Workforce

Organisational Structure

Workforce responsible for IT, OT, IIoT and Information Security within organisations can be generically divided into four levels of hierarchy, as given below. Typical job titles at each level are also mentioned, which are indicative of the associated job roles, tasks, and responsibilities.

  • Governing board and top management level – Board of Directors, MD, CEO.

  • Senior management level – Vice Presidents, CFO, CRO, CHRO, CTO, CIO, CISO, CSO, Heads of Business Units, Divisions, and Departments.

  • Middle and lower management level – IT Project Managers, Technology Managers, IT Operations Managers, IT Security Managers, Cyber Defence, NOC, and SOC Team Leads, GRC Managers, Workforce Development Managers etc.

  • Individual Contributor level – Operators, Analysts, Administrators, Specialists, Engineers, Technicians, Architects, Developers, Testers, QA, Apprentices, Associates, Interns. Individual contributors may also include MSP/ MSSP personnel and contractors etc., working in the CSEs.

The middle and lower management, as well as individual contributors, are accountable and responsible for day-to-day operational activities and tasks.

Workforce Competencies

The overall workforce in an organisation, having accountability and responsibility for cybersecurity, would typically comprise a composite mix of employees, contracted/ hired resources, and external providers of products (OEMs/ ISVs) and services (OEM partners, System Integrators, consultants, other service providers). The essential competencies and focus of the composite workforce are summarised in the table below, along with the applicable knowledge, skills, expertise, and experience.

Workforce Level: Governing board and top management
  Focus: Business objectives, Information/ Cybersecurity
  Competencies: Business strategy, governance of use of IT, OT and Information security. Expertise in managing technology for a qualified IT Strategy Committee (ITSC), where established
  Knowledge & Skill Areas: Business Strategy, Risk, Finance, Technology, Workforce Development. The board should have an independent Director with substantial IT expertise in managing/ guiding information technology initiatives.

Workforce Level: Senior management
  Focus: Security programme, GRC
  Competencies: Business and technology leadership and experience
  Knowledge & Skill Areas: Governance, Risk, Compliance, Technology, Operations, Security

Workforce Level: Middle and lower management
  Focus: Technology management
  Competencies: Business and technology management experience
  Knowledge & Skill Areas: Technology, Operations, Security, Compliance, Supply Chain, Programme Management, MSP/ MSSP management

Workforce Level: Individual Contributor
  Focus: Technology
  Competencies: Technical skills, expertise, and experience
  Knowledge & Skill Areas: Systems, networks, platforms, applications, databases, enterprise IT and IS functions, cloud platforms and services, ITSM, ISMS, network and security operations, cyber defence, risk analysis, forensics, data analytics, systems & security design & engineering, software development, CI/CD, DevSecOps, testing, VAPT, audit

Ownership of Activities and Tasks

All operating processes within organisations are owned and carried out by designated teams, each having middle and lower-level managers overseeing the operations on a day-to-day and periodic basis.

Typically, the team compositions include different individuals with specialised skills and knowledge. Given the size and complexity of IT, OT, IIoT and cybersecurity ecosystems, the CSEs and other organisations usually have a composite workforce which is a mix of own employees, contracted workforce, resources of SIs, OEMs, ISVs, Partners, consultants, MSPs, SaaS and other service providers, who work together to carry out the organisations’ activities and tasks. A must-have practice for an outsourced workforce is to have senior and middle-level managers of the organisation oversee the outsourced work.

Cybersecurity practices and processes can map across multiple cybersecurity support functions due to the interconnected nature of cybersecurity operations, where different aspects of a process may support various functions simultaneously. Considering the interconnected nature of cybersecurity activities, entities should assign the primary ownership and support roles to the activities related to each practice/ process.

Primary ownership indicates the team or role with overall responsibility for executing a particular cybersecurity process or function. The primary team or role is accountable for the required outcomes and decision-making. The support (collaborative) role identifies the supporting teams or roles that contribute to the overall objectives of the practice or process. They may be required to provide necessary data, analysis, or assistance to ensure the process’s success.

The top and senior management of CSEs may use well-known mechanisms like RACI matrix to outline the roles and responsibilities of individuals and teams. The primary owners must be clear about their responsibility and accountability while the collaborative teams and roles must know what support is expected from them.

It is essential that the top and senior management clearly communicate the overarching objectives of cybersecurity and how each team’s efforts contribute to them. Cyber resilience can be enhanced when there is a shared sense of purpose and reduced friction between teams that usually arises due to overlapping or conflicting purposes.

Organisations will accrue significant benefits if their workforce understands the end goal of the practices and processes, and how the activities and tasks help or harm the accomplishment of the goal. Training and enablement of the workforce should focus on this aspect so that the workforce has a clear understanding of their ownership and responsibility for achieving the objectives.