The Role of HR in Cybersecurity

​As an information technology (IT) security specialist, I am responsible for ensuring that my organization follows best practices to protect its data, assets, intellectual property and reputation. In doing so, I wear many hats: technical engineer, analyst, trainer, policy enforcer, security cheerleader, auditor, ethical hacker, researcher, investigator. My primary role, however, is communicator. I communicate with staff members to ensure they understand that their responsibility for information security is commensurate with their access to the data and company resources their jobs require—this is the essential key to success in security. 

Every year in October, in observance of National Cybersecurity Awareness Month (NCSAM), I get a chance to share my passion for security and privacy. In coordinating activities and scheduling events highlighting cybersecurity, I am reminded of the vital role that HR plays as my partner. I rely on my partnership with the HR department to set expectations with all staff, stressing the importance of information security from day one, beginning with the initial recruiting process and continuing throughout an employee's tenure. HR is the conduit between the IT security department and staff—clarifying policy, providing resources, and working behind the scenes to recognize and anticipate the potential information security issues that arise in every company. Working closely with HR provides me with insight into the maturity of employees' overall security awareness. 

Keep Workers Motivated and Vigilant 

To be effective, information security must be emphasized as a standard business practice, well-integrated throughout the organization and reinforced in an ongoing security program that is kept relevant, engaging and fresh. This emphasis should occur during new-hire orientations, while gathering personal information during onboarding, and while working with sensitive information such as payroll, benefits, and performance and health data.

Maintaining a robust security-awareness program that is mandatory for all staff can help employees feel empowered and involved in a critically important function of the business, while driving home the understanding that everyone in the organization is responsible for information security. 

High on my list of challenges is keeping up-to-date on a dizzying array of security-related matters: data breaches, virus and malware exploits, vulnerabilities, and social engineering attempts that target everyone, including administrative staff and executive leaders. These efforts pale in comparison to my challenge as communicator: finding new and innovative ways to keep workers motivated and vigilant about security as they try to perform their jobs under the specter of falling victim to a clever phishing e-mail. 

Crowdsource to Spread Awareness and Share Strategies 

Cybersecurity in 2018 relies heavily on collaboration. A big buzzword in the IT industry today is "crowdsourcing"—using the sharing power of the global Internet to assist in large or difficult tasks, such as gathering information, requesting input on projects and soliciting funds. The idea of information sharing via crowdsourcing is particularly valuable for cybersecurity professionals and is widely used to help identify phishing trends, pinpoint malicious activity and share mitigation strategies. 

The same holds true for security issues within an organization. As important as it is for employees to have the awareness, tools and processes required for basic security, it is also vital that they feel comfortable reporting security suspicions, particularly those spurred by the suspicious behavior of co-workers or management.

Cybersecurity Issues That HR Can Evaluate

During this year's NCSAM, I urge all HR professionals to take ownership of their organizations' efforts in information security. To start, here are a few of the top security issues that HR may want to evaluate as part of its partnership role with IT security in your organization:

• Protecting company data when many staff members are working remotely.
• Ensuring that information security controls are in alignment with the organization's mission, goals, priorities and initiatives.
• Defining and updating roles and responsibilities regarding access to data.
• Adhering to legal regulations and complying with industry norms.
• Maintaining well-documented policies, standards and best practices.
• Ensuring that procedures for reporting a data breach are known by all staff, and that procedures for responding to an incident can be carried out efficiently and without additional data compromises.
• Ensuring that your acceptable-use policy is comprehensive and clearly written.

Links to NCSAM Resources: 

• Stay Safe Online (National Cyber Security Alliance) 
  
• National Cybersecurity Awareness Month (U.S. Department of Homeland Security)
  
• Stop. Think. Connect. Toolkit (public awareness campaign)
  

Robert Chavez, M.P.S., CISSP, is SHRM's senior IT security specialist.