HR Examiner, 2021-02-18. Why Focus Your HR Department on Security? Part II, by John Sumser. (Stock photo: AdobeStock 202568707.)

 

“There can be an ironic relationship between scrutiny and secrecy; the more scrutiny (which can feel like a lack of trust), the more secrets are kept. In other words, surveillance can become a self-fulfilling prophecy that produces the very behavior it wants to eliminate.” – John Sumser

 

Note: This is the second and final article in a two-part series about making security a part of the HR agenda.

 

The Future of Security Issues

 

The balance between surveillance and independent action will keep shifting for the foreseeable future. Smarter objects that monitor and report on their usage and their users are already proliferating. These devices will continue to shrink, get more powerful, and be embedded in every nook and cranny of our lives.

 

It is inevitable that the mere presence of these various forms of monitoring will be perceived as intrusive oversight. There can be an ironic relationship between scrutiny and secrecy; the more scrutiny (which can feel like a lack of trust), the more secrets are kept. In other words, surveillance can become a self-fulfilling prophecy that produces the very behavior it wants to eliminate. Worse yet, well-intentioned efforts to understand and increase productivity can easily be read as evidence of a lack of trust.

 

The implication is that we are going to need a way of thinking about the impact of adding new technologies to the workforce. Somehow, employers will need to demonstrate the value of increased monitoring to a workforce that is increasingly empowered and motivated to control individual privacy. It will take a disciplined and persistent approach to ensure that smarter workplaces don’t become breeding grounds for serious cultural problems.

 

Technical security threats are escalating at the same rate that the underlying technology is expanding. A severe shortage of security professionals (demand dramatically exceeds supply) means the technical team is overworked and likely to miss things. Next year's security pros will be pressed to keep up with the AI that will be managing core security questions.

 

Finally, our understanding of the definition of Personal Information, and of what exactly is protected under the various regulatory schemes, is constantly shifting. For example, the cross-device tracking required for a company's virtual assistant to operate creates a digital signature that can easily be referenced back to a single individual. The technical stack on an individual's computer (operating system, browser, installed fonts and extensions, locale, screen size) is a fingerprint that can be, and is, used to monitor the behavior of specific individuals, even when no name is attached. Knowing how to tell when we are creating Personal Information is key to long-term organizational risk mitigation.

 

In order to offset the risks that are accumulating for all of the aforementioned reasons, companies are going to look to their people as part of the solution to security risk. Current emphases on engagement, culture and employee experience are all evidence of the shift organizations are making in the way they value and develop their people. There is a virtuous circle connecting increased security, workforce attachment, and the content, ideas and products that make that relationship real.

 

“The HR Security Center of Excellence will help the HR Department to extend its charter to include content, messaging, and ideation on the topic. The underlying message is that security is a management problem, not a technology problem.” – John Sumser

 

The HR Security Center of Excellence

 

Building an Internal Security Center of Excellence in the HR Department

 

Because security issues can impact or disrupt ongoing business operations, they will become more important in the medium and long term. Accelerating technical change and revisions to the social contract conspire to make the HR Department an essential element of the solution. The HR Security Center of Excellence will help the HR Department to extend its charter to include content, messaging, and ideation on the topic. The underlying message is that security is a management problem, not a technology problem.

 

The CoE will be equal parts content studio, thought-leadership factory, education developer and audience builder. At its core is the question “How do we help our organization achieve more operational continuity and continuous improvement?” The answers to that question take the form of frameworks, presentations, webinars and so on.

 

Establishing the parameters of an effective HR approach to security will involve careful consideration of current practices and the development of a way of seeing the problem, perhaps as a taxonomy or, more fully fleshed out, as a modular curriculum. Weaving topics as varied as GDPR, AI, IoT, Engagement, Employee Experience, Workforce Trust, Privacy, and Sentiment Analysis into a cohesive view will take a good deal of work.

 

Research Agenda

 

The primary goal of the CoE is to cement the relationship between security requirements and the ongoing organizational work of the HR Department. The CoE should establish a regular cadence of publication, video production, brainstorming sessions and future-state visioning on the following 12 themes. In addition, the CoE should establish a security reference library, accessible by all employees.

 

  1. Security is a People Problem
    The security risks and responsibilities of the individual member of the organization are growing rapidly. Aided by ever more intelligent machine advisors, the individual's power to disrupt the operation is constantly expanding. Expanded power is always accompanied by increased responsibility for security. The day-to-day implementation of privacy policies falls to the individual. Security vigilance, and how to encourage it, is at the heart of this theme.

  2. Security is an Organizational (Cultural) Problem
    Security is a reflection of the degree to which individual members care about the growth and development of the organization. The company's culture can be strengthened in ways that make attention to security a core value. This theme investigates the ties between security and culture (engagement, compensation, competitive pressures, personnel changes, performance management, and other processes).

  3. Security is a Technical Problem
    The essence of security is the protection of company data and intellectual property. The first level of loss prevention is technical security. It is a complex and often (usually) dry topic. This theme explores ways to understand, define, and make intelligible the minimum level of technical competency required for an individual employee to be an effective participant in organizational security.

