How HR and IT Can Partner to Improve Cybersecurity
With their lens into the human side of business, human resources can be an effective partner in the effort to train employees on awareness and keep an organization secure.
November 4, 2019
Throughout Cybersecurity Awareness Month we examined the different ways some organizations are building a culture of security awareness and getting employees and executives on board with viewing security as everyone’s responsibility.
One department we haven't spoken to yet is human resources. And according to Marcy Klipfel, SVP of employee engagement at benefits administration tech company Businessolver, HR is uniquely equipped to humanize and promote security within an organization, and IT is missing out on an opportunity to use HR skills and insight to enhance risk mitigation.
The Edge asked Klipfel for her thoughts on why HR should be more involved in security and why it is an important move in creating improved security culture.
The Edge: Most businesses go to the IT department to develop policies and procedures around employee security awareness. You say they should be consulting HR, too. Why?
Klipfel: While technical sophistication is vital to any successful cybersecurity strategy, putting fancy locks on the doors won't keep the company safe if employees are opening the windows. Human error is one of the greatest threats to an organization. But HR leaders can engage employees in recruitment, culture, and education to boost awareness and adoption of new policies to help IT teams develop a "human firewall" for your organization, turning employees – your greatest security threat – into your greatest asset.
The Edge: Creating a "human firewall" is also the mission of security training that the infosec team brings to the table. What different perspectives and value can HR bring to the security conversation?
Klipfel: HR approaches security through the lens of the organization's people. HR teams can drive a cybersecure culture by ensuring that employees know what is expected of them to keep the organization safe from security issues. While IT is typically consulted to outline policies and procedures, HR can communicate the importance of new policies and execute IT's plans to protect the company through training and modules to ensure proper adoption.
The Edge: So should HR be involved in employee awareness training and testing procedures? To what extent and how?
Klipfel: From day one, HR can help current and prospective employees understand a company's commitment to a cybersecure culture. HR professionals can offer creative ways to spice up training modules, including gamification and learning management systems [LMS], and they can aid with mock testing to allow employees to learn from their mistakes. At Businessolver, we regularly send a fake phishing email from a seemingly reputable sender to random employees asking them to click a link and/or share personal or professional information. If an employee follows through, they receive a message telling them that it was a phishing attempt, thus increasing their vigilance for the future.
The Edge: Some might say, 'What does HR know about technology? How can they really add value?' What is your reaction to that attitude?
Klipfel: The world of technology and cybersecurity is constantly changing, making it difficult for even the best IT professionals who work in the field every day to keep up. The role of HR is their expertise in engaging with employees and demonstrating the importance of protecting data and information, which is critical to the success of any cybersecurity program. They can help employees navigate technology and turn them into partners in securing the organization.
The Edge: Should HR be involved in technology conversations, such as purchasing decisions, that revolve around security?
Klipfel: HR professionals receive valuable personal information from all employees when they are hired and throughout their tenure, so it's important for the HR department's technology platforms and tools to be secure. Additionally, HR can provide insight into how new technologies should be incorporated into the workforce to maximize participation and adoption.
The Edge: How can organizations get started with a conversation between IT and HR?
Klipfel: A great place to start is by setting up an initial meeting where IT and HR leaders can coordinate on current cybersecurity plans and how to address any security pain points from an employee perspective. From there, it's best to meet regularly – typically every quarter – to discuss how to best train the workforce, create an emergency response plan with team roles and responsibilities should an attack occur, and share key learnings or insights from recent tests or trainings.