The modern attack surface has expanded due to digital transformation and the adoption of remote or hybrid workforce models post-pandemic. This expansion has opened more avenues for cybercriminals to exploit, making the landscape more precarious.
The alarming statistic that 82% of all data breaches involve a human element signals a paradigm shift and underscores the need for robust employee risk management strategies to address human-related vulnerabilities. Humans are the last frontier of cybersecurity, but they are also its front line, which makes employee risk management central in this evolving landscape.
Organizations have invested heavily in platforms, tools, and services designed to secure devices, applications, networks, and data. However, the risk management staff tasked with overseeing the human element often find their efforts relegated to ‘check-the-box’ compliance training. A Gartner report revealed that 93% of employees already knew their actions increased organizational risk. CISOs face the challenge of evolving this state of affairs into a comprehensive approach to managing human risk.
Human Risk Management Maturity Model Overview
The reality is that compliance is not the same as security. Organizations need to transform the way they identify, respond to, and report on human-initiated risk by adopting a human risk management approach. Companies vary in their overall cybersecurity maturity, and specifically in their human risk management maturity, so it is useful to have a maturity model that defines the stages of maturity and the elements necessary to progress from one stage to the next.
Developed in collaboration with cybersecurity industry experts, the Human Risk Management Maturity Model provides a framework to understand and implement HRM. Culture plays an essential role in the maturity model because it defines the way individuals and teams address human risk management, and how executive leaders and the company as a whole can collaborate for more effective security.
Human Risk Management: Culture
The essence of culture in an organization is like the DNA that shapes its operational behavior, and nowhere is this more evident than in the domain of Human Risk Management (HRM) in cybersecurity. If done right, what starts as a mandatory exercise, often confined to the corners of the IT department, gradually evolves into an organization-wide philosophy.
There are five stages of workforce engagement outlined for Culture in the Human Risk Management Maturity Model:
Mandatory
In the earliest stages, cybersecurity is often seen as an extension of IT responsibilities. In this stage, employee risk is often underestimated, with the security team being a small, underfunded unit performing perfunctory training sessions. The tone is set by a managerial directive: “You must do this because you are told to.” In such a culture, only the team directly involved with security endorses these measures. The rest of the organization largely operates under the illusion that security is someone else’s problem.
Remediatory
As awareness creeps into the organizational conscience, some departments start to take note. However, these are usually reactive measures, hastily initiated after a security scare or an audit. While leaders in these silos start to acknowledge the importance of cybersecurity, the awareness remains confined to their immediate teams. Here, the security culture is somewhat like an archipelago—a series of isolated islands with limited communication between them.
Incentivized
At the next stage, the culture starts to take a more unified shape. Security becomes everyone’s responsibility, transcending departmental boundaries. Leaders across the organization don’t just enforce security measures; they incentivize them. We begin to see the rise of “security champions”: individuals within departments who take it upon themselves to be the vanguards of best practices. This proactive approach to cybersecurity is like the first ray of dawn after a long night; people are not just aware of the risks but are motivated to act.
Buy-In
Reaching the next level involves expanding the circle of trust and responsibility even further to include external stakeholders—partners, vendors, and customers. This is when the organization achieves full buy-in for its cybersecurity measures. The ethos here is a shared belief in the value of secure operations, woven into the very fabric of business strategy. Security becomes part of the organization’s identity, recognized and respected both internally and externally.
Ownership
The zenith of this cultural evolution is a state where security becomes an innate characteristic of the business model, influencing even business decisions. The Chief Information Security Officer (CISO) is not just a guardian of the network but an influential voice in the boardroom. Cybersecurity diligence starts to influence the perception of external stakeholders, elevating the organization’s standing as a responsible and secure enterprise.
The Cultural Transformation in Human Risk Management
In parallel to this cultural shift, the security organization itself evolves. Initially buried within the IT department, it becomes its own robust, fully-funded unit that’s recognized as an equal by other departments. The fight for resources gradually turns into an allocation based on carefully measured Key Performance Indicators (KPIs). The CISO’s desk moves closer to the boardroom, both literally and metaphorically.
The cultural transformation in human risk management is a journey that starts with mandatory protocols and ends with shared ownership. It’s an evolution from isolated awareness to an integrated, organization-wide philosophy, involving a profound shift in mindset, attitudes, and behaviors. As the culture matures, so does the organization’s capacity to handle the increasingly complex landscape of cybersecurity risks.