Cybersecurity within SMEs: What Human Capital Aspects to Consider?
With the increase of digital developments, cybersecurity is more important than ever. Within SMEs, it is noticeable that there is growing attention for this, but that not enough is known about how human capital can contribute to this. This is what Paula Kager, as Human Capital Cybersecurity Quartermaster, has been researching on behalf of Security Delta (HSD) and the Economic Board Zuid-Holland.
"There is a lot of information available about what actions SME companies need to take for good cybersecurity, but it doesn't say who will do it and whether they can," said Paula Kager.
Who does what?
Large companies usually have cybersecurity as the responsibility of a CISO, ISO and/or a team of security officers. SMEs often lack the resources and need to hire specialists or hire outside experts. Smaller companies (10-50 FTEs) often do not have their own IT and HR departments. At the same time, the basics of cybersecurity must be and remain in order. This means continuously monitoring processes, systems and (the behavior of) people. SMEs have often outsourced IT to their IT supplier and expect it to keep everything under control - just as a security company monitors the physical security of buildings, premises and people. Cybersecurity involves a lot. The quartermaster broke down the landscape of cybersecurity into areas of concern, broke them down into tasks and divided them into 12 clusters. Which cybersecurity tasks lie with the director/owner? Which of these tasks fit under the responsibility of an Office Manager, an IT manager or HR managers if any? The results of this research can be found in the "Human Capital Cybersecurity Tool."
"Many smaller companies do not have policies written down on paper, so they do not have job descriptions, job duties and onboarding programs. Things often go well until they go badly wrong."
How to attract and retain cyber talent?
The human capital aspects of cybersecurity include attracting, engaging and retaining potential talent for cyber tasks. A key piece of advice in the report is, "Entrepreneurs, offer attractive growth prospects." And expand the recruiting pond, thinking about existing staff, lateral entrants, re-entrants and seniors. Investing in and partnering with a good IT vendor or industry organization can create roles that match talents, competencies and ambitions. Cybersecurity employees should be given room to develop; it is a young field whose content is not yet set in stone. Company management should participate in the formation of a cyber team, in which technology, people and organizational policies are properly and evenly invested. Open the doors to potential talent and ask yourself the question: why exactly would someone want to work at my company?
An organization can have the technology so well arranged and the policy so well formulated, but in practice the chain is only as strong as the weakest link. This involves culture and behavior, communicating policy and acting accordingly, holding each other accountable, daring to make mistakes and learning from them, and sharing knowledge.
What are the next steps?
We now have a useful tool for SME entrepreneurs and their advisors. Human capital has so far been an underexposed aspect in realizing cybersecurity. This has also been included in the Human Capital Agenda Security that will be presented June 29 and in the approved growth fund application IT verband Zuid-Holland to get more (cyber) IT professionals employed in SMEs. It is now a matter of bringing this to the attention of SMEs and keeping it there. This is precisely what the Economic Board Zuid-Holland and Security Delta (HSD) want to work hard for in the coming period.
Human Capital Agenda South-Holland
By carrying out the follow-up steps and entering into discussions with organisations in the region about training in cybersecurity, a Human Capital sub-agreement for South Holland could be a possible sequel. Because awareness is good, but training is better.
You can find the condensed version of the "Human Capital Cybersecurity Instrument" here. For more information, contact Ron Brans (firstname.lastname@example.org) or Mark Ruijsendaal (email@example.com).