What role does HR play in cyber security?

Cybersecurity is increasingly becoming a whole-of-business issue, and that includes HR.

Historically, cybersecurity has been primarily handled in the IT space. However, these days HR has an important seat at the table in terms of the holistic business-wide approach to addressing cyber security.

If you look traditionally at where HR has played a role in cybersecurity, it has been more around policy enforcement and compliance. That is obviously important, but that is not going to really change behaviour. What you really want to do when you are building a security culture is drive a real behaviour change.

This is about reiterating that the messaging is crafted to the individual, and that is no different from any other activity HR does to align people with the organisation's goals and policies.

Security is just another organisational goal. So, if you tell an employee to do something just so the next quarterly results are great, or just so the shareholders are happy, that doesn’t align well with them unless they are a shareholder.

You need to encourage what is relevant to them in their job. And people do not want to be the one that let the attacker through, they don’t want to be the one that causes the breach.

It’s also crucial to build a top-down security culture, and culture is HR’s domain. So, if the culture isn’t driven top-down, it is not going to filter down in the right ways to the employees.

If management is focused on productivity, the next quarter's results, etc., that is going to filter down to the employees and the way that they conduct their job.

If security is seen as an important priority, as it should be for the C-suite and middle management, it will filter down to the organisation and people will act accordingly. So, it is vital to establish that top-down culture when it comes to security.

People are often the weakest link when it comes to breaches and this is the space where HR plays a part.

It means really thinking about how you get through to the individual and reinforce positive behaviours. Often these types of exercises can turn into a witch hunt, which is not productive.

It is not about pointing out that you’re the failure or you’re the issue. It’s more about saying these are the behaviours that we are trying to instil.

Being able to reinforce and positively reward those behaviours, and really embracing that culture holistically from the top down, is how you do it.

It is easier said than done, but it is one of those things that you have to work at every day, and that’s how you get it right.
