Building a Culture of Security: The HR Connection
Your organization's security plans are only as good as those that are willing to enforce it.
In so many organizations, IT and HR get along so poorly. I get it, though. HR people are the equivalent of those who were the good-looking and popular people in high school, while IT were the nerds they all made fun of. Yet, they share something in common: they're both considered "overhead" in most organizations, so maybe there should be a bit more of an alliance between them. Frankly, HR has the power to solve a number of IT problems, if you take the time to loop them in.
My past two columns have focused on the need to build a culture of security, or a culture of protection, within organizations. You need security to be present at every level, including your users' brains, in order for it to work and still allow you to get your job done. But IT can't do much about users' brains. In fact, your usual approach to uneducated users is to dumb things down for them, implementing systems that reduce users' need to think. And then you get annoyed when your users get dumber.
When it comes to security, you have no security unless your users have a responsibility to play along. Only HR can bring that responsibility to the table and make it stick. And it doesn't have to be complicated -- although politically it might take some time to maneuver through the system, because HR also has a lot of legal obligations to worry about. At the foundation, your employee manual or employee job descriptions just need to contain a phrase similar to this one:
All employees must be able to operate and access company technology assets in a safe and secure manner, and in compliance with other company guidelines and rules.
This simply makes security part of everyone's job. Now, I've been in organizations where incoming virus and spam e-mails were a huge problem simply because of that one person. That person who must forward chain e-mails for fear of dying otherwise. It's the one who must open e-mail attachments promising to detail their lottery winnings. Well, with HR on your side, that person can be disciplined for not following company procedures for safely accessing company technology assets. They can be formally put on notice that they've screwed up, and that screw-up can be documented.
Trust me, I know this isn't a panacea, but it's the first step in the direction of a solution. Without this first step, you'll never get anywhere. With this step, you've got the makings of a secure culture.
Of course, the big vague bit in my sample statement is "in a safe and secure manner," along with "in compliance with other company guidelines and rules." That means you've got to have other guidelines and rules -- such as "no opening e-mail attachments" (although you should wonder why you still allow them in the first place) and "no divulging passwords over e-mail or phone, to anyone, ever, for any reason."
You also need some training about basic secure computing, and that's another thing HR can provide. Numerous companies have ready-made training videos and other materials -- this isn't something IT needs to tackle. HR's job is to help prepare employees to do their jobs correctly and to provide a legal protection for the company -- secure computing falls squarely in that realm.
Yes, this will take some executive buy-in to get going, and it might take some agitating, and it will definitely take some time. But if you don't start the process, it'll never happen; if you do start the process, in most organizations it will eventually happen. I've seen it, even in the most recalcitrant situations. Even a tiny, tiny business can pay a few bucks for "safe computing" training to help employees understand how attackers use social engineering to get an "in," and to help those employees not become that "in."
Securing IT must involve more than just IT, if you're going to really do it right.
Don Jones is a 12-year industry veteran, author of more than 45 technology books and an in-demand speaker at industry events worldwide. His broad technological background, combined with his years of managerial-level business experience, make him a sought-after consultant by companies that want to better align their technology resources to their business direction. Jones is a contributor to TechNet Magazine and Redmond, and writes a blog at ConcentratedTech.com.