The Wall Street Journal recently quoted Wells Fargo CEO John Stumpf on the topic of cybersecurity: "it's the only expense where I ask if it's enough" (Dec 21, 2015). It's great that the CEO recognizes the significance of this issue, but don't just lead by spending more; engage the entire business, including human resources. There are at least four ways that human resources can play a key role supporting enterprise security:
- Job design: ensuring the chief information security officer (CISO) role is properly defined. Does your company have a senior role focused on information security? If the role is just a set of responsibilities housed under the CIO, your company may be at increased risk, say Korn Ferry cybersecurity experts Aileen Alexander and Jamie Cummings. The most successful CISO roles align to the unique nature of the organization. Professor Richard Klimoski of George Mason University takes this thinking a step further, sharing critical success factors that foster CISO credibility. HR leaders are well positioned to clarify the differences between CIO and CISO, to drive talent acquisition, and to enable the CISO to succeed. You can find this and other practical advice about the CISO role in the winter issue of People + Strategy.
- Model collaboration toward a common goal. As the senior OD agent for the firm, the CHRO needs to be a voice for collaboration between the CIO, CISO, audit, other functions, and the line. HR can also be a resource to the COO and CEO, helping shape messages that align cybersecurity with company vision and culture aspirations. Since they manage secure employee data, HR should thoroughly address risk within their own business function, and in the process can provide a real sense of security across the enterprise to employees concerned about the horror stories of what has happened at other companies.
- Drive cybersecurity into the DNA of the business. As the driver of performance management, leadership development, and on-boarding, HR can influence cybersecurity by finding ways to increase awareness and personal responsibility whenever employees and leaders come into contact with these processes. Ronald Sanders, former chief HR officer for the US Intelligence Community, correctly refers to this as driving cybersecurity into the DNA of the business. This isn't just happy talk; it requires HR tactics and a team to put these aspirations into place.
- Measure attitude and action. One other tool HR typically owns is the engagement survey. Attitudes toward cybersecurity and related behaviors can and should be assessed. Find out to what extent employees believe cybersecurity is a priority, whether teams actually talk about how to improve it, and how much confidence they have in the cybersecurity processes that impact company, colleagues and customers. While you are at it, HR can partner with the marketing function to align internal and external branding around cybersecurity and to see how internal colleague confidence matches external client confidence in the security of the enterprise.
Cybersecurity requires organization-wide leadership, and that is where HR should be ready and able to be a full partner across the enterprise.
How does your HR department help ensure security of the enterprise?