Why Focus Your HR Department on Security?

Each week, we’ll publish an article from the original HRExaminer Legacy Archives.

Note: This is the first in a two-part series about making security a part of the HR agenda. The working link to part 2 is at the end of the article.

Shifting definitions, laws, and sensibilities concerning privacy and personal data combine with rapidly evolving technologies to produce a climate ripe for subterfuge, misunderstanding, and missed cues.

The working level employee is in possession of extraordinary tools that make her capable of surveilling the company from the inside while loading critical data onto her smartphone.

The spectrum of security issues ranges from outright intentional damage to the sloppiness that comes from a lack of commitment or concern.

Fortune Magazine reported that:

“20% of employees would sell their passwords, with 44% of them willing to do it for less than $1,000. Some would give up their corporate credentials for less than $100… and workers in the U.S. looked most willing to put their passwords up for sale.”

Sailpoint, the company that did the survey behind Fortune’s reporting, notes that:

65% of employees use a single password to secure their accounts, and 42% of employees could access their corporate accounts after termination.

Employees are both security threats and targets. There is every reason to believe that morale and commitment to the company are key factors in protecting the company’s physical and intellectual property.

The goal is to tie workforce development issues to the company’s security needs; to position security as a pivotal value and as a measure of organizational health.

Shifting legal frameworks regarding the management of personal information coupled with increased power in the hands of individual employees make this a timely discussion.

By starting now, a company can gain real competitive advantage in the face of predictable changes.

The People Problem

Security is, fundamentally, a people problem. One can get all of the technology in place and working properly, and then still encounter massive human security failure.

A single missed tech upgrade can result in sustained brand damage and significant economic fallout (as it did at Equifax).

It is also useful to carefully examine the idea that security problems are indicators of culture failings.

Context: Shifting Technology

Emerging tools, designed to reduce the time spent using the software, involve a view of design that runs counter to the prior generation of technology.

Today’s ROI is measured at the bottom line while providing clear feedback to the company’s machine learning toolset.

The object is to increase the benefit technology delivers while reducing the amount of time required to realize it.

Until recently, the goal was stickiness – great design held you in the interface. More time using the product was the goal.

The premise was that usage and adoption were related to a sustained quantity of user experience.

Context: Increasing Employee Power

Meanwhile, the individual employee grows steadily more powerful. She is increasingly backed by systems that expand their own effectiveness so the employee can expand hers.

Much of the design is delivered without regard to overall governance. The assumption is that the employee will know how to use and maintain the tools ethically, responsibly, and legally.

With echoes of crowd sourcing as a management philosophy, the tools blandly assume that every employee works with the best interests of the company at heart.

The Ecosystem of Security Issues

Security involves a complex set of related factors, including attention to detail in maintenance, proper levels of concern for sensitive information, privacy, password management, hacking, competitive intelligence, identity management, infrastructure, financial issues, and more.

Here is a quick and easy framework for thinking about the components of the Security Ecosystem:

  • Business Continuity – The goal of an organization’s security program(s) is to ensure that the business can continue to operate at an optimal level without unplanned interruptions, intentional or not.
  • Risk Management – Specific security concerns, practices, and policies are a subset of the organization’s approach to understanding, anticipating, and preparing for the various threats to continuous function.
  • Information Security (InfoSec) – At its most basic, InfoSec is procedures or measures used to protect electronic data from unauthorized access or use.
  • Cyber Security – The systems (hardware, software, infrastructure) that contain the company’s treasure trove of data and information are protected through password administration, technical systems upkeep, intentional design, and security access permissions.
  • Information Technology – In order to make the business work well, various elements of the operation are automated and/or managed in the IT infrastructure.
  • Human Context/Culture – The primary users and administrators of strategic information are rarely the members of the IT staff.

Tomorrow, in part two of my series, I’ll look at the future of security issues, building an internal security center of excellence in the HR department, and all the specifics on getting started with your organization.

Conclusion

As the consequences of security problems are increasing, individual employees have increased responsibility for data security and have the power to disrupt the operation.

Culture matters at the intersection of security consequence and increased employee capacity.

No pressure.
