Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

CISOs, human resources cooperation vital to security

CISOs work closely with human resources to investigate potential Web or email policy violations by employees, develop security policies and procedures, and plan for disaster recovery.

Fifteen years ago, when human resources executive Anita Orozco needed to hire or fire an employee, involving IT...

probably wasn't on her to-do list. But the Internet boom and employees accessing corporate systems from virtually anywhere changed that.

"Now it's definitely more important, whether getting a new employee set up with access to systems and software, or getting someone turned off," says Orozo, director of HR at Sonneborn, a manufacturer of refined hydrocarbons. "The turning off has become especially important. Generally, we'll give as much notice as possible to the IT staff so they can do what they need to do to protect the company."

Like others in her field,Orozco finds it increasingly important to work regularly with technology managers to ensure corporate data is secure. In the information age, human resources professionals are teaming up with their counterparts in IT security to investigate potential Web or email policy violations by employees, develop security policies and procedures, and plan for disaster recovery.

Bringing human resources and security together isn't always easy, though. The two have sharply different perspectives and there can be some tension, says Khalid Kark, principal analyst at Forrester Research.

HR has its own set of policies and might view security as imposing IT policies that HR can't really implement; HR also has access to sensitive data, which security might want to limit, he says. It works best if a cooperative tone is set from the top, Kark says.

"Typically what happens in those organizations is the head of HR and the head of security have decided that they will work together," he says.

Winn Schwartau, founder of SCIPP International, a nonprofit provider of end user security awareness training, says the relationship between HR and security is "mission critical" but often can be overlooked. He encourages organizations to have the two departments work together in three areas: hiring of employees with access to proprietary information or control over large parts of the network; developing policy for employees who violate security rules; and making sure terminated workers cannot access corporate resources.

"We need to get HR as part of the process because security is about people," he says. "It's about their behavior, their intentions, proclivities, and tendencies."


At Sonneborn, Orozco works across the hall from the IT director in the company's Petrolia, Pa. office, which makes communication easy when security issues come up (see "Lost in Translation," below). The company, which outsources its IT functions, counts about 160 employees in Pennsylvania and about 300 worldwide.

Lost in Translation

Don't use jargon when communicating with human resources.

In working with human resources professionals, security professionals should make sure they're "talking in a language the HR person can understand," says Melody Silberstein, senior vice president of human resources at insurance brokerage Woodruff-Sawyer & Co.

"Sometimes my IT person and I are talking two different languages," she says. "If I don't understand what he's saying, I don't understand my risk."

Using laymen's language is critical in communicating the risks associated with newer tools that employees use, such as instant messaging, and also in supporting proposed equipment purchases, she says.

Since she's been immersed in security, Silberstein has become aware of the security issues around outsourcing. IT security professionals can help HR teams understand the risks involved when they outsource and questions they need to ask third-party vendors, she says.

Lee Kushner, founder and CEO of information security recruiting firm LJ Kushner and Associates, says security professionals can help HR pros who are focused on recruiting to help them understand what type of person to hire. "A big complaint of security professionals is, 'HR doesn't understand what I'm looking for'," he says. "But if the security professional would actually sit down with the recruiter and give the recruiter a bit of an education on how to find or what to look for, you would definitely have more successful recruiting."

Khalid Kark, principal analyst at Forrester Research, says security and HR professionals need open minds when they begin working together.

"Usually they have preconceived ideas around this is what HR or security is going to do," he says. "Go in with the perspective that the other is there to help the organization. Don't go in with the notion that HR doesn't know or care about anything about security."


In addition to making sure new employees get the system access they need and former employees' access rights are terminated as soon as they leave the company, Orozco works with IT on security policy development.

When she first joined the company, the IT director expressed concern about the company's policies on system use. "His argument was we need stronger controls, and management's reply was that we can trust our employees," she says. "So bridging that gap between the two and coming up with policies that would satisfy both has been important."

Today, Sonneborn has tight controls on Internet use, and employees can't download programs onto its systems. It also uses thin clients, and Orozco says the company has been free of computer viruses for years. In working with technology personnel, she's learned that they're very structured and process oriented. "As long as I have a process and good checklist, it generally goes pretty well."

In the end, human resources and IT are similar in that both are service oriented departments, she says. "They're providing a service and I'm providing a service."

Lee Kushner, founder and CEO of information security recruiting firm LJ Kushner and Associates, also sees the similarity. "HR is shared service, just like security. Security and HR have a lot in common because they affect everybody" in the enterprise, he says.


Melody Silberstein, senior vice president of human resources at Woodruff-Sawyer & Co., began working more closely on security issues with her IT director and IT manager about 14 months ago. The reason was twofold: the San Francisco-based insurance brokerage firm, which has 300 employees in six locations, was kicking off its first in-depth disaster recovery plan and also embarking on a review of its security procedures.

Silberstein leads the disaster recovery planning, which she says has involved understanding how quickly the firm could get its systems back up and running after an incident, revamping some systems for better backup, and building awareness.

"So much of disaster recovery is getting people to stop for a few minutes and think about what they'd need if they had to walk out of the building and not come back," she says.

Reviewing the company's security procedures included looking at encryption policies for stored and transmitted data, and the physical security of its servers. As an insurance brokerage handling sensitive client data, security is critical, Silberstein says.