  4. Security is a Legal Problem (PII, GDPR)
    With the implementation of GDPR and state data privacy laws, individual citizens now have security rights in their relationships with all organizations. The change is not subtle. What was once company-owned information now belongs to the individual citizen. Fully respecting these new rights involves a significant shift in the way individual employees treat their communications. This theme focuses on the changes in work styles and methods required by law. It also explores the systems integration issues companies face as they try to understand and account for all of the Personal Information that resides within the company walls.

  5. Security in a Gig Economy Workforce
    The walls of the organization are permeable. The trend towards the use of contingent workers creates unique opportunities to expand the reach and definition of the company's culture. While there are significant technical issues in security that extends beyond the legal walls of the operation, the cultural issues are more significant. The question in this theme is “how do you increase the reliability and intensity of gig workers' allegiance to the company?”

  6. Fundamentals of InfoSec
    The range of concepts, issues, questions, and answers associated with keeping company data and information secure is vast and overwhelming. This theme is where the CoE will develop tutorial material that explains the basics of security.

  7. Data Security in the Office
    Security is not usually a cloak-and-dagger mystery. It is practiced routinely in behavior as common as getting a cup of coffee. Good security habits can be identified, modeled and trained. This theme focuses on the day-to-day practicalities of protecting the company and encouraging its growth and prosperity.

  8. Understanding Personal Identifying Information (PI)
    The degree to which personal information is collected and traded is unclear to most people. New regulations (such as GDPR) expand the definition of PI to include individual tidbits ranging from an IP address to the contents of the software stack on an individual's desktop machine. When a European citizen asks to be forgotten, the rule is to completely forget them. That means that all employees will need to know how to identify PI. This evergreen theme tracks and explains the elements of PI in simple and entertaining ways.

  9. Engagement as a Security Measure
    This theme examines whether there is an identifiable relationship between engagement and security. It is distinct from the others in that it will tackle the question of environmental security as a part of the framework. The degree to which security is a matter of concern varies from modest to extreme depending on the organization's market. Expect to find significant differences based on the intensity of the security environment. The more intense the environment, the more that engagement (or a similar measure of attachment) is colored by security. It should be the case that intense environments can be mined for useful practices.

  10. How to Tell Which Laws Apply
    As intelligent software evolves, the regulatory environment will intensify. Expect to see governance in the areas of data model certification, algorithm explainability, decision validation, decision quality notification, and more. It is unlikely that the IT Department will be able to track and understand all of the ways in which smart machines are permeating the company. This theme provides the tools and resources HR Departments can offer employees to better understand legal requirements.

  11. Using AI to Support HR Efforts
    HR itself (as opposed to its organization-wide impact) is ground zero for the implementation of intelligent tools that coach, direct, discover and make personnel decisions. Carefully guiding machine decisions to ensure that their impact on culture, attachment and morale is well understood is the name of the game. This theme works to enable HR professionals to understand the security implications of the incremental decisions they make.

  12. The Ethical Implications of Security, AI and Intelligent Machines
    The HR Department is at the center of ethical concerns about intelligent software. This theme is distinct from the practical use of intelligent tools (theme 11, above). It focuses on understanding the quality and consequences of decisions driven by machines. A reputation for unethical or sloppy regurgitation of machine recommendations creates the ground for serious security problems.

 

“The coming years will feature an enhanced role for HR in the management of critical information assets, education about employee tech utilization, and effective communication of employee level security programs.” – John Sumser

 

Getting Started

 

There are no current case studies that demonstrate the operation of an initiative blending the management of Security and Organizational Health. However, the regulatory and technical climates are shifting in ways that suggest such an effort is imperative. The coming years will feature an enhanced role for HR in the management of critical information assets, education about employee tech utilization, and effective communication of employee-level security programs.

 

This means that establishing an HR-based Security CoE is pioneering work. The design and execution of the project will vary between companies. The focus of security initiatives is highly dependent on industry, location, ecosystem sophistication, and the quality of current employee attachment to the company.

 

Step 1. Data Collection and Categorization
There are three primary sets of data to collect and understand: ongoing measurement and analysis of employee sentiment, current security plans and programs, and an inventory of the data that must be kept secure. Acquiring and understanding the company's information assets is the foundation of an HR-based security effort. This data forms the project library.

 

Step 2. Feasibility Analysis
With a clear grasp of the contents of the project library, the core team must develop an approach to tying workforce commitment to security outcomes. The initial feasibility analysis will include a plan to involve the highest levels of the organization.

 

Step 3. Project Scheduling
The first year of the project will involve establishing a regular cadence of information delivery, results management, and content creation. Depending on funding level, the CoE should deliver quarterly training and monthly reporting on the relationship between ongoing organizational work and security issues.

 

Step 4. Kickoff
Project momentum is always established by the early findings and the fanfare associated with the launch. This is the point at which project sponsors and high-level executives begin to really exercise their input to the project.

 

Step 5. Ongoing Strategy Development
The key to the long-range success of the CoE is an ongoing effort to see the things that are not obvious. Quarterly meetings that integrate executive and working-level perspectives will make it possible to discover the leverage that makes security an integral part of the company's culture.

 

Bottom Line
Establishing an HR Security Center of Excellence is a 21st-century initiative. By demonstrating the relationship between the workforce's aggregate attachment to the company and reductions in security problems, HR can start to fully demonstrate its commitment to the bottom line.

 

The Series

 

  1. Why Focus Your HR Department on Security?
  2. Why Focus Your HR Department on Security? Part II

