CISO Guide: How can you work with HR to improve your cybersecurity?

HR and cybersecurity have one thing in common — people. Cybersecurity teams must work hand in hand with their HR colleagues to have any chance of success.

As a cybersecurity professional, one of your key soft skills is to be a social butterfly. You strive to work across all areas of your organisation.

Of course you work hand-in-hand with the IT department. But there is another crucial department you need to walk cheek by jowl with — Human Resources.

HR = People = Cybersecurity

It's a simple equation. No matter what technology a company deploys to make it cyber secure, people are the ones who operate and/or work with it daily.

They need to appreciate the value of data and have the knowledge and confidence to know what to do in any given situation.

You need to give them this vital knowledge and experience, or ‘data craft’. It is this data craft that complements the technology they use and creates the strongest cybersecurity protection you can get.

CISOs know how easy it is to fall into the trap of being seen, falsely, as the Business Prevention Officer. Working closely with HR removes this wrong perception. It then follows that you can achieve the balance you are seeking between maximising security and allowing employees to work freely and effectively.

And this is where your metaphorical schmoozing with the HR department comes into play. Collaborating closely with your HR colleagues can bring big gains. Not just for the achievement of your awareness and training objectives, but for the business as a whole. You’re both in the ‘people business’ after all.

So, how should you work with your HR colleagues? Here are a few ideas.

‘Before the cradle to beyond the grave’

Cybersecurity throughout the employee lifecycle

Cybersecurity is in play from before you take on a new employee to beyond the minute they leave. On- and offboarding are the highest-risk times for information security. Involve your team before the recruitment process begins to guide HR on cybersecurity matters. For example, check closely contract terms and conditions to ensure employee responsibilities are clear and any restrictions with information are watertight.

Onboarding and prioritising information security

Your input as CISO is crucial in the onboarding process to ensure that information security is a priority from day one. Before hiring any individual, tight controls around access rights need to be in place. It is important to associate access rights, passwords and permissions with the job role and not the employee. This enforces the understanding that all secure information belongs to the workplace, not the individual.

Monitoring remains important once people are on board too. Keeping track of their activity will uncover issues and policy violations. Should this happen, HR is once again your go-to. They can step in to handle investigations if necessary.

Managed offboarding for secure goodbyes

When an employee leaves your business, it is vital that they do not take secure and sensitive information with them. A pre-planned offboarding process is necessary, especially when dealing with employees who may be unhappy or leaving due to disciplinary action. Consider the ongoing financial burden the 2014 revenge hack on Morrisons is causing to the company. This is an example of how an unhappy employee can use insider knowledge to cause significant damage after they leave.

Every leaving employee should have all access rights revoked immediately on departure – from admin access to domains, to security passwords for client files. Likewise, it is also important to consider every device they may have used and revoke access across all of these.

In trickier cases where you know an employee is leaving on bad terms, be sure to have a plan in place. Seek legal advice and prepare to work with the relevant law enforcement bodies to avoid any risk to your business information security.

CISOs and HR management need to work together to cover all outcomes.

In daily operations...

1. Education and communication

CISOs and information security teams need to have open dialogue with HR to ensure they understand security issues and concerns. Ensure your HR team is well-trained in cybersecurity. They need the right mindset to support current staff as well as new employees. As you develop your relationship with HR, they become your ambassadors as well as facilitators.

2. Influencing the ethical framework

All information security procedures should be rooted in the company’s values and consistent in style with other policies. HR can help you make sure that this happens. That integration will mean simpler and more consistent messages and higher compliance levels.

3. Incentive programmes

Very often HR has experience in developing employee incentive and rewards schemes. Why not integrate some of your cybersecurity objectives into these programmes? Closer integration with the overall rewards culture of your company will save time and money, and deliver better results.

4. Monitoring and enforcement

HR teams vigilate behaviours and handle sensitive issues of employee non-compliance across multiple business areas. Even with the best cyber awareness training, mistakes will occur and vigilance is necessary. It can mean more training or disciplinary action, dependent on the situation. HR input will be valuable to ensure an appropriate response.

Putting people at the heart of cybersecurity

Human error is behind most cybersecurity leaks. The solution is to work with your people. Therefore, create the best possible framework for a secure, yet manageable working environment.

This positive collaboration with HR will deliver huge gains in cybersecurity.

To find out how we can support you in building understanding awareness of cybersecurity through bespoke training, please get in touch with Jenny or your TSC Client Project Manager today.