To tackle data protection projects, she and the IT executives get together as a team and bring in others from the company whom they feel could provide input.

"We'll define what our issues are, where we think we have gaps or risks, and what we need to close," Silberstein says. "If it's urgent or we're trying to close a gap quickly, we may meet weekly, but more frequently we set up meetings every other week and discuss what we figured out or how we closed a gap."

While the IT executives bring the systems expertise to these discussions, she and others can point to behavioral issues or what the risk will be from a people standpoint, she says.

The company fosters a collaborative culture in which everyone is working to achieve the best outcome, she says: "We try hard not to build silos."


For Robert Miller, director of human resources at the Greater Los Angeles County Vector Control District, contact with information security pros is based on circumstance. The agency, which has about 100 fulltime employees, contracts with an information security expert. It's the largest of five mosquito and vector control districts in Los Angeles County, serving six million residents.

Crisis Coordination

Human resources and security teams work together to prepare the enterprise for the worst.

Disaster recovery planning is a major area where human resources professionals team up with IT security pros.

The HR department is often the "conductor" of the crisis management plan while IT security teams help HR in ensuring systems remain operative, information is safeguarded, and employees can be located, says Paula Harvey, president of K&P Consulting, a human resources services firm based in Charlotte, N.C. "Information technology and HR must work hand in glove," she says.

In crisis planning, HR works with information security teams, which tend to fall under IT in the enterprise, and physical security teams, Harvey says. HR and IT usually work well together, she adds.

"Both departments have spent time proving to companies how useful they can be and how they can save the company money instead of being a cost center," Harvey says. "They're kindred spirits."


For example, Miller worked with the contractor during a re-organization at the agency. The fiscal officer was slated for replacement, so Miller made a proactive move: "I had his computer backed up before we gave him the news because I didn't want any sabotage to our finance systems."

In litigation issues such as allegations of discrimination or harassment, Miller works with legal counsel and other agency officials to see where electronic evidence might support their position. They might decide, for instance, to pull an employee's emails for a particular time period. If the worker has a company-issued cell phone, they might also pull text messages. He taps the security pro for help in such cases.

In general, employees often don't understand that when they use company equipment to email or surf the Web, all that electronic information can be used as evidence, Miller says. He drafted and received approval from the district's board of trustees for a policy that specifically outlines the organization's rules for proper email and Internet use.

"You have to have a policy in place that explains to people what their limitations on use are," he says. "They have to be fully aware it's discoverable and the boundaries they must stay within. That's for their protection and the employer's protection. The employer has to feel comfortable that people are doing what they're supposed to do when they're online, so security plays a large part there.

"Every human resources person who is involved in the strategic management of their environment needs whatever tools are available to assist the organization in moving forward,"Miller says. "Information security is one of those tools."

At CIGNA, the information protection team works hard to make employees aware of company policies for Internet and email use, says Karen King, employee relations consultant at the Philadelphiabased health services and benefits company.

"When we first opened up the Internet and email to all employees, which we did over time, we saw a spike in the usage of it," she says. "HR, employee relations and information protection worked more closely together to figure out how to handle that and what types of disciplinary actions would be required."

The awareness campaign has paid off and employees are mindful of their Internet use and the need to ensure privacy of sensitive customer data, King says. In the event of a violation, the information protection team sends an email to the employee's manager, who engages employee relations or HR to confer on disciplinary action.


Money Management International, a Houstonbased nonprofit credit counseling agency, has a committee that meets quarterly—sometimes more often—to discuss information security issues.

Nearly every part of the business is involved in the committee, from the C-level to operations, which includes HR. Topics range from possible security breaches and awareness training to document retention and disposal.

Everyone in the organization, which has about 1,200 employees in more than 120 locations in 23 states, takes a proactive stance when it comes to security, says Thomas Anderson, national director of human resources at MMI.

"It's very important as far as our corporate mission, which is improving lives through financial education," he says. "Clients need to have comfort that their information is going to be properly safeguarded."

Anderson also is a member of the Society for Human Resource Management's Employee Health, Safety & Security Special Expertise Panel, which tackles topics such as risk management, workplace violence, theft and fraud protection, workplace monitoring of email and Internet use, and background investigations. Other members include Orozco and Miller.

Many companies have formed councils that include HR and security leaders along with other business managers, says Howard Schmidt, former White House cybersecurity adviser and president of the Information Security Forum, a nonprofit association of 300 international organizations.

These groups go by various names, such as security and privacy council or business risk council, but the general goal is to ensure technical policies are fair and consistent with HR requirements, he says.

Still, a lot of enterprises have a long way to go in bringing HR and information security teams together, says SCIPP's Schwartau. He works with many organizations in the finance and government sectors and has seen HR and security often disjointed.

"You're dealing with technical things that tend to be fairly black and white," he says. "And you're dealing with the human issues that are anything but black and white; they're fully gray and subject to interpretation."

But for Orozco, the divide isn't so difficult. "You just have to understand what their concerns are. As an HR person,my concerns have to be the same," she says. "Our jobs are to protect the company. That's what they're doing and that's what I'm doing."

Dig Deeper on Information Security Incident Response-Information