About 10 years ago a light bulb went off for me that, as an HR professional, I had a crucial impact on the organization’s cybersecurity posture. I was talking with a colleague in information security, and one of the main themes across our discussion was people. This theme encompassed HR-related topics such as the information security team we were trying to hire, develop, motivate and retain; our organizational security culture and employee behaviors; HR policies and practices that intersected with security activities; and my role as a leader and cybersecurity advocate in the organization.
This conversation, and many subsequent ones, were eye-opening for me. I quickly realized that if I was not part of the cybersecurity solution then I would be part of the problem. As a leader, this was a real-world example of how organizational silos could prevent mission-critical collaboration across core business functions. I refused to be part of the problem and wanted to be part of the solution.
HR colleagues have asked, “Doesn’t cybersecurity seem outside of your swim lane?” “Don’t you have enough HR related activities to keep you busy?” and “What will the executives or investors think if you are spending time on cybersecurity and not HR?”
Yes, trust me, there are many days where I have my own HR fires to put out. However, when a cybersecurity event does occur I will know that I’ve done all that I can to protect the organization.
In addition to being a partner and advocate of cybersecurity, HR must also be a protector of sensitive company data, personally identifiable information and protected health information. Over the last decade, HR has been the target of several dedicated cyber-attacks (GoldenEye, Gameover ZeuS) and countless malicious social engineering attempts. We play a crucial role in the data management lifecycle – the creation, storage, use, distribution, archival and disposal of information.
October is National Cybersecurity Awareness Month, which was launched by the National Cyber Security Alliance and the U.S. Department of Homeland Security in October 2004. The theme for 2019 is “Own IT. Secure IT. Protect IT.”– helping to encourage personal accountability and proactive behavior in digital privacy, security best practices, common cyber threats and cybersecurity careers.
The National Institute of Standards and Technology-National Initiative for Cybersecurity Education Working Group has published a guide called “Cybersecurity is Everyone’s Job.” This is a tremendous resource for professionals across all domains, from IT, HR, finance, marketing, leadership and beyond. We all must do our part to “Own IT. Secure IT. Protect IT.”
Over the last two years I’ve had the honor of serving as NIST National Initiative for Cybersecurity Education Working Group Co-Chair for Industry. This group of individuals from government, academia and industry is constantly striving to create ways to not just make people aware of cybersecurity but to get everyone involved. Kick off the NCSAM by reviewing the “Cybersecurity is Everyone’s Job.” For additional information please see the links below.