HR And Cybersecurity: More Yin Or Less Yang?


You know what other people in the organization think of you: reactive, never available, poor 'people skills,' a cost center and not a revenue producer, not strategic, needs a lot of training, easily out-sourced.

Yes you, IT, that's what people think of you.

Oh wait -- you thought this post was about Human Resources!

We at Pythia propose that cybersecurity and HR are inseparable. Check our posts about social engineering, ransomware problems, the Enigma machine, etc.: bottom line, you cannot have cybersecurity without HR.

We also propose that there are cybersecurity problems because organizations have HR functions that are not aligned with cybersecurity functions.

And there you have it: HR and IT are the yin and yang of organizations.

What does all that mean for HR and for IT?

A fundamental rule of being a business partner in any organization is this: you (or the function you lead) must be able to show metrics regarding how you increased revenue or profit, or minimized revenue loss, or advanced the mission. It really is that simple. 

With that in mind, what should HR do?

First, HR should mandate that cybersecurity training and risk management are part of all performance plans, for everyone. That requires that HR leaders have learned about cybersecurity risk management at least enough to discuss how those performance plans will be shaped and scaled. And as all IT people know (and as we have discussed at length elsewhere), cyber threats keep evolving.

Having cybersecurity in a performance plan means that poor cybersecurity behavior is now cause for remediation. Good cybersecurity behavior creates opportunities for people to contribute more to the mission.

Second, HR needs to develop and discuss metrics about revenue/profit created, or loss minimization, or mission accomplishment. (Example here.) That's true in general, and even more so in terms of cybersecurity.

Third, HR needs to work with liaisons in IT to develop a workforce development plan so that your cyber-defenders have current skillsets.

What should IT do?

First, IT already has plenty of metrics, but it should tie them more obviously to cybersecurity.

Second, IT should be able to create risk assessments for new or evolving functions such as incorporating artificial intelligence into work functions and revisiting acquisitions and contracting.

Third, IT needs to liaise with HR to create those performance management plans.

Here's what will happen if you ignore this: too much yin, not enough yang, ongoing ransomware problems, stagnation in technology adaptation and leveraging, and mediocrity.

Ask us how you can align IT and HR to create yin and yang, which in turn is value through cybersecurity.