“The HR-Security Center of Excellence will help the HR Department to extend its charter to include content, messaging, and ideation on the topic. The underlying message is that security is a management problem, not a technology problem.” – John Sumser

Building an Internal Security Center of Excellence in the HR Department

Because security issues can impact or disrupt ongoing business operations, they will become more important in the medium and long term. Accelerating technical change and revisions to the social contract conspire to make the HR Department an essential element of the solution. The HR-Security Center of Excellence will help the HR Department to extend its charter to include content, messaging, and ideation on the topic. The underlying message is that security is a management problem, not a technology problem.

The CoE will be equal parts content studio, thought leadership factory, education development and audience building. At its core is the question “How do we help our organization achieve more operational continuity and continuous improvement?” The answers to that question are a series of frameworks, presentations, webinars and so on.

Establishing the parameters of an effective HR approach to security will involve the careful consideration of current practices and the development of a way of seeing the problem, perhaps as a taxonomy or more fleshed out as a modular curriculum. Weaving topics as varied as GDPR, AI, IoT, Engagement, Employee Experience, Workforce Trust, Privacy, and Sentiment Analysis into a cohesive view will take a good deal of work.

Research Agenda

The primary goal of the CoE is to cement the relationship between security requirements and the ongoing organizational work of the HR Department. The CoE should establish a regular cadence of publication, video production, brainstorming sessions and future state visioning on the following 12 themes. In addition, the CoE should establish a security reference library, accessible by all employees.

  1. Security is a People Problem
    The security risks and responsibilities of the individual member of the organization grow rapidly. Aided by ever more intelligent machine advisors, the individual’s power to disrupt the operation is constantly expanding. Expanded power is always accompanied by increased responsibility for security. The day-to-day implementation of privacy policies falls to the individual. Security vigilance and how to encourage it are at the heart of this theme.
  2. Security is an Organizational (Cultural) Problem
    Security is a reflection of the degree to which individual members care about the growth and development of the organization. The company’s culture can be strengthened in ways that make attention to security a core value. This theme investigates the ties between security and culture (engagement, compensation, competitive pressures, personnel changes, performance management, and other processes).
  3. Security is a Technical Problem
    The essence of security is the protection of company data and intellectual property. The first level of loss prevention is technical security. It is a complex and often (usually) dry topic. This theme explores ways to understand, define, and make intelligible the minimum level of technical competency required for an individual employee to be an effective participant in organizational security.
  4. Security is a Legal Problem (PII, GDPR)
    With the implementation of GDPR and state data privacy laws, individual citizens now have security rights in their relationships with all organizations. The change is not subtle. What was once company owned information now belongs to the individual citizen. Fully respecting these new rights involves a significant shift in the way individual employees treat their communications. This theme focuses on the changes in work styles and methods required by law. This theme also explores the systems integration issues companies face as they try to understand and account for all of the Personal Information that resides within the company walls.
  5. Security in a Gig Economy Workforce
    The walls of the organization are permeable. The trend towards the use of contingent workers creates unique opportunities to expand the reach and definition of the company’s culture. While there are significant technical issues in security that extends beyond the legal walls of the operation, the cultural issues are more significant. The question in this theme is “how do you increase the reliability and intensity of gig workers’ allegiance to the company?”
  6. Fundamentals of InfoSec
    The range of concepts, issues, questions, and answers associated with keeping company data and information secure is vast and overwhelming. This theme is where the CoE will develop tutorial material that explains the basics of security.
  7. Data Security in the Office
    Security is not usually a cloak and dagger mystery. It is practiced routinely in behavior that is as common as getting a cup of coffee. Good security habits can be identified, modeled and trained. This theme focuses on the day-to-day practicalities of protecting the company and encouraging its growth and prosperity.
  8. Understanding Personal Identifying Information (PI)
    The degree to which personal information is collected and traded is unclear to most people. New regulations (such as GDPR) expand the definition of PI to include individual tidbits ranging from IP address to the contents of the software stack on an individual’s desktop machine. When a European citizen asks to be forgotten, the rule is to completely forget them. That means that all employees will need to know how to identify PI. This evergreen theme tracks and explains the elements of PI in simple and entertaining ways.
  9. Engagement as a Security Measure
    This theme examines whether there is an identifiable relationship between engagement and security. This theme is distinct from the others in that it will tackle the question of environmental security as a part of the framework. The degree to which security is a matter of concern varies from modest to extreme depending on the organization’s market. Expect to find significant differences based on the intensity of the security environment. The more intense the environment, the more that engagement (or a similar measure of attachment) is colored by security. It should be the case that intense environments can be mined for useful practices.
  10. How to Tell Which Laws Apply
    As intelligent software evolves, the regulatory environment will intensify. Expect to see governance in the areas of data model certification, algorithm explainability, decision validation, decision quality notification, and more. It is unlikely that the IT Department will be able to track and understand all of the ways in which smart machines are permeating the company. This theme provides the tools and resources that HR Departments can offer employees to help them better understand legal requirements.
  11. Using AI to support HR Efforts
    HR itself (as opposed to its organization-wide impact) is ground zero for the implementation of intelligent tools that coach, direct, discover and make personnel decisions. Carefully guiding machine decisions to ensure that their impact on culture, attachment and morale is well understood is the name of the game. This theme works to enable HR professionals to understand the security implications of the incremental decisions they make.
  12. The Ethical Implications of Security, AI and Intelligent Machines
    The HR Department is at the center of ethical concerns about intelligent software. This theme is distinct from the practical use of intelligent tools (11, above). This theme focuses on understanding the quality and consequences of decisions driven by machines. A reputation for unethical or sloppy regurgitation of machine recommendations creates the ground for serious security problems.


The Security Series: HR as Security Leader

1: Overview – Why Focus Your HR Department on Security?
2: Introduction
3: Context – Shifting Technology
4: Context – Increasing Employee Power
5: The Ecosystem of Security Issues
6: The Future of Security Issues
7: The HR Security Center of Excellence
8: Getting Started
