HR and IT Make a Powerful Cybersecurity Team

It's not just a technical hurdle anymore. It's a workplace-culture problem, too.


According to the Harvard Business Review, 60% of attacks come from inside a company. This number accounts for the actions of both malicious employees and those who were victims of malware or their own negligence. Suffering the most breaches: data-rich industries such as healthcare, finance, and manufacturing.

This shouldn’t be a huge surprise. We’ve learned over the past year that inside threats are the new norm, and that those concerns are too sprawling for an IT department to tackle by itself. Complicated by IoT, legal intricacies, and employee data theft, cybersecurity is now a human-resources problem, too.

Some companies have expanded the executive suite to include a Chief Human Resources Officer (CHRO) to reconcile corporate goals with workplace realities. In the context of security, they’d greatly benefit from a solution that nurtures, and grows from, interdepartmental cooperation. Still, reports The Whir, “almost three-fourths of CEOs, CHROs, CMOs, and CFOs indicated they do not believe the cybersecurity plans include them in a cross-functional approach.” This lack of cybersecurity culture in the workplace is a significant problem.

“The connection between HR professionals and security professionals needs to be the closest it’s ever been in history,” Pete Metzger, vice chairman at executive search firm DHR International, told Workforce Magazine. “The chief human resources officer and the chief information security officer, for example, should communicate with each other about important security issues, like securing mobile devices, hiring trustworthy people, and implementing good kinds of authentication.”


Their HR and IT teams must also prepare them to brief company leadership on everything from security events and heightened areas of risk to government compliance and how proactive security begets healthy enterprise performance. This works in tandem with strategic HR on-boarding practices. “The relevant documents should restrict insiders, to the extent permissible, from claiming compensation and benefits following a breach of their cybersecurity and confidentiality obligations to the company,” writes InsideCounsel. The HR department collaborates with IT to set a clear tone for the company’s expectations, “an effective system of restrictions and rewards.” This may likewise include cyber education about phishing and negligence. (According to a recent report, 57% of CHROs have created cybersecurity training programs.)

Perhaps most critically, an HR team is invaluable in anticipating what Paco Consulting, a tech firm, calls “triggers,” or changes in rank or employment that may motivate an employee to act criminally. This knowledge enables a security team to curb access to sensitive information or intervene before theft. Should human oversight occur, a security-analytics platform would analyze HR information alongside several other network data logs to detect unusual behavior. In this scenario, an effective solution would provide the CHRO with actionable intelligence that illuminates the who-what-where-when forensics. This equips HR to take appropriate legal action and deliver clear learnings to the executive team, contributing to future risk protection.
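The correlation described above can be sketched in a few lines. This is an added example, not code from the article or from any analytics product: it joins HR "trigger" events with access logs and flags users whose read volume after a trigger far exceeds their own earlier baseline. The record layouts, field names, thresholds, and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from any real system).
HR_EVENTS = [  # (user, effective date, trigger)
    ("alice", date(2024, 3, 11), "resignation_notice"),
    ("bob", date(2024, 3, 12), "demotion"),
]
ACCESS_LOG = [  # (day, user, source host, resource, bytes read)
    (date(2024, 3, 4), "alice", "wks-17", "crm/customers", 2_000_000),
    (date(2024, 3, 6), "alice", "wks-17", "crm/customers", 3_000_000),
    (date(2024, 3, 12), "alice", "wks-17", "crm/customers", 90_000_000),
    (date(2024, 3, 13), "alice", "vpn-03", "finance/forecast", 40_000_000),
    (date(2024, 3, 5), "bob", "wks-22", "crm/customers", 5_000_000),
    (date(2024, 3, 13), "bob", "wks-22", "crm/customers", 4_000_000),
    # carol has no HR trigger, so this rule does not evaluate her.
    (date(2024, 3, 13), "carol", "wks-09", "crm/customers", 80_000_000),
]

def flag_post_trigger_spikes(hr_events, access_log, window_days=7, ratio=5.0,
                             floor_bytes=10_000_000):
    """Flag users whose daily average read volume after an HR trigger exceeds
    `ratio` times their own pre-trigger baseline and an absolute floor."""
    per_user = defaultdict(list)
    for row in access_log:
        per_user[row[1]].append(row)
    window = timedelta(days=window_days)
    findings = []
    for user, when, trigger in hr_events:
        before = [r for r in per_user[user] if when - window <= r[0] < when]
        after = [r for r in per_user[user] if when <= r[0] < when + window]
        base = sum(r[4] for r in before) / window_days
        post = sum(r[4] for r in after) / window_days
        # max(base, 1) avoids division by zero for users with no history.
        if post >= floor_bytes and post / max(base, 1) >= ratio:
            findings.append({
                "who": user, "trigger": trigger, "since": when,
                "what": sorted({r[3] for r in after}),
                "where": sorted({r[2] for r in after}),
                "when": sorted({r[0] for r in after}),
                "baseline_bytes_per_day": round(base),
                "post_bytes_per_day": round(post),
            })
    return findings

if __name__ == "__main__":
    for finding in flag_post_trigger_spikes(HR_EVENTS, ACCESS_LOG):
        print(finding)
```

On the constructed data only alice is flagged: bob's volume after his trigger stays below the floor, and the absolute floor keeps small accounts from alerting on ratio alone.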

Organizations must accept that attacks will occur. But they don’t have to be negatively impacted by them. “Every time an enterprise loses an employee, they lose data,” Shannon Donahue, ISACA director of information security practice, says. “Ensuring this is minimized is a critical role for HR that is often overlooked.”