March 27, 2023 By Michelle Greenlee 3 min read

The human resources (HR) department is an integral part of an organization. They work with all departments with a wider reach than even IT. As a highly visible department, HR can support and improve an organization’s security posture through employee training. Their access to employees at the start of employment is an opportunity to lay a foundation for a culture of risk awareness. HR departments do not typically include cybersecurity risk awareness training with new hire onboarding, but it’s something to consider integrating to help improve overall security for the organization.

As the department responsible for maintaining an organization’s employee recruitment, hiring and retention programs, HR is often the first point of contact for future and current employees. This department reaches every employee through training and other employee-centered activities throughout an employee’s tenure; this makes them a valuable resource. At the current moment, cybersecurity training is often developed and distributed by IT and security operations departments alone. Instead, bringing HR departments into the process may help improve an organization’s security posture.

A focus on training and retention

Human resources has long been responsible for administering regulatory compliance training. Increasingly, data privacy and security training programs are included, along with other mandated education instruction. Regulations that govern data acquisition, usage and storage are becoming increasingly complex. Companies that do business internationally have the added burden of complying with both domestic and international regulations.

The penalties for poor data protection, whether or not it leads to a data breach, can result in steep fines and legal action. Employee actions and attitudes toward data protection and security affect the company’s overall security. HR is often involved in enforcing company policies around data mishandling or abuse.

Good cybersecurity starts with employees. Human resources is often a resource for employees to improve job-related skills, which can include specialized training for internal systems. Not all employees have the same experience or knowledge about the technologies they use every day. This can leave an organization open to threats. As a result, HR departments should make an effort to bring employees up to speed on any company system that could pose a risk.

Hiring new employees is a major responsibility for HR, but this department must also focus on retaining existing employees. Retaining security professionals is a continual challenge for the industry as a whole. Human resources may gather data on what drives employee retention and what drives them to leave. They ensure retention policies are well understood by managers and may also be involved in employee engagement programs as part of an overall retention strategy.

Foster partnerships between departments

Developing an effective cybersecurity awareness training program requires a balance between providing enough information to be useful and not overwhelming. Human resources’ expertise with employees through the years is an invaluable resource for creating cybersecurity training programs that are engaging and frequent (but not too frequent). The CIO, on the other hand, is an essential partner in training employees on cybersecurity.

The CIO’s role is to work with the human resources department to ensure their technology needs are met and help guide them to more effective solutions. The CIO is also a partner for employee recruitment, hiring and retention, especially for IT and security professionals.

The CIO can affect organizational change by partnering with human resources and IT to develop an integrated cybersecurity awareness training program for employees of all technical proficiencies. Building upon HR’s close connection with every employee, the CIO can lead the way in building a culture of cybersecurity.

Everyone has a part in cybersecurity

Human resources is valuable as a partner in cyber risk assessment and incident response planning. People operations software includes detailed employment records, which are popular targets for cyber criminals. Protecting these assets is essential to cybersecurity for the entire organization.

Cyber risk assessment and business continuity planning committees should include senior leadership across disciplines and departments to help ensure operations can continue after a cyber incident. Human resources can provide perspective from both operational and individual employee angles.

Cybersecurity is everyone’s job, even if it might not seem like it on the surface. The CIO should work closely with the human resources department to communicate the company’s focus on data protection and security. Communications should go beyond broad statements to instead present engaging content which encourages employees to take ownership of cybersecurity within their own role. Working with human resources, the CIO can provide an invaluable perspective on talent retention, especially for technical roles. At the end of the day, this partnership will keep an organization’s cybersecurity posture strong.

More from Risk Management

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

How I got started: Ransomware negotiator

4 min read - Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today