Eight in ten cyber security incidents have a common denominator – people. This gives HR the opportunity for a much greater role in shaping a meaningful, well mapped out cyber security strategy than ever before.
But how can you get the best out of inter-departmental partnerships that produce meaningful results? This is a problem Phil Greenwood, Director of Glacis, spends his days – and probably nights too – thinking about solving.
Here, he shares practical ways to encourage a collaborative approach between HR and IT in the real world
People and technology are often credited as being the biggest benefits and challenges facing UK business today.
On one hand, we have an incredibly rich pool of bright, well-educated individuals with access to revolutionary innovation in the way we work. On the other, we are experiencing a seemingly unstoppable pace of technological change that opens up a world of possibility yet is increasingly problematic for leadership to keep up with.
But there is no doubt great people and great technology need to able to function together – because it can cause significant dangers to business if it goes wrong.
Nowhere is this need more obvious than in dealing with cyber security as, all too often, issues in this arena tend to be recognised as a technology risk, with ownership assigned to one of various role titles such as CISO, Head of Cyber, IT Director.
But ‘ownership’ is a misleading word, and while many may breathe a sigh of relief that somebody else is cradling that particular chalice, the reality is that this isn’t a technology problem in isolation.
In fact, most corporate functions now have a part to play in protecting the services and data that their business relies on.
This position is confirmed by the growing trend for CISOs to take on a much more business-facing role that reports directly to the board, rather than IT.
The evolution here is that the cyber risk ‘owner’ will change from a legacy position of fixer, fire-fighter or enforcer to become more of a shaper, influencer and collaborator.
These risk owners need support, and one area where that is most apparent is the human factor, with human action – deliberate or accidental – a key factor in up to 80% of cyber security incidents.
The tech community often takes a highly simplified view of this such as: “Let’s just give everyone a training package and they’ll do the right things,”; or “We’ll put controls in place to stop people doing stupid things.”
The reality is that reducing the human risk requires a shift in employee behaviour and mindset that often needs a more insightful and nuanced approach.
Shaping behaviours in the business.
So, it is helpful to keep a human-focused view of the problem and look for other situations where behaviours need to be managed, and where the expertise lies in achieving this. I’ll use bullying and harassment as an example, as most organisations will have some form of policy on this.
HR will almost certainly have a role in defining this policy (what’s acceptable or not) and its implementation (how to report/respond to incidents).
Ultimately though, the success or failure of such a policy will come down to leadership, line management and staff themselves taking a stance and flagging when behaviours are not in line with “how we do things around here”, the core definition of culture.
There’s clearly an incentive for individuals to support this as nobody wants to be harassed, but, in this example, HR can help to shape and guide the rest of the business and create an environment where people know what’s right or wrong and feel confident to speak out.
The best companies go further than simply preventing the ‘bad’ outcomes and convert these situations to a core strength.
Think about the business where new joiners are welcomed and supported, mistakes are shared and learnt from, team work is king. These are the organisations that successfully shape the behaviours of their staff, and the associated performance impact is striking.
Try and apply the scenario above to cyber security and consider where the expertise of HR could contribute to changing behaviours and improved security outcomes.
HR & IT Collaboration
If you need to establish a more collaborative relationship between HR & IT, here are a few ideas to get started;
- Demonstrate empathy. Take your CISO for a coffee and really understand their struggles and how you could offer support. Ultimately, you’re both interested in the success of the business and wellbeing of the people.
- Find a common language. Ensure you communicate in language that everyone can understand. Note this doesn’t mean that all the tech folk should dumb everything down for the “business” community. Meet in the middle, it’s helpful for all leadership and staff to improve their digital literacy in the modern environment. It might even help you understand your kids…!
- Remove Stovepipes. Rather than focus on traditional corporate functions and structures, e.g. Recruitment & Retention, Talent Management etc, think about how the challenges overlap. If HR are response for staff engagement, then consider how security and digital fit alongside this. Work together and share successes.