The number of data breaches reported each year continues to increase, and companies are looking at a stronger alliance between human resources and IT professionals to improve their information security strategies. Teamwork between HR and IT is in place at most organizations and is, of course, important because these two departments touch every employee at a company. The increased use of technologies, coupled with changes in the workforce, has increased the importance of the HR/IT relationship in combating growing information security concerns. There are three areas where this partnership is becoming critical to avoid breaches.
On and Off Boarding
Problem – Getting a new employee set up with the proper access to systems and software is a focal point of a company’s onboarding strategy. Studies show that both retention and engagement improve when an employee is effectively onboarded. From a security perspective, offboarding can be just as important as onboarding. When an employee leaves a company, IT or others who may have granted access to systems must ensure that access is promptly removed. The increase in the number of systems utilized at organizations has made turning access on and off more complicated.
Solution – Access rights to systems should be aligned with roles or positions at a company. Automated workflows can provide notifications and process sign-offs as employees enter and exit a company. These workflows, along with tools such as single sign-on (SSO), make the process of turning system access on and off more efficient and secure.
Training and Education
Problem – Whether it's carelessness or a malicious act, employees continue to be a top cause of data breaches. In spite of awareness of this issue, only about 50 percent of those surveyed believe their training program is actually improving data protection and information security awareness. The main issues with security training programs arise when a “one size fits all” approach is taken and the training happens once a year with no reinforcement.
Solution – Training and education need to be personalized; by that, I mean employees should understand how it affects them. Cover things they should do in their personal lives to improve information security and what can happen when they don’t take security seriously. Focus security training on what is meaningful to people in their role and then make that a part of a department’s new hire orientation. Look for ways to reinforce training through repetition, such as surveys and tests. Studies show the average person must hear or read a piece of information at least three times to remember it. And finally, periodically update the training material to reflect changes in roles and new areas of risk hackers are trying to exploit.
Recruiting and Retention
Problem – Recruiting and retention are areas where IT and HR are facing increased challenges. Public news of a data breach does not help efforts to attract and retain talent, but a bigger issue for organizations is the labor shortage in the cybersecurity field. According to studies, last year there were over 1 million vacant cybersecurity positions worldwide, and of those, 200,000 were in the U.S. Those numbers are expected to increase. While that might be good for people going into the cybersecurity field, it creates a real dilemma for companies looking to hire security professionals.
Solution – Contract workers are becoming popular to supplement the talent shortage, and smart organizations are turning to HR to assist in finding these contract workers or identifying firms that specialize in temporary placement of security professionals. Another approach companies are taking is hiring college graduates and offering programs for students to gain experience while continuing their education. The goal is to add team members with high potential but low experience, often referred to as HPLEs. Ongoing education and mentor programs with experienced leaders can quickly provide the experience and skills to help these HPLEs advance. The education and mentorship are typically a draw for those seeking to advance in the field of cybersecurity and can be invaluable in retaining these employees.
Every department in an organization must share the burden of improving information security programs. HR and IT clearly play key roles and must become evangelists, setting an example for other departments. An effective information security strategy considers technology and people. Employee behavior, objectives, and inclinations must be considered and influenced to make security a part of the way we think and work.