March 27, 2023 By Michelle Greenlee 3 min read

The human resources (HR) department is an integral part of an organization. They work with all departments with a wider reach than even IT. As a highly visible department, HR can support and improve an organization’s security posture through employee training. Their access to employees at the start of employment is an opportunity to lay a foundation for a culture of risk awareness. HR departments do not typically include cybersecurity risk awareness training with new hire onboarding, but it’s something to consider integrating to help improve overall security for the organization.

As the department responsible for maintaining an organization’s employee recruitment, hiring and retention programs, HR is often the first point of contact for future and current employees. This department reaches every employee through training and other employee-centered activities throughout an employee’s tenure; this makes them a valuable resource. At the current moment, cybersecurity training is often developed and distributed by IT and security operations departments alone. Instead, bringing HR departments into the process may help improve an organization’s security posture.

A focus on training and retention

Human resources has long been responsible for administering regulatory compliance training. Increasingly, data privacy and security training programs are included, along with other mandated education instruction. Regulations that govern data acquisition, usage and storage are becoming increasingly complex. Companies that do business internationally have the added burden of complying with both domestic and international regulations.

The penalties for poor data protection, whether or not it leads to a data breach, can result in steep fines and legal action. Employee actions and attitudes toward data protection and security affect the company’s overall security. HR is often involved in enforcing company policies around data mishandling or abuse.

Good cybersecurity starts with employees. Human resources is often a resource for employees to improve job-related skills, which can include specialized training for internal systems. Not all employees have the same experience or knowledge about the technologies they use every day. This can leave an organization open to threats. As a result, HR departments should make an effort to bring employees up to speed on any company system that could pose a risk.

Hiring new employees is a major responsibility for HR, but this department must also focus on retaining existing employees. Retaining security professionals is a continual challenge for the industry as a whole. Human resources may gather data on what drives employee retention and what drives them to leave. They ensure retention policies are well understood by managers and may also be involved in employee engagement programs as part of an overall retention strategy.

Foster partnerships between departments

Developing an effective cybersecurity awareness training program requires a balance between providing enough information to be useful and not overwhelming. Human resources’ expertise with employees through the years is an invaluable resource for creating cybersecurity training programs that are engaging and frequent (but not too frequent). The CIO, on the other hand, is an essential partner in training employees on cybersecurity.

The CIO’s role is to work with the human resources department to ensure their technology needs are met and help guide them to more effective solutions. The CIO is also a partner for employee recruitment, hiring and retention, especially for IT and security professionals.

The CIO can affect organizational change by partnering with human resources and IT to develop an integrated cybersecurity awareness training program for employees of all technical proficiencies. Building upon HR’s close connection with every employee, the CIO can lead the way in building a culture of cybersecurity.

Everyone has a part in cybersecurity

Human resources is valuable as a partner in cyber risk assessment and incident response planning. People operations software includes detailed employment records, which are popular targets for cyber criminals. Protecting these assets is essential to cybersecurity for the entire organization.

Cyber risk assessment and business continuity planning committees should include senior leadership across disciplines and departments to help ensure operations can continue after a cyber incident. Human resources can provide perspective from both operational and individual employee angles.

Cybersecurity is everyone’s job, even if it might not seem like it on the surface. The CIO should work closely with the human resources department to communicate the company’s focus on data protection and security. Communications should go beyond broad statements to instead present engaging content which encourages employees to take ownership of cybersecurity within their own role. Working with human resources, the CIO can provide an invaluable perspective on talent retention, especially for technical roles. At the end of the day, this partnership will keep an organization’s cybersecurity posture strong.

More from Risk Management

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Cybersecurity Awareness Month: Cybersecurity awareness for developers

3 min read - It's the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers…

Spooky action: Phantom domains create hijackable hyperlinks

4 min read - According to a recent paper published at the 2024 Web Conference, so-called "phantom domains" make it possible for malicious actors to hijack hyperlinks and exploit users' trust in familiar websites.The research defines phantom domains as active links to dot-com domains that have never been registered.Here's what enterprises need to know about how phantom domains emerge, the potential risks they represent and what they can do to disrupt phantom attacks. There are two common types of phantom domains: Errors and placeholders.Domain errorsErrors…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today