No Image Available

Is your organisation secure?

pp_default1

SecureHR has an important role to play in securing information assets and hiring top notch security staff, says John Colley.


With our increasing dependence on electronic information in every corner of business and society, the need to hire first-rate information security staff to protect our information assets has never been greater.

And there’s a lot at stake. When confidential information falls into the hands of outsiders, it can lead to lost business, lawsuits, reputation damage and even bankruptcy. Protecting confidential information is common sense these days and, in most cases, it’s also a legal requirement.

We recently conducted a survey among 4,000 of our information security professional members, which produced surprising results. More than half said they don’t involve HR in the hiring process, and 90% said HR is not responsible for the hiring decision of security personnel.

There’s clearly room for HR to demonstrate its value in the hiring and career management of information security professionals, as well as other information security initiatives, such as embedding security procedures into hiring practices and ongoing internal security awareness and training programmes. HR can play a vital role in the protection of corporate information assets and mitigation of information security risks.

Hiring and keeping the best information security staff

The recruitment of information security professionals needs to be carefully considered given the fast changing nature of the profession and the role they play in mitigating business risk.

Driven by internal and external security threats, information security is changing more quickly than any other profession today, even though it’s still relatively new. This makes having a detailed understanding of the types of job functions that exist, ideal traits and typical career paths essential.

“There’s clearly room for HR to demonstrate its value in the hiring and career management of information security professionals.”

While job specifications are generally defined by the line managers, HR can help focus on issues such as the work environment, team dynamics and the personal characteristics that would be a good fit for the information security team and the corporate culture of the company.

Hiring quickly is also important in this sector. Many qualified candidates are lost because the hiring process went on too long. It is clear that hiring practices need to be adapted to deal effectively with the fast-paced and dynamic information security profession.

With demand for information security professionals continuing to outstrip supply, providing an effective professional development environment is a growing and important challenge for hiring managers. Companies will need to take a more strategic and supportive approach to retention to keep the new breed of evolving talent.

Securing recruitment practices

If it hasn’t already been done, it’s worth carrying out a review of existing recruitment practices. This should include a review of job descriptions. Every job description should include a security component to encourage the idea that all employees are responsible for security.

The information security team can also help HR professionals decide what level of clearance every employee should have. This will aid in assessing how thorough a background check should be and how many years back to go to gather data on the candidate.

Terms of employment

When the terms and conditions of employment fail to incorporate security requirements for the use of information systems, the organisation could possibly suffer damage with minimal legal redress against the individual(s) concerned. Terms and conditions of employment should:

  • Incorporate the need to comply with current statutory regulations

  • Reflect the security responsibilities of employees outside the workplace

  • Refer to the possibility of disciplinary action, should security policies and standards be breached

  • Confirm that it is the organisation’s responsibility to provide appropriate training and education in the subject of information security.

Whenever an employee is terminated or a contractual relationship ends, the security and HR departments should make certain that the termination process includes removal of access to all information resources. This includes the return of information and physical assets in their possession.

In addition, a formal process for return of the organisation’s hardware, software and data media, as well as the return or destruction of organisational data, should be established. Access rights to information and information processing facilities should be removed immediately.

Part of this process should be to remind and reinforce the need to continue to respect the confidentiality agreement that was signed when employment started.

Spreading the word

HR professionals can also play a pivotal role in driving security messages, policies and procedures and really contribute to corporate security in all employee management practices.

This is important because, conscious or not, employees are faced with decisions every hour that can impact the security of an organisation’s or its customers’ data. The most expensive security system in the world can be breached by an employee simply divulging their password over the phone to a company impostor or taking a laptop home containing unencrypted data and then leaving it on the train.

“HR professionals can play a pivotal role in driving security messages, policies and procedures and really contribute to corporate security.”

In fact, according to the Information Security Awareness Forum, one of the biggest problems facing organisations and individuals is a lack of information security awareness with people either not knowing about, ignoring or circumventing security processes and technical countermeasures.

Lack of awareness has been the main cause of some of the most impactful security incidents in the UK in the last year. A number of high profile examples of major security incidents where lack of awareness has been the main cause of the security breach prove the point – HMRC’s loss of disks containing personal data of about 25 million people receiving child benefits; the MOD leaving a laptop in a car with hundreds of thousands of confidential records on it; and lost data on thousands of UK prisoners are just a few recent examples. Awareness campaigns are absolutely critical to educating employees about responsible behaviour.

HR professionals can launch and support internal awareness campaigns to spread the word about information security throughout the organisation. The information security team can provide the materials needed to ensure that new employees are fully aware of information security policies. Ultimately it should be a core element of employee responsibility.

All employees and, when relevant, contractors and third-party users, should receive appropriate awareness training in company security policies and procedures that are relevant to their job functions. This should include:

  • A formal induction process that includes information privacy and security training, prior to being granted access to information or information systems

  • Ongoing training in security control requirements and generally accepted security procedures, suitable to the person’s roles and responsibilities

  • Virtual sources of information on security policies such as email, screen savers or a local intranet, as well as global, tangible materials such as posters.

Managers should be given extra training as well as extra responsibility for security. This helps them become advocates of security programs instead of merely end-users. They serve as examples for the rest of the company; if they do not take security practices seriously, no one will. Managers should be required to maintain policies and provide recurring training within their respective departments. This not only spreads out the workload, but it also creates a pool of devoted managers to ensure the long-term viability of an information security programme. Regular employee surveys can determine the training’s effectiveness.

HR professionals can play a valuable role in securing an organisation’s critical information assets. By working closely with the security department, it’s possible to ensure that recruitment and management of employee awareness are no longer a weak link in security strategy.


John Colley is managing director EMEA for (ISC)2. A free guide to hiring information security professionals can be downloaded from: www.isc2.org/HRCenter.

No Image Available
Newsletter

Get the latest from HRZone.

Subscribe to expert insights on how to create a better workplace for both your business and its people.

 
 
 
 

Thank you.