Cybersecurity is increasingly becoming a whole-of-business issue, according to Michael Gianarakis, director, Trustwave SpiderLabs (APAC).
“Historically, cybersecurity has been primarily handled in the IT space. However, these days HR has an important seat at the table in terms of the holistic business-wide approach to addressing cyber security,” he told HRD.
Gianarakis said that if you look traditionally at where HR has played a role in cybersecurity, it has been more around policy enforcement and compliance.
“That is obviously important, but that is not going to really change behavior,” he added.
“What you really want to do when you are building a security culture is drive a real behavior change.”
This is about reiterating that the messaging must be crafted to the individual, which is no different from any other activity HR undertakes to align people with organisational goals.
“Security is just another organisational goal. So if you tell an employee to do something just so the next quarterly results are great or just so the shareholders are happy then that doesn’t align well with them unless they are a shareholder,” he said.
“You need to hammer home what is relevant to them in their job. And people do not want to be the one that let the attacker through, they don’t want to be the one that causes the breach.”
Gianarakis added that it’s also crucial to build a top-down security culture, and culture is HR’s domain. If the culture isn’t driven from the top down, it is not going to filter down to employees in the right ways.
“If your management is focused on productivity, the next quarter results, etc, that is going to filter down to the employees and the way that they conduct their job,” he said.
“If security is seen as an important priority, as it should be for the C-suite and middle management, it will filter down to the organisation and people will act accordingly. So it is vital to establish that top-down culture when it comes to security.”
Gianarakis added that people are often the weakest link when it comes to breaches and this is the space where HR plays a part.
“And really thinking about how you get through to the individual and reinforce positive behaviors. Often types of exercises can turn into a witch hunt which is not productive,” said Gianarakis.
“It is not about pointing out that you’re the failure or you’re the issue. It’s more about saying these are the behaviors that we are trying to instill,” he said.
“Being able to reinforce and positively reward those behaviours and really embracing that culture holistically top down is how you do it.
“It is easier said than done, but it is one of those things that you have to work at it every day and that’s how you get it right.”