How HR Can Become a Cybersecurity Ninja
Corporate culture should be a critical factor in a successful cybersecurity program. Culture is universally recognized as a key component of business outcomes in general. Peter Drucker famously said that “culture eats strategy for breakfast.” The National Association for Corporate Directors regards culture as a corporate asset. In today’s world of instant communications, culture can immediately influence business outcomes, either positively or negatively.
However, while culture is generally regarded as an essential enabler in achieving business results, it is less visible in achieving cybersecurity goals. The recent ISACA-CMMI Institute cybersecurity culture research demonstrates this, illustrating both worthy aspirations and efficient programs, with room for improvement in effectiveness.
For example, the research shows that 96 percent of organizations plan employee cybersecurity training within the next year, but only 7 percent say such training has been extremely successful in building a broad-based cybersecurity culture. This indicates that our training programs have effectiveness gaps. However, virtually all firms are finding business benefits from improved cybersecurity culture (only 2 percent find no such benefits). At the same time, most businesses are finding a culture gap between where they are and want to be; only 5 percent do not have such a gap.
Should HR leaders help close these gaps and enable their organizations to benefit from improved cybersecurity culture? If so, how? Cybersecurity today has left the tech silo and is moving into the business front lines, where HR must play a key role in the people side of implementation. Challenges and opportunities can be found in the data. One thing I noticed is that 55 percent of respondents think that the chief information security officer is responsible for cybersecurity culture, while only 6 percent assign this to HR. Cybersecurity cultural initiatives should be a team effort involving HR and the CISO. In security consulting engagements I have led, I have always been optimistic when HR leadership is involved. In contrast, the absence of HR means that the project will focus on security technology and will miss positively impacting security culture and program effectiveness.
If culture is a critical part of an effective cybersecurity program, what can HR professionals do?
For one thing, HR should be a key stakeholder in corporate cybersecurity policy. Policy, in turn, reflects the corporate culture. HR is already involved with most corporate policies. Security policies that are out of date, not comprehensive, or simply gathering dust reflect a weak security culture. I can see this at the beginning of any consulting engagement. Policy should reflect the existing behaviors and then seek to improve those incrementally. A policy is a guide for individual behaviors, and HR must be an active participant in any policy change. Any policy written without considering individual behaviors will not be effective.
As I mentioned, cybersecurity today has moved out of the tech silo and is moving into the business front lines. The recent National Institute of Standards and Technology guidebook, Cybersecurity is Everyone’s Job, provides detailed guidance on workforce development. Awareness training must be replaced with cybersecurity education, and HR should be the enabler for this. HR should also lead by implementing a cybersecurity culture within its own department. The best cybersecurity program begins at home. The HR function is where the organization’s most sensitive data are stored, processed and transmitted. HR should be an active business partner with the CISO in protecting this information. As such, some HR professionals may choose to obtain cybersecurity expertise themselves. ISACA’s Cybersecurity Nexus platform is one of the best places to start to establish cybersecurity qualifications.
Achieving a strong cybersecurity culture across the organization requires action on many fronts: people, process, technology and outside partners. Many groups, including HR, need to be engaged. Culture is people and process. Technology and outside partners are supporting players. Details matter. It’s great that, according to the research data, 75 percent of organizations are getting management more involved. However, it is important that the C-level executive regularly communicate the importance of security to management and to employees. An annual communication to all employees will not work. HR knows how to implement effective internal communications.
Continuous, incremental improvement of cybersecurity is vital. There are no cybersecurity magic bullets or 30-day sprints. In fact, the essence of the word “culture” is “to grow.” Incremental improvement applies both to overall culture and to specific elements, like risk management. An effective risk management program is another building block for a good cybersecurity culture. Unfortunately, we humans are not good at logical risk management.