythia Cyber can help.