The role of HR in Information Security

This turns out to be a more controversial subject than I had thought. My opinion is that the HR department is an essential ally in ensuring that information security policies are correctly presented, documented, communicated and enforced. Conversely, I've encountered HR professionals who think nothing of the sort and, in fact, have little or no idea why it's something they even need to know about.

It's by no means a new subject. A couple of years ago Computer Weekly discussed it here, and the point was made that "HR directors do not understand the potential risk [to security] that is presented by new technologies. There is a lack of education in the HR world about IT". A survey discussed in Personnel Today, the journal for HR professionals, back in 2004 found that despite "91 per cent of respondents saying that IT security was very important, only 28 per cent cited the need to better educate and train their staff on IT security as a top initiative." More recently, that same journal has been strongly advocating that HR is key to preventing data breaches:

"..policies should be published and made accessible to all employees in terms they can understand, and if companies are serious about protecting their data, employees, even directors, should face serious disciplinary action if they are found to be contravening these policies....And as an HR director, if you aren't getting any direction from the board, you should be bashing down the door demanding something be done."

There's an interesting opinion piece here in Computer World (by Jon Espenschied) entitled "Four good reasons for security to talk to HR". I particularly like the point made that "the role of the ISO or IT manager is to document events, not judge them." The final reference for this post is the results of a National Computing Centre survey (.pdf file), which concludes that "organisations are not aligning HR with security governance."

For my own part, I'm taking steps to ensure that I have an HR person contributing to my security committee. That way I get buy-in for new employee-focused policies, plus that all-important non-technical view.

This page contains a single entry from the blog posted on June 14, 2008 11:05 AM.