Governance: Roles, Responsibilities, and Authorities: GV.RR: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners 

Cybersecurity roles and responsibilities aren’t a “good way” to enable accountability,   They’re the only way.   

GV.RR: Roles and responsibilities related to cybersecurity risk management are established and communicated: Defined 

For many organizations, accountability is a four-letter word because: how dare anyone ensure that individuals take responsibility for their actions?!   Unfortunately, accountability is key to implementing appropriate cyber security.   It is the only way that you can do it.   And accountability is impossible if you haven’t outlined people’s roles and responsibilities. 

Defining roles and responsibilities is like explaining what red looks like.   Roles and responsibilities are so integral to our environment that it can be hard to separate them from the background.   Let’s try anyway, because professionals love accountability. 

Let’s start with “responsibilities.”.   They should map to tasks.   It may very well be that a responsibility is expressed as a group of tasks, for example, “lead the SOC analysts.”   But all of the tasks that make up leadership (relationship-building, teaching, etc.) are implied.   Be wary of broad expressions of responsibilities, like “ensure results”because they might lead to trouble.   They allow others to expand your role without consulting you.   See why we like accountability? 

Improved decision making, reduced risk, and improved performance are benefits of ensuring accountability for cybersecurity and it begins with setting clear expectations with well-defined cybersecurity roles and responsibilities.   This ensures that everyone knows what is expected, and will help to reduce the potential for stress and conflicts when the roles and responsibilities are implemented in a fair and consistent manner.    

With that said, let’s tackle “roles.”   Generally, a role is a collection of responsibilities.   Be careful though.   Roles are always subject to change because responsibilities can be detached from a role or attached.   Over time, companies tend to attach work to roles because the staff occupying roles become more competent.   Make sure your compensation keeps up with the work that you’re doing.    

There’s a familiar trope in cybersecurity: “Security is everyone’s responsibility.”   While it has an element of truth here, it is also fodder for the inevitable conflict whenever there has been an incident.   This is because “everyone” isn’t exactly a role or a responsibility.   Here’s a list of constituencies that’ll you’ll need to consider: 

  • cybersecurity
  • data owners, 
  • asset owners, 
  • third parties (incidents often start with external parties) 
  • business nerds (aka senior management)
  • [drumroll]. . .everybody else not covered above. 

Organizations define and allocate these roles based on their needs, in some cases one individual or group may be responsible for multiple functions and in some cases these functions are outsourced.   However, in all cases, senior management is ultimately responsible for security of the organization: aka accountable.   Keep in mind, senior management can delegate cybersecurity responsibility to the but they always remains accountable.    

Users of the systems also have responsibilities for cybersecurity.   Individuals who use information and systems are responsible for following security procedures and reporting security problems.    Users of information are responsible for informing application owners and cybersecurity professionals of their needs for confidentiality, integrity, and availability of information.    

GV.RR: Cybersecurity roles and responsibilities are coordinated and aligned: In the news  

We don’t need to look very far to find news stories highlighting the (dire) need for clear roles and responsibilities in cCybersecurity.   First, cyberattacks are becoming more advanced and more frequent.   That isn’t just because criminals are becoming more enterprising.   It is also because we aren’t doing enough to counter them —which almost goes without saying, but leads to the next step in the analysis.   Cybersecurity specialists are precious.  

Cybersecurity professionals are in high demand; according to The Wall Street Journal, there aren’t enough qualified candidates.  Given the demand and limited availability of qualified and experienced candidates, it is even more important to have well- defined roles and responsibilities for cybersecurity professionals as this can support the onboarding, education,. and training of employees.    

GV.RR: Cybersecurity roles and responsibilities are coordinated and aligned: Failed: What am I going to see?  

Even in the normal course of business, leading cybersecurity practitioners can feel like herding cats.   It just comes with the territory when you work with smart and creative people.   But without rules and responsibilities, you’ll enjoy a special type of chaos: (1) policies that don’t reflect reality; (2) low trust between colleagues; and (3) obliviousness to even the basic nuts and bolts for how business should be done. 

Policies are pretended into implementation.

The best cybersecurity controls are worthless if a responsible group or individual has not been defined and made aware of their responsibility to implement controls.   This isn’t exactly uncommon by the way.   It is much easier to write a policy than it is to find someone to volunteer to do all the work associated with it.   So if the organization has defined and documented best -in -class standards and clear requirements for cybersecurity within the organization through policy, but nobody is responsible for performing them, you almost have the worst of both worlds.    

On the one hand, upper management types, auditors, etc. read through the standards and get a sense of comfort.   But since none of the work is being done, you’re not making progress so much as making a bet.   The bet is that you won’t be working there when it is discovered that the policies are pretend,.   bBecause if you aren’t making that bet, you have to ask yourself: when powerful people experience negative surprises, does that help my career? 

Nobody uses the refrigerator in the breakroom. 

