Agreeing roles and responsibilities

To effectively embed cyber security within the delivery of government services, project teams need to make security everyone’s responsibility.

While some roles will have more duties than others, improving the overall security culture is the most effective way to ensure risks are understood and managed throughout the digital delivery lifecycle.

Agreeing team and stakeholder responsibilities will allow you to:

assign ownership of specific security activities
identify skills required within the team, and fill any resource gaps with recruitment or training
give each individual involved in the project personal responsibility for mitigating risk

This should be conducted at the start of the project, with changes in requirements continually assessed as delivery progresses through various phases.

Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to create responsibility for cyber security risk.

Who is involved

Working together to determine the roles and responsibilities across your project should be your Senior Responsible Owner (SRO), service owner, and product and delivery managers.

Discussions should also take place with security professionals across delivery teams to agree where responsibilities best sit.

It’s important that those being given responsibility for security are consulted as part of the process, rather than having tasks assigned to them. This will allow security to be considered during digital delivery and reduce the risk of security activities being overlooked due to ambiguity around who should perform them.

How to agree security roles and responsibilities

Step 1: Review the existing organisation resource plan

Your organisation’s programme and project management offices will be able to share details of any models already in use that align tasks and deliverables with team roles. If a suitable model exists, discuss with them how cyber security responsibilities can be integrated.

If there is nothing suitable available, you will need to produce and maintain this information separately.

Step 2: Understand responsibilities related to mandatory security obligations

Every organisation has certain obligations related to cyber security. These could be related to policies, regulations, laws, or contracts, and may be different for each digital service depending on the type of data handled and the industry in which it operates.

Consult with the security professionals within your organisation to establish the tasks that should be assigned to roles within your project to meet these obligations.

Step 3: Understand responsibilities for delivering secure digital services

To deliver a secure digital service, various activities need to be completed during each stage of the delivery lifecycle. These cover both operational and technical security tasks.

Consult with the security professionals within your organisation to establish the tasks that should be assigned to roles within your project to meet these secure by design activities.

The Secure by Design activities guidance provides a recommended approach to follow when building and maintaining a secure digital service. This can be tailored to reflect your service when collating a list of the cyber security responsibilities that will need to be allocated across your delivery team.

Step 4: Assign tasks to roles

Associate the roles within your project to each responsibility identified in the previous steps. This should cover who is involved but does not need to include details of what each task consists of, or how it will be carried out.

The Secure by Design activity Identifying security resources will help you understand the people and skills required within your project.

The suggested approach is to create a RACI matrix to clarify inputs and expectations:

Responsible – team members making a direct contribution toward the completion of a task
Accountable – the individual (typically one, but can be two where there’s shared ownership) with final authority over the successful completion of a task
Consulted – subject matter experts providing input on the task and advising how it may impact other activities‍
Informed – people kept up-to-date on the progress and outcome of an activity who do not need to give input on the work

Example cyber security roles and responsibilities RACI matrix

Delivery teams can use this template as a starting point for assigning roles and responsibilities to Secure by Design activities.

Secure by Design RACI Matrix (Google Sheets)

Click the ‘Use Template’ button to create a copy

Secure by Design RACI Matrix (Microsoft Excel)

This will download a file to your device

The roles included within this example reflect recommended service team roles, the security profession career framework and digital and data profession capabilities. You will need to adapt this to reflect the structure of your organisation and delivery teams.

Step 5: Share and monitor roles and responsibilities

The output of this activity should be shared with everyone that has been assigned a responsibility. Delivery team managers should ensure that everyone understands what is expected of them and that they agree to take on the relevant security responsibilities.

Where suitable, specific tasks should be included within job descriptions and monitored through regular performance reviews.

Roles and responsibilities should be regularly assessed during the lifecycle of a project to confirm:

the security tasks are still appropriate for the service
the people involved are aware of what’s expected of them
individuals in each role have the necessary skills and knowledge to perform the tasks they have been assigned

In instances where security issues have been identified, this process should be revisited to ensure that roles are appropriately assigned with improvements made to reduce the risk of repeat incidents.