HR’s Critical Role in Creating a Cyber Defense Culture

    By Darren Waldrep and  Kim LaFevor

    What does Cyber Defense have to do with HR?  At its core, Cyber Defense has unequivocally as much to do with our HR role as other key professional responsibilities, such as Recruiting, Staffing, Safety and Health, Compensation & Benefits, Federal & State Employment Regulation Compliance, and Performance Management, because it directly ties to another essential HR function:  Risk Management and Business Continuity.  While many may envision Cybersecurity as a function of, and confined solely within, the IT department, it necessitates a much broader view: cybersecurity is a discipline in its own right, but also an interdependent part of a robust Cyberdefense system.  As risk management is at the center of effective business continuity management plans, what is HR’s critical role in creating and sustaining a Cyber Defense Culture?  Why does this matter?

    HR Linkages between Risk Management and Cyberdefense

    The concept of risk management is not new to any of us.  We confront daily risks in our personal lives (i.e., driving a car, flying on a plane, investments, etc.) just as much as we do in our professional roles as human resource professionals.  While risk management is often regarded as what we do for our organizations to adequately identify, assess and control threats to the organization’s earnings and capital, those threats can take on daunting and different appearances in the form of legal liabilities, accidents and natural disasters, and errors in judgment, both operational and strategic.  Cyberdefense is about managing risks by constructing multiple layers of protection across computers, networks, programs, and data in our connected world.  In any organization, the best cyberdefense system considers its constraints and the weakest linkages in the interplay of people, technology, and processes (What is Cybersecurity?, 2020).

    On an Important Battlefront:  Shaping the Culture of Cyber Defense

    To effectively manage existing risks, HR has a critical role in creating a cyber defense culture on five primary fronts:

    1. Identifying cybersecurity talent to create cyber resilient systems
    2. Strategic deployment of cybersecurity talent based on talent capabilities
    3. Front-end, built-in cyber resilient products, point-of-service practices and policies
    4. Education of the workforce on cyber defense as mission critical, and identifying cyber threats and risks related to their work and how to avoid them
    5. Auditing and testing the cyberdefense system to identify weaknesses and developing countermeasures

    Cyber threats continue to grow in sophistication, so organizations face persistent challenges in recruiting skilled cybersecurity professionals capable of protecting their systems against the risk of malicious actors (Crumpler & Lewis, 2019).  According to CyberSeek, an initiative funded by the National Initiative for Cyber Education (NICE), the United States faces a critical shortfall of over 300,000 cybersecurity professionals (Cybersecurity Supply And Demand Heat Map, 2018).  The current cybersecurity education ecosystem lacks standard metrics or rankings to help employers understand what programs, certifications, and degrees are essential to cyber positions.  Having the key personnel in place at every level to identify, build, and staff defenses and responsibility is a crucial element to having a robust cybersecurity strategy.

    Building in ‘Cyberresilience’ for your Organization

    Creating cyberresilience is of paramount importance for business continuity and risk management planning. Merging cybersecurity, risk management, and business continuity practices can shore up cyber-response capabilities from event detection and recovery to continual process improvement (Dickson & Goodwin, 2019).  As more data breaches and hacks make the news, it becomes even more crucial for an organization to designate time to determine where the organization is vulnerable.

    Jones (2020) offers the following tips and best practices on how to educate employees for cybersecurity:

    1. First, Don’t Blame Your Employees
    2. Invest in Employee Training
    3. Make Cybersecurity Awareness a Priority
    4. Get Buy-In From the C-Suite
    5. Password Security Training and Best Practices
    6. Train Employees to Recognize Phishing and Social Engineering Attacks
    7. Make Cyber Security a Part of Onboarding
    8. Conduct “Live Fire” Practice Attacks

    Cybersecurity training is mission essential for every organization.

    Conducting an Assessment of your Cyber Defense Culture

    Discerning organizational cyber weaknesses through regular and ongoing cybersecurity assessments and audits is essential to building a sound Cyber Defense Culture.  Without them, it is difficult to thwart cyber attacks and protect your company, its people and assets.  While there is an abundant supply of examples, we can consider a couple, such as the risks with network acceptable use policies and teleworker practices.  How will HR handle a system failure caused by an employee who completed network access training and signed the Acceptable Use Policy (AUP), yet failed to apply system-safe work practices?  Who manages and enforces the policy?  What are the consequences, and how do those consequences support the aims of an effective cyber defense system?

    One of the most significant threats to cyber resiliency is the work practices of teleworking employees.  How will HR manage the computer technology and data teleworkers use to perform their duties?  How do they determine which data is accessed outside of the organization’s network?  How will HR know if a teleworker is accessing the company network through a Virtual Private Network (VPN) provided by the organization or through a public hotspot that can place the organization at great risk?  It is about having a plan for risks and for how your organization will respond to a threat or breach, and identifying specific individuals responsible for action (Best Practices for Cybersecurity Compliance Audits – BlackStratus, 2018).

    The Interconnectedness of an Effective Cyber Defense Strategy:  HR Can Lead the Way

    While cyber threats are very real and can be catastrophic to any public or private organization, it remains mission critical to focus on having an effective cyberdefense system, strategy, and culture.  HR has a notable and integrative role in assuring the employment of strategies that address the important interplay of people, technology and related processes, which provides the best assurance in building a cyberdefense culture (Evans & Reeder, 2010).  As HR leaders, we can help to create a climate and employee mindset in which cybersecurity at its core is ultimately everyone’s responsibility.

    Darren Waldrep, MBA
    Program Lead and Instructor of Management of Cybersecurity Operations
    Athens State University
    Darren.Waldrep@athens.edu

    Kim LaFevor, DBA, SHRM-SCP, SPHR, IPMA-SCP, NDC-CDP
    Dean, College of Business
    Athens State University
    Kim.LaFevor@athens.edu
    www.athens.edu