The Human Resources function has become integral to organizational cyber risk management in recent years due to a convergence of factors: an increasingly active regulatory environment, the pervasive use of technology and devices in employees’ work, and recognition of the importance of a strong organizational cybersecurity culture. HR increasingly is called upon to take a lead role, along with IT/InfoSec, in determining and enforcing employee data permissions, and training and enforcement of the organization’s cybersecurity policies and procedures – as well as helping respond to cyber events that involve employees.
Employees’ data and security practices are critical determinants in an organization’s cybersecurity posture: two in three executives in a Mercer survey say the greatest threat to their organization’s cybersecurity is employees’ failure to comply with data security rules.
Given that HR is in the people business, it should logically be a consistent key stakeholder in managing organizational cyber risk. However, the majority of companies say HR is not a primary owner or driver of cyber risk management; 88% of companies continue to delegate cyber risk first and foremost to IT/InfoSec, followed by C-suite, Risk Management, Legal, and Finance.
That needs to change; HR should play a central role in organizational cyber risk management. HR also needs a strong partnership with IT/InfoSec to effectively manage data and technology risk, particularly in the remote working environment. Their roles should be closely aligned, with both actively involved in managing their organization’s evolving technology and data infrastructure.
In this article, we explore three key areas where the evolving regulatory and cyber risk landscapes are changing the role of HR in cyber risk management:
- Privacy regulation compliance
- Employee data controls and access
- Cybersecurity culture