As the Department of Trade and Industry’s annual security survey showed last year, the threat of internal security breaches has now surpassed the risk of an external IT hack. Prescribing and monitoring employee behaviour around data access is probably the number one challenge facing any company today. But whose job is it?
IT directors who feel an unfair portion of responsibility for managing staff access is shifting their way may feel vindicated by the comments of Linda Klassen-Brown, IT director of the Logic Group. “HR directors do not understand the potential risk [to security] that is presented by new technologies. There is a lack of education in the HR world about IT”.
Klassen-Brown works for an IT company whose business is selling security technology solutions, and the company is currently involved in marketing PCI to Visa card companies. Her work in this sector puts her in the enviable position of being one of the more clued-up HR directors. “When it comes to developing policies and monitoring staff, we [HR] are clearly in charge. But we can’t work in isolation,” she points out.
The problem is that in many companies, HR is not in a sufficiently confident mood to initiate the conversation. Hard though it is to believe, HR is even more insecure than IT. The navel-gazing that IT engaged in after the dot-com bubble burst is now being indulged in by its sister department along the corridor. “What is the role of HR?” asks Ciarán Fenton, CEO of career management specialists ExecEquity. “HR is at a crossroads. The transactional side is increasingly being outsourced, resulting in pressure to manage people and cultural issues more innovatively.”
This leaves HR dealing with all the people-related issues and not engaging fully with IT. “Most people don’t know about the opportunities that access to IT provides. We’re more comfortable as users of the system,” agrees Klassen-Brown.
The result is that HR can be reluctant to shoulder its burden of the security task. Ben Booth, group IS director at market research company MORI, works in a market sector where data security is a priority in order to maintain the integrity of the business. He observes: “HR people tend to be really hot at the latest employee legislation, but they’re not so clued on IS and they do need help.”
And it’s in the interests of the IT department leader to start communicating with HR; otherwise the effort you’ve invested in securing data access goes to pot the minute someone is under suspicion. Failure to inform staff ahead of an incident that they may be subject to monitoring could well be a breach of their privacy. It would be a shame for all your computer monitoring and data protection efforts to go to waste because of a technical hitch in handling staff.
Simon Janes, a former Scotland Yard detective and consultant with security company Ibas, says that the move of security provision within the company perimeter presents fresh challenges for the IT director. “The emphasis is moving towards managing the physical security of staff and data. This calls for a strategy for incident handling to ensure that any investigation does not contravene the Data Protection Act,” he points out.
Yet there’s plenty of common ground to start a conversation between IT and HR. As the relative newcomers to the board, IT and HR are finding themselves thrown together as allies and also have a common mission: to change perceptions of their function as being a mere cost base; and to prove their value to the business. More prosaically, both are customers of each other so that’s one way in which communication can be initiated.
“I routinely meet HR once a month,” says Booth, “plus there’s the monthly meet around the board table too. Other than that, it’s on an as and when basis.” Klassen-Brown believes that because her company is small, there are many opportunities for informal catch-ups between those responsible for IT and those responsible for HR.
While a natural at communication, as you’d expect from an HR professional, Klassen-Brown is also strong on defining the division of responsibility in a security context. That is, IT is in charge of monitoring technology; HR is in charge of informing and educating. Fenton, too, is unequivocal about where the boundaries of responsibility lie. “Data is inanimate. Its management and security is as much about creating a culture of trust as it is about good systems. Overreaction could lead to data stasis rather than protection, resulting in lost revenues. [Ultimate] responsibility lies with the CEO who must balance these issues and create the environment in which IT and HR can do their best work,” he says.
If you feel that HR is not engaging totally with IT and security issues, then remember that they’re almost certainly more comfortable trawling through the latest tome of anti-ageism legislation. When, in the boardroom, a mention of the dangers of memory sticks gets a blank look, it’s your cue to pop your head round her – it usually is a her – open door and share your concerns about the dangers of mobile storage to all of your hard-earned pensions and work-life balance.
The bottom line is that everyone has to do their bit in monitoring, policy-making and education.