Paul King argues in Workforce that HR needs to adopt a new mindset when it comes to cybersecurity:
Despite the increased vulnerability of HR systems, many HR professionals still view themselves in the traditional role of workforce management, choosing to leave cyber risk management to other departments, notably IT.
According to a recent IBM security study released this year, 57 percent of chief human resources officers globally have rolled out employee training that addresses cybersecurity. However, the respondents’ positive percentages dropped noticeably when asked if they provided cybersecurity training that included measurable, results-based outputs, or if there was reinforcement throughout the year that provided more than a once a year cybersecurity training. …
The IBM report urged key executives in human resources, finance and marketing departments to be more proactive in security decisions, coordinate plans internally and to be more engaged in cybersecurity strategy and execution with the C-suite and IT. This means HR personnel should not only stay abreast of proper security processes when it comes to accessing sensitive employee data, but they should be able to communicate updates about cyber threats effectively to the enterprise, to current and new employees, and contractors.
From my perspective, the implication here is that the CHRO-CIO relationship needs to become closer. King hints at this notion at the end of his article, but it merits more discussion.
Within HR, the emergence of big data, cloud services, and the digitization or “app-ification,” as it were, of HR services mean that technology is no longer a mere tool to execute HR strategy: Technology is HR strategy. As King underscores, one of the new challenges for an HR executive is that more people inside the organization (talent analytics teams) and outside the organization (cloud-based service providers) have access to employees’ personally identifiable information now than ever before, creating numerous points of system vulnerability. So how do you best protect this data while still capitalizing on its potential?
The article specifies a couple of valuable tactical actions HR and IT teams can take to protect employees’ personally identifiable information, such as expeditiously removing an employee’s IT access when they are terminated. However, too much onus is placed on HR staff to somehow find a way to “stay abreast of proper security processes” in order to then “communicate updates about cyber threats effectively to the enterprise, to current and new employees, and contractors.” This is clearly not something HR employees can or should be doing alone, and HR executives need to find a better approach.
Heads of HR in particular should take advantage of their next meeting with their CIO, whether it’s a formal meeting or an informal chat over coffee, to sit down and have an open conversation about the increasing convergence of their two functions, especially as it relates to cybersecurity, and to identify when and where their teams need to work more closely (and potentially in new ways).
One way to start this conversation is by discussing the CIO’s strategic cybersecurity objectives. Taking these objectives and breaking them down into their specific activities or tasks, HR executives can better identify those that require HR support. Then they can brainstorm with the CIO relevant objectives that the HR function can be held accountable for and incorporate them into the 2017 strategic planning efforts underway right now at many organizations. In this way, heads of HR and IT can lay the foundation for productive and sustainable collaboration across a range of cybersecurity threats that have no definitive shape and abide by no functional boundaries.