Human Resources

Human Resources, the Missing Piece From Every Security Program

Like a ‘service on the Internet’ – which we’ve had for decades – is now called The Cloud, Human Resources is now known by more touchy-feely names. Talent, People, Employee Success, all sound great, but they don’t represent a fundamental shift in the functions they perform. Or even HOW they perform those function from what I’ve seen.

Regardless of what the department is called, I’ve never seen one take an active part in their organisation’s security program. Not one, in the better part of 20 years, and as I hope to demonstrate, this a significant loss to everyone concerned.

HR are usually the very first people in an organisation that you talk to, often even before the interview process begins. They are first ones who can instill the security culture in new candidates from the get-go. Anyone who has tried to implement a security awareness program knows that the loss of this ‘first impression’ makes the task exceedingly difficult. Unnecessarily so. If the joiners had just been told how important security is, AND received appropriate training, they would just accept it as a fact of life. Try and force it on them after they have already learned the bad behaviours and your impact is enormously reduced.

But there are 5 fundamental areas in security, that with HR’s help, would be significantly more effective:

o

  1. Onboarding – As I have already stated above, HR are the first people with whom new employees have interaction. The onboarding process is the perfect time to get everything out on the table. From Acceptable Use Policy / Code of Conduct, to security awareness training, security can be instilled from the very beginning. Now imagine if the CEO had a welcome letter prepared that emphasised the importance of data protection / privacy. Imagine further that this letter detailed what is expected them, and to take this aspect of their jobs seriously. There is ZERO cost associated with any of this, yet the positive impact of the security culture is immeasurable.
    o
  2. Role Based Access Control – The hint is in the title; ROLE based. If HR broke the org chart into specific roles, granting appropriate access to all joiners, movers , and leavers would be that much simpler. In theory, everyone gets what I call ‘base access’, usually consisting of email address and domain access. A role could then receive everything they need to perform their basic job functions automatically. Then, an individual could apply for any additional access they require. Everything is now recorded appropriately, allowing for not only a demonstrable access control process, but the raw material for all access reviews. Especially those with elevated privileges.
    o
  3. Policies, Standards, and Procedures – If you accept that policies represent the distillation of the corporate culture, standards are the baselines of ‘known good’ configurations, and procedures are the sum of all corporate knowledge, why aren’t these distributed at the beginning? First, most organisations don’t even HAVE these documents in place, at least not in a condition to meet the above criteria anyway. Second, even if they did exist, HR take no part in their distribution. Why not? If they assisted with RBAC per 2. above, surely it’s a simple step to have the relevant department heads which documents should be attributed to a specific role? Can you imagine it, every new employee knows 1) what they should and should not do, 2) how to do it, and 3) what to do it with!
    o
  4. Security Awareness Training – OK, so HR are not security experts and will take very little part in developing the SAT content, but they should be involved in HOW it’s delivered. HR are the people experts, IT and IS professions are usually quite the opposite. Training written by me would suit technical people, who’s going to write it for everyone else? After all, it’s usually the ‘everyone else’ who are the cause of most of the issues. HR should also be tracking the annual SAT program and flagging any issues to the employee’s supervisor etc.
    o
  5. Role Specific Procedures – This one is a bit of a stretch, but I can’t just have 4 bullet points. The concept is that part of everyone’s job description is to document every one of their repeatable tasks. If the procedure already exists, they could be challenged to improve it. In almost every job I’ve had there was a 3 month probation period. This review, and every performance review from that point forward could include a procedure section where failure to develop appropriate content has negative repercussions. Or, for the glass-half-full folks, great documentation has rewards attached to it. Imagine how nice it would be is every new starter just moved forward and didn’t have to waste time re-inventing the wheel.

The fact is most HR departments are not geared to perform any of the above functions. They are simply not trained to do so. I can’t help thinking this is a terrible waste.

I’d actually love to hear from some HR folks, even if you’re gonna tell me I’m way out of line! 🙂

[If you liked this article, please share! Want more like it, subscribe!]