6 Cyber Security Measures Every HR Leader Needs To Consider In 2020

The exact remit of HR will vary from organisation to organisation, but one area that’s increasingly on the HR agenda is cyber security.

Cyber security is as much about people as it is about technology, so HR leaders need to be just as involved in any large scale cyber initiative as their IT counterparts.

Here are 3 key drivers that explain why cyber is becoming a more pressing subject for HR leaders:
  • Cyber security has a major impact on the lives of every employee - not only within their professional environment, but also their personal lives. Most people will at some point be affected by cyber crime, whether personally or via a family member, so developing a culture of awareness is key in protecting all round employee welfare.
  • Awareness IconCyber security is a company wide issue - there is not a function in the business not affected by cyber threats. Simply siloing the subject within IT only addresses a fraction of the challenge.
  • The biggest challenge is in changing human behaviour - As Phil Scully explained on The Cyber Leaders’ Network, “It’s fairly easy to implement a new firewall, but nearly impossible to stop people writing their passwords on post-it notes”. Needless to say that HR needs to play a central role in driving the behavioural changes required within any cyber security initiative.


There is sadly no blueprint for getting this right, but the HR departments that have the greatest success with cyber security seem to share the following behaviours:
  1. Communication IconThey establish effective lines of communication with IT - given the overlap in responsibility, it’s easy to either duplicate effort or leave gaps. HR and IT need to agree clear boundaries of responsibility, while collaborating on those challenges that have both a technical and people dimension, as many in cyber security do.

  2. Communication IconThey provide ongoing training - education is a huge part of cyber security. What appears obvious to one person is a mystery to another, so HR should assume nothing and provide guidance for everything. Above all, people need to know that it’s okay to ask questions.

  3. They build a vigilant culture - in too many offices, relaxed attitudes towards security are accepted. People joke about using the same password for every platform and device, and senior staff fail to lead by example. One of your primary aims as the HR function needs to be to develop a self policing culture where complacency is considered unacceptable. Social norms are
    Communication Iconpowerful forces. Just as most (!) people would think twice before leaving a communal area a mess for fear of upsetting their colleagues, so too must there be a culture of intolerance towards who wilfully expose the company, and everyone within it, to avoidable cyber threats.

  4. They celebrate success - visibility is key. When people do something well, HR needs to publicly celebrate that. And if someone makes a mistake but proactively reports it the appropriate person, HR should think carefully about how to respond, as admonishments may deter others from admitting their future errors.

  5. They consider a “hub and spoke” approach - every department in the company will need its own policies relating to cyber security, and both IT and HR should be playing active roles in the development of those policies. However, you should also encourage the department in question to initiate its own ideas. After all, nobody will Communication Iconunderstand the idiosyncrasies of that department better than the people within it. This “hub and spoke”approach, where there are company wide HR and IT policies standardising certain cyber security practices, alongside more departmentally specific initiatives, will typically result in the greatest overall adoption.

  6. They focus on the weak spots - one of the greatest sources of threat is when employees leave the business. In fact, over half of employees leave the job with some sensitive information (usually through carelessness rather than any malign intent). Ensuring the off-boarding process places a major emphasis on cyberCommunication Icon security is paramount. Likewise, remote workers represent another vulnerability,and as greater emphasis is now being placed on flexible working conditions this issue is only going to grow. The sooner your company establishes robust remote working practices that place cyber security at their core, the better.

Contact us today and see why our cyber security recruitment services are trusted by FTSE 100 companies and UK Government Departments.

If you are a CISO and you want to find out how to best project the needs of your cyber security team in the boardroom, download our specialist whitepaper here.
If you want to read more, discover what problems the retail industry are encountering with cyber security due to digital transformation here, or discover what Zero Trust Architecture means for a business here.