Without clearly defined expectations it will be impossible to enforce accountability.   Think about it.   The janitor down the hall has a job description.   If you took him a laptop and told him to have the most recent vuln report on your desk by noon, you’d be—a lunatic.   But the principle shouldn’t be lost when instead of the janitor you demand the vuln report from the compliance group, because when someone accepts a task that they don’t feel that they should really be responsible for, it breeds resentment and promotes stress. 

Over time, people quit trusting each other. They become suspicious of reviews or audits.   The smart money is on saying, “not my job” rather than “let me think about it a minute.”   In this environment everyone assumes that someone else will handle the requirements. If everyone says, “not me” and there is a lot of finger- pointing, it’s a clear indicator that roles and responsibilities have not been clearly defined and communicated.  

What RACI? 

The gold standard for understanding roles and responsibilities is the “RACI”.   RACIs work on the principle that every task has something in common.   Once you learn it, you’ll never have to re-learn it because yeah-that’s right, they snuck everything into a mnemonic. 

In functional organizations, each task has a person who is “responsible,”,accountable,”,consulted,”, and “informed.”.   If there aren’t any RACI’s defined when you talk to individuals in the organization, or they aren’t even aware of what a RACI is, that’s a problem.   

RACIs obliterate accountability problems. 

RACIs cut through “not my job” like a light sabers through battle droids because of one (awesome) attribute.   You can’t have a RACI without observing a key rule:   Others can support (and often do), but for every task, only one person can be responsible, .  That’s rightthere must be one clear neck to choke!    

Often, RACIs are communicated via diagrams that describe how everyone is expected to interact with the task.   They often looks like the one below.

 Analyst Supervisor Manager Executive 
Perform User Access Review     
Gather Data 
Approve Roles  

R = Responsible, A = Accountable, C = Consulted, I = Informed 

GV.RR: Cybersecurity roles and responsibilities are coordinated and aligned:   Are stellar. . .what does it look like? 

When roles and responsibilities are coordinated and aligned you really should get the sense that you’re working inside a well-oiled machine.   Tasks flow into and out of action and there’s a sense that things are humming along.   Job descriptions are accurate and comprehensive and the organization takes roles into account when it comes to things like training. 

Job descriptions aren’t just “other duties as assigned” pasted into a word doc. 

Cybersecurity control only work when roles and responsibilities are defined.   There should be a link from the descriptions to your governance documents; for example, procedures should call out roles (rather than people) and policies should express requirements in terms of roles.  

There are also clearly documented consequences when individuals do not fulfill their responsibilities, e.g., re-training, counseling, etc.   

Below is an example of the way roles and responsibilities can be identified in a simple table format: 

Title Role Responsibilities  
Chief Information Security Officer Senior Cybersecurity Leader  Implement and oversee the organization’s cybersecurity program Align cybersecurity and business objectives Promote a culture of cybersecurity Effective utilization of cybersecurity budget 

User education and training is relevant because it is based on roles.

Role-based user education and awareness is a security practice which provides various levels of training to individuals based on their roles in the organization.   This ensures that users are aware of the security risks they will face in their daily work and how to mitigate those risks.    

The benefits of role-based user education and awareness, include improving the overall security posture of the organization with reduced costs and time required for security training.   This approach ensures that individuals only attend the training relevant to them, which improves employee morale and productivity. It’s also important to clearly communicate why an individual is assigned to the role-based training requirement to achieve these outcomes.   This approach also improves compliance as it is aligned with industry standards and regulations.    

To implement role-based user education and awareness, begin with a training plan based on a matrix of roles and responsibilities together with training necessary for each role.   Some third-party training partners now also offer personalized training based on employees’ roles.   In practice, organizations may use surveys of participants, the NICE Framework [SP800-181], or supervisor determinations to assign role-based training to employees.   Training completion is also managed and tracked within a learning management system. 

Remediating or implementing GV.RR: Cybersecurity roles and responsibilities are coordinated and aligned: 

Ultimately, performance should be measured against the defined responsibilities.   This begins with identifying performance metrics which should measure the success of the completed tasks associated with the defined responsibilities.   Before the performance metrics can be implemented, conduct a gap analysis to identify areas where roles and responsibilities are not clearly identified, and then define and communicate it to the organization.    

Tools such as the RACI matrix, work breakdown structures (WBS), project management software, or knowledge management systems can help with defining and communicating roles and responsibilities.   Don’t forget to monitor and review the roles and responsibilities on an ongoing basis using transparent performance metrics.   Role-drift can happen over time, in which employees pick up responsibilities without anyone realizing it, so you have to reconcile your documentation with what is actually going on in the organization.. 

GV.RR: Cybersecurity roles and responsibilities are coordinated and aligned: Other sources of authority. 


COBIT5 APO01.02, APO10.03, APO13.02, DSS05.04 

ISO27001:2013 A.18.1.1-5 

NIST 800-53 Rev 4: All controls.

Resources for the journey. 

Building a Cybersecurity Culture in Organizations by Corradini

Accountability for Information Security Roles and Responsibilities” by Catarino and Vasconcelos via Isaca

Writing Cybersecurity Job Descriptions for the Greatest Impact” by Hall



Comments are closed