HR and Cybersecurity: Supporting Each Other in Challenging Times

Author: Sonja Jovanovic, HR Associate Director, EY
Date Published: 2 March 2021

Cybersecurity was not on the top of the agenda for many Human Resources professionals in early 2020.

However, the COVID-19 pandemic brought a lot of new challenges and considerations, and it has become clear that cooperation between HR and cybersecurity teams has never been more important.

During the pandemic, the number of cyberattacks against organizations increased in virtually all forms. Many of us started working from home and using less secure networks. Employee access to and processing of sensitive data became more challenging for companies. Employees were downloading and using software and apps that had not been approved by the IT and cybersecurity teams, both for business and personal uses. Moreover, cybercriminals looked forward to remote workers coming back to the office and reconnecting to corporate networks, thereby triggering cyberattacks.

It is important to keep in mind that not all attacks were coming from professional cybercriminals. Many companies had to reduce headcount, and this led to breaches from unhappy and frustrated employees and ex-employees.

In total, 44 percent of the breaches were caused by employees who—intentionally or not—exposed sensitive data to hackers or data thieves, according to research from business writer Dave Zielinski.

With billions of devices connected to the internet and containing sensitive data, cybersecurity has become a hot topic not only for companies, IT and HR, but for every single person. Employees need to learn how to secure not only company sensitive data, but also their own personal sensitive data, such as personally identifiable information (PII), protected health information (PHI), personal information and intellectual property.

Cooperation between HR and cybersecurity
So, how can HR help? By stressing the importance of information security and raising awareness, beginning with the initial recruiting process and continuing throughout an employee’s tenure.

HR is the channel between the IT security team and staff — communicating and clarifying policies, providing resources, and working behind the scenes to identify and anticipate the potential information security issues that arise in every company, especially in a pandemic situation.

In these challenging circumstances, security programs must be kept relevant, engaging and fresh. Involvement of HR is specifically valuable in emphasizing the importance of security best practices during new-hire orientations (mostly done virtually now), as well as demonstrating a deep understanding of it while gathering personal information in onboarding and working with sensitive information such as payroll, benefits, and performance and health data.

As important as it is for employees to have the awareness, tools and processes required for basic security, it is also vital that they feel comfortable reporting suspicious security matters, particularly those sparked by the behavior of co-workers or management, both to HR and cybersecurity teams. Furthermore, in order to protect personal and company data, HR should encourage employees to reach out and have their concerns heard, and at the same time make sure there is no punishment for a false alarm.

From an offboarding perspective, HR should monitor employees who leave the company and ensure they leave without sensitive data, even if this is not due to malicious intent.

Recruitment collaboration
What else can HR do to work with cybersecurity?

From a recruitment perspective, HR should show more understanding for cybersecurity teams’ needs and requirements, which means we need to learn and understand more about the scope of work and prioritize cybersecurity recruitment activities accordingly.

The need is clear, as 62 percent of organizations indicate their cybersecurity teams are understaffed and 32 percent say it’s taking companies six months or longer to fill unfilled positions, according to ISACA’s State of Cybersecurity 2020 research. Meanwhile, Cybersecurity Ventures projects 3.5 million unfilled cybersecurity jobs globally by 2021.

However, the story does not end here: since the COVID-19 crisis started, cybersecurity workers were taken off some or all of their typical security duties to assist with other IT-related tasks, including equipping mobile workforces, according to an April 2020 survey from global nonprofit (ISC)2.

So, what profile are we searching for, and what skills should a cybersecurity professional bring to the organization?

Rob Sobers mentions some of them in What Working in Cybersecurity is Really Like: A Day in the Life (varonis.com): active listening and clear verbal and written communication, attention to detail, curiosity to seek new skills and information, creative problem-solving, adaptability and a team mindset (soft skills); strong analytical skills, computer science fundamentals, skills in at least one programming or scripting language, attack tools/techniques, information management and high-risk decision making (hard skills). And – of course – we are looking for a person who would never switch to “the other side.”

Cultivating tomorrow’s cybersecurity workforce
Looks difficult, right?

The solution might be focusing on training the skilled cybersecurity workforce of tomorrow. Partnerships with universities and high schools, as well as scholarships for talented kids, can result in building a pipeline of engaged and job-ready cybersecurity professionals.

Retention of cybersecurity professionals is another challenge due to limited promotion and development opportunities, unsatisfactory financial incentives, high work stress levels and 24x7x365 assignments. As we know, cybercriminals do not take a break on weekends, nights or even New Year’s Eve, so designing an exceptional employee experience for cybersecurity team members should become our priority number one. 

Special attention should be paid to efforts to attract and retain women on cybersecurity teams and generally to increase representation in the field, as women make up only around 20% of the cybersecurity workforce today.

Diversity on cybersecurity teams is crucial in order to create the highest-performing teams and ensure that different ideas, viewpoints and approaches are reflected. Organizations have been making slight progress in putting diversity programs in place, though only 13 percent of organizations say that progress is significant. Companies indicate that 86 percent of cybersecurity teams still have significantly more men than women or consist of all men.

Furthermore, it will be imperative to have diverse viewpoints to address the newest and toughest challenges in cybersecurity.

And finally, HR departments can really help in creating and sustaining cybersecurity culture within their organizations, addressing cybersecurity threats during the employee professional journey, so both companies and our people will be much safer.