This turns out to be a more controversial subject than I had thought. My opinion is that the HR department is an essential ally for ensuring that information security policies are correctly presented, documented, communicated and enforced. Conversely I’ve encountered HR professionals who think nothing of the sort and in fact, have little or no idea about why it’s something they even need to know about.
It’s by no means a new subject. A couple of years ago Computer Weekly discussed it here and the point was made that “HR directors do not understand the potential risk [to security] that is presented by new technologies. There is a lack of education in the HR world about IT”. A survey discussed in Personnel Today, the journal for HR professionals, back in 2004 stated that despite “91 per cent of respondents saying that IT security was very important, only 28 per cent cited the need to better educate and train their staff on IT security as a top initiative.” More recently, that same journal has been strongly advocating the role of HR in being key to preventing data breaches:
“..policies should be published and made accessible to all employees in terms they can understand, and if companies are serious about protecting their data, employees, even directors, should face serious disciplinary action if they are found to be contravening these policies….And as an HR director, if you aren’t getting any direction from the board, you should be bashing down the door demanding something be done.”
There’s an interesting opinion piece here in Computer World (by Jon Espenschied) entitled “Four good reasons for security to talk to HR”. I particularly like the point made that “the role of the ISO or IT manager is to document events, not judge them. ” The final reference for this blog is the results of a National Computing Centre survey (.pdf file) which concludes that “organisations are not aligning HR with security governance.”
For my own part, I’m takng steps to ensure that I have an HR person contributing to my security committee. That way, I get buy-in to new employee focused policies and that all-important non-technical view.