Throughout Cybersecurity Awareness Month we examined the different ways some organizations are building a culture of security awareness and getting employees and executives on board with viewing security as everyone’s responsibility.
One department we haven't spoken to yet is human resources. And according to Marcy Klipfel, SVP of employee engagement at benefits administration tech company Businessolver, HR is uniquely equipped to humanize and promote security within an organization, and IT is missing out on an opportunity to use HR skills and insight to enhance risk mitigation.
The Edge asked Klipfel for her thoughts on why HR should be more involved in security and why it is an important move in creating improved security culture.
The Edge: Most businesses go to the IT department to develop policies and procedures around employee security awareness. You say they should be consulting HR, too. Why?
Klipfel: While technical sophistication is vital to any successful cybersecurity strategy, putting fancy locks on the doors won't keep the company safe if employees are opening the windows. Human error is one of the greatest threats to an organization. But HR leaders can engage employees in recruitment, culture, and education to boost awareness and adoption of new policies to help IT teams develop a "human firewall" for your organization, turning employees – your greatest security threat – into your greatest asset.
The Edge: Creating a "human firewall" is also the mission of security training that the infosec team brings to the table. What different perspectives and value can HR bring to the security conversation?
Klipfel: HR approaches security through the lens of the organization's people. HR teams can drive a cybersecure culture by ensuring that employees know what is expected of them to keep the organization safe from security issues. While IT is typically consulted to outline policies and procedures, HR can communicate the importance of new policies and execute IT's plans to protect the company through training and modules to ensure proper adoption.
The Edge: So should HR be involved in employee awareness training and testing procedures? To what extent and how?
Klipfel: From day one, HR can help current and prospective employees understand a company's commitment to a cybersecure culture. HR professionals can offer creative ways to spice up training modules, including gamification and learning management systems [LMS], and they can aid with mock testing to allow employees to learn from their mistakes. At Businessolver, we regularly send a fake phishing email from a seemingly reputable sender to random employees asking them to click a link and/or share personal or professional information. If an employee follows through, they receive a message telling them that it was a phishing attempt, thus increasing their vigilance for the future.
The Edge: Some might say, 'What does HR know about technology? How can they really add value?' What is your reaction to that attitude?
Klipfel: The world of technology and cybersecurity is constantly changing, making it difficult for even the best IT professionals who work in the field every day to keep up. The role of HR is their expertise in engaging with employees and demonstrating the importance of protecting data and information, which is critical to the success of any cybersecurity program. They can help employees navigate technology and turn them into partners in securing the organization.
The Edge: Should HR be involved in technology conversations, such as purchasing decisions, that revolve around security?
Klipfel: HR professionals receive valuable personal information from all employees when they are hired and throughout their tenure, so it's important for the HR department's technology platforms and tools to be secure. Additionally, HR can provide insight into how new technologies should be incorporated into the workforce to maximize participation and adoption.
The Edge: How can organizations get started with a conversation between IT and HR?
Klipfel: A great place to start is by setting up an initial meeting where IT and HR leaders can coordinate on current cybersecurity plans and how to address any security pain points from an employee perspective. From there, it's best to meet regularly – typically every quarter – to discuss how to best train the workforce, create an emergency response plan with team roles and responsibilities should an attack occur, and share key learnings or insights from recent tests or trainings.