CISOs, human resources cooperation vital to security
10 Jan 2009 | SearchSecurity.com
Fifteen years ago, when human resources executive Anita Orozco needed to hire or fire an employee, involving IT probably wasn't on her to-do list. But the Internet boom and employees accessing corporate systems from virtually anywhere changed that.
"Now it's definitely more important, whether getting a new employee set up with access to systems and software, or getting someone turned off," says Orozco, director of HR at Sonneborn, a manufacturer of refined hydrocarbons. "The turning off has become especially important. Generally, we'll give as much notice as possible to the IT staff so they can do what they need to do to protect the company."
Like others in her field, Orozco finds it increasingly important to work regularly with technology managers to ensure corporate data is secure. In the information age, human resources professionals are teaming up with their counterparts in IT security to investigate potential Web or email policy violations by employees, develop security policies and procedures, and plan for disaster recovery.
Bringing human resources and security together isn't always easy, though. The two have sharply different perspectives and there can be some tension, says Khalid Kark, principal analyst at Forrester Research.
HR has its own set of policies and might view security as imposing IT policies that HR can't really implement; HR also has access to sensitive data, which security might want to limit, he says. It works best if a cooperative tone is set from the top, Kark says.
"Typically what happens in those organizations is the head of HR and the head of security have decided that they will work together," he says.
Winn Schwartau, founder of SCIPP International, a nonprofit provider of end user security awareness training, says the relationship between HR and security is "mission critical" but often can be overlooked. He encourages organizations to have the two departments work together in three areas: hiring of employees with access to proprietary information or control over large parts of the network; developing policy for employees who violate security rules; and making sure terminated workers cannot access corporate resources.
"We need to get HR as part of the process because security is about people," he says. "It's about their behavior, their intentions, proclivities, and tendencies."