Human resources has traditionally been a people-focused discipline. However, the relationship between HR and information technology has grown rapidly in recent years because of the abundance of new technologies and compliance requirements. For today's CHROs, understanding security benchmarks is crucial.
Ponemon Institute research indicates that employee negligence is the biggest source of data risk, which should embolden HR leadership to embrace their role as security champions.
Why CHROs Have Become Chief Human Security Officers
Employees act as gatekeepers to the vast majority of successful cyber-crime attacks, with Forbes estimating that some 90 percent of all malware requires "human interaction" or permission before it can do any damage. Compliance and behavioral training are cornerstones of successful protection programs, which require collaboration between CHROs, Chief Information Security Officers (CISOs) and other members of the executive team. In addition to a responsibility to reduce behavioral risks, CHROs must also embrace and understand their role as protectors of employee data.
HR information system (HRIS) technologies have evolved at many organizations to incorporate ACA time tracking, deeper databases and even predictive talent algorithms. CHROs should be aware that increased information is often coupled with increased risk. For CHROs meeting with CISOs or other high-level security personnel, understanding certain security benchmarks can be key to reducing departmental risks.
The following aspects of security are valuable to consider:
1. Employee Awareness
Awareness training is among the most important benchmarks to mitigate organizational risks. In fact, leading organizations are 70 percent more likely to implement "end user awareness programs," according to Security Week. CHROs must work closely with CISOs to adopt training and technologies that have a real impact on employee behaviors. In addition, awareness programs should address each of Security Week's cornerstones for human-driven risk mitigation, including:
- Behavioral change
- Knowledge development
- Disciplinary baselines
Ideally, information security awareness shouldn't begin at your annual or quarterly training. It should start with updated position descriptions for recruitment, which address every employee's responsibility to protect information. Security should also be included as an essential element of new hire onboarding processes.
If your organization is required to comply with Payment Card Industry Data Security Standards (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Affordable Care Act (ACA) or other regulatory requirements, meeting these baselines is a critical security benchmark.
While the role of HR in compliance can vary between organizations, the complexity of many regulations requires organization-wide efforts to achieve standards. Notably, Deloitte highlights that HR's responsibility to meet benchmarks can include:
- Recruiting knowledgeable talent
- Education and training
- Employee handbooks and policies
- Compliance audits
3. Incident Management
Planning for recovery from a data breach or other crisis is an important benchmark of business continuity, which is traditionally a cross-departmental function that involves close collaboration between IT, HR and other leaders. HR should take a leading role in developing a crisis management plan and disseminating information and training.
4. Policy Development
Creating an up-to-date policy for information security isn't just a best practice; it's required by PCI and other regulatory measures. CHROs must be prepared to collaborate in benchmarking their policies against regulatory standards. Search Security highlights the need for modern CISOs to drive policy development processes "with HR." In conjunction with legal counsel, newly formed policy teams should work to address the following:
- Acceptable use
- Business continuity
5. Other Security Benchmarks
Other technical security benchmarks could include application security, configurations, patch management and automated scanning for network vulnerabilities or penetration testing. Although it's unlikely that CHROs will have direct involvement in the administration of the benchmarks recommended by the Center for Internet Security, some familiarity could be helpful for creating effective position descriptions and policies.
As information security and risks evolve, it's clear that CHROs must become strong advocates for organizational risk management. By understanding key information security measures and benchmarks, HR leadership can develop a stronger understanding of the state of security at their organization and be more effective risk managers.