Convergence of Physical and Cybersecurity to Protect HCM Data

This article was updated on July 17, 2018.

Because the data used in your HCM systems is among the most valuable, strategic and sensitive data in the entire organization, physical and cybersecurity concerns are probably something that keeps you up at night. According to a report from McAfee, your biggest security threat may actually be inside your organization, not outside it: 43 percent of data loss was caused by internal actors, either through malice or negligence.

Breaches can come from every direction, and hackers usually target your areas with the highest vulnerability, which may stem from either the physical security or the cybersecurity domain. The convergence of physical and cybersecurity to better protect HCM data is increasingly feasible on the technical level, but challenges for such a convergence may still require significant organizational change.

Technical Convergence of Physical and Cybersecurity

Physical security — surveillance cameras or sensors to monitor who is doing what and where, for example — has long been separated from cybersecurity. Those two domains, however, can work together toward the same goal: keeping intruders out. An outside hacker who gains physical access to a company computer, for example, is in a much better position to breach encryption software and firewalls and infiltrate your HCM systems to extract data.

A lack of convergence between physical and cybersecurity makes it difficult to identify physical intruders, detect cyber infiltration efforts and monitor or detect a person who may be accessing your computers without authorization. It could be months before you even know that you've been infiltrated, a major data security concern.

But with the growth of the Internet of Things — networked devices — organizations can get a better picture of who is accessing their data. As a white paper from Cisco explains it, physical and cybersecurity "have matured to the point that they can now be integrated. The convergence of the IP network and the migration of legacy sensors and appliances to TCP/IP have helped drive this transformation. Cameras are now IP-based; card readers use the IP network instead of a proprietary network; and access lists, policies, and procedures are stored and generated by computers."
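Once card readers and access lists live on the same IP network as the workstations, the two event streams can be joined. The following is an added example (not from the article or from Cisco) that flags a workstation logon at a site where the same user has no granted badge entry in the preceding hours; the log layouts, site naming (reader prefix equals site code) and sample events are all constructed assumptions.

```python
"""Correlate badge-reader events with workstation logons (added example).

Assumed, constructed record layouts (not a real product's format):
  badge:  timestamp,user,reader,result      reader prefix (before '-') is the site
  logon:  timestamp,user,host,site
"""
from datetime import datetime, timedelta

# Constructed sample data for illustration only.
BADGE_EVENTS = """\
2018-07-16T08:02:11,alice,HQ-LOBBY,granted
2018-07-16T08:05:40,bob,HQ-LOBBY,granted
2018-07-16T12:30:05,carol,HQ-LOBBY,denied
"""

LOGON_EVENTS = """\
2018-07-16T08:10:02,alice,HQ-WS-014,HQ
2018-07-16T08:12:55,bob,HQ-WS-021,HQ
2018-07-16T12:35:19,carol,HQ-WS-007,HQ
2018-07-16T13:01:44,dave,HQ-WS-030,HQ
"""

WINDOW = timedelta(hours=4)  # how long a granted badge-in is taken to cover a logon


def parse(text):
    """Split CSV-style lines into field lists."""
    return [line.split(",") for line in text.strip().splitlines()]


def find_unbadged_logons(badge_text, logon_text, window=WINDOW):
    """Return (timestamp, user, host) for every logon whose user has no
    granted badge entry at that site within `window` before the logon."""
    granted = {}
    for ts, user, reader, result in parse(badge_text):
        if result == "granted":  # denied swipes do not establish presence
            site = reader.split("-")[0]
            granted.setdefault((user, site), []).append(datetime.fromisoformat(ts))
    alerts = []
    for ts, user, host, site in parse(logon_text):
        t = datetime.fromisoformat(ts)
        entries = granted.get((user, site), [])
        if not any(t - window <= entry <= t for entry in entries):
            alerts.append((ts, user, host))
    return alerts


if __name__ == "__main__":
    for alert in find_unbadged_logons(BADGE_EVENTS, LOGON_EVENTS):
        print("logon without matching badge entry:", alert)
```

In the sample data carol's swipe was denied and dave never badged in, so both of their logons are flagged for review while alice and bob are not.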

Typically, management of security guards, building access controls and cameras has been controlled by the facilities or physical plant department, while cybersecurity is a core IT function. But because those two domains are so linked in their goals, organizations can restructure to perform this critical data-protection role within a single entity. As Scott Borg, Director of the U.S. Cybersecurity Consequences unit, relays in the white paper, "As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one. The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organizational level."

Leading Organizational Convergence: 4 Steps

HR can take the lead in an organizational convergence:

1. Organize an interdepartmental, interdisciplinary security convergence team that includes your IT/cybersecurity leaders and your physical security/facilities leaders.

2. Define how communication structures will work on the interdepartmental team, and then begin the process of defining the potential benefits, the desired outcomes, KPIs and the timetable for this critical security convergence process. You want to work together to develop a powerful business case for convergence, answering the why, what, when, how much, who, etc.

3. Present your business case to your leadership team and seek buy-in in order to allocate the necessary resources for the change management process. HR should be especially careful about making sure that cultural issues such as transparency and strong communication structures are supporting the convergence process. Breaking down departmental silos may be a challenge during the whole process.

4. Once you have leadership buy-in, HR should continue to participate in the implementation of convergence efforts, ensuring that project goals are met and communication and cultural barriers don't hamper progress.

Global Implications

The complexities of convergence grow as an organization expands globally. While cybersecurity specialists have largely figured out how to integrate networks and computers within a multinational entity, the challenge comes when integrating physical security. That's where HR leaders will really earn their stripes. Language, culture and varying national laws may present major hurdles to progress, so HR leaders from global organizations will be integral to overcoming those barriers to human and technical integration.

Because HR is the first guardian of employee-related data in HCM systems, it should lead a collaborative initiative with IT and whatever department controls the physical security domain to make a clear business case for both technical and organizational convergence of physical and cybersecurity domains. As the value of employee data grows, protecting the data within your HCM systems has never been more critical.