March 27, 2023 By Michelle Greenlee 3 min read

The human resources (HR) department is an integral part of an organization. They work with all departments with a wider reach than even IT. As a highly visible department, HR can support and improve an organization’s security posture through employee training. Their access to employees at the start of employment is an opportunity to lay a foundation for a culture of risk awareness. HR departments do not typically include cybersecurity risk awareness training with new hire onboarding, but it’s something to consider integrating to help improve overall security for the organization.

As the department responsible for maintaining an organization’s employee recruitment, hiring and retention programs, HR is often the first point of contact for future and current employees. This department reaches every employee through training and other employee-centered activities throughout an employee’s tenure; this makes them a valuable resource. At the current moment, cybersecurity training is often developed and distributed by IT and security operations departments alone. Instead, bringing HR departments into the process may help improve an organization’s security posture.

A focus on training and retention

Human resources has long been responsible for administering regulatory compliance training. Increasingly, data privacy and security training programs are included, along with other mandated education instruction. Regulations that govern data acquisition, usage and storage are becoming increasingly complex. Companies that do business internationally have the added burden of complying with both domestic and international regulations.

The penalties for poor data protection, whether or not it leads to a data breach, can result in steep fines and legal action. Employee actions and attitudes toward data protection and security affect the company’s overall security. HR is often involved in enforcing company policies around data mishandling or abuse.

Good cybersecurity starts with employees. Human resources is often a resource for employees to improve job-related skills, which can include specialized training for internal systems. Not all employees have the same experience or knowledge about the technologies they use every day. This can leave an organization open to threats. As a result, HR departments should make an effort to bring employees up to speed on any company system that could pose a risk.

Hiring new employees is a major responsibility for HR, but this department must also focus on retaining existing employees. Retaining security professionals is a continual challenge for the industry as a whole. Human resources may gather data on what drives employee retention and what drives them to leave. They ensure retention policies are well understood by managers and may also be involved in employee engagement programs as part of an overall retention strategy.

Foster partnerships between departments

Developing an effective cybersecurity awareness training program requires a balance between providing enough information to be useful and not overwhelming. Human resources’ expertise with employees through the years is an invaluable resource for creating cybersecurity training programs that are engaging and frequent (but not too frequent). The CIO, on the other hand, is an essential partner in training employees on cybersecurity.

The CIO’s role is to work with the human resources department to ensure their technology needs are met and help guide them to more effective solutions. The CIO is also a partner for employee recruitment, hiring and retention, especially for IT and security professionals.

The CIO can affect organizational change by partnering with human resources and IT to develop an integrated cybersecurity awareness training program for employees of all technical proficiencies. Building upon HR’s close connection with every employee, the CIO can lead the way in building a culture of cybersecurity.

Everyone has a part in cybersecurity

Human resources is valuable as a partner in cyber risk assessment and incident response planning. People operations software includes detailed employment records, which are popular targets for cyber criminals. Protecting these assets is essential to cybersecurity for the entire organization.

Cyber risk assessment and business continuity planning committees should include senior leadership across disciplines and departments to help ensure operations can continue after a cyber incident. Human resources can provide perspective from both operational and individual employee angles.

Cybersecurity is everyone’s job, even if it might not seem like it on the surface. The CIO should work closely with the human resources department to communicate the company’s focus on data protection and security. Communications should go beyond broad statements to instead present engaging content which encourages employees to take ownership of cybersecurity within their own role. Working with human resources, the CIO can provide an invaluable perspective on talent retention, especially for technical roles. At the end of the day, this partnership will keep an organization’s cybersecurity posture strong.

More from Risk Management

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today