One of IT’s primary goals is to protect the company’s confidential data. HR’s focus is on developing and preserving the corporate culture while, at the same time, protecting employee privacy. This blog is based on our learnings from working closely together to implement a global security program at Forcepoint. We were curious about each other’s worlds, and we developed a way of thinking about these ideas that I’d like to share with you.
Most Mistakes are Innocent
From an HR perspective, we have to remember that not everyone is malicious. In fact, most breaches occur because of what we call accidental or inadvertent intent. Perhaps someone is having a bad day, not on their game, or they simply became distracted and accidentally left a file unprotected. These are all innocent mistakes. However, we shouldn’t lose sight of the fact that we’re trying to protect our company’s data and IP. When addressing situations like this with the employee, it’s crucial that the employer create a ‘learning moment’ to help them understand the impact of their actions – as innocent as they may be. In these discussions, be mindful of how the employee will feel as a result of your message. Your words matter and will make a lasting impact on them, as well as on others, because word of how the situation was handled will get out to other employees. We must remember that the way employees feel links directly to their level of connectivity to the company, their desire to give their discretionary effort, and their belief in the company’s mission. All of this helps to shape and preserve a strong company culture.
The Business of HR
From my perspective, there are two types of HR professionals – let’s call them “traditional” and “modern.” Traditional, old-school HR professionals are viewed as ‘the necessary evil’ in many companies across the globe. They focus on hiring, firing, and filing. Candidly speaking, these types of HR professionals no longer warrant a seat at the table. They are often barriers to productivity and seem to get satisfaction in catching someone doing the wrong thing – which they see as an opportunity to exert their power. The modern HR professional, by contrast, helps advance the business. This leader speaks the language of business, engages with the organization in meaningful ways to create more value for the business and the bottom line, and establishes a strong culture within the organization. Still, as effective as these modern HR professionals are within an organization, many miss a crucial point, which is the partnership between HR and IT. By partnering with IT and also the legal team, HR can actually help implement controls for the security system and get acceptance from the employee base on the balance between privacy and protection.
Creating a Climate of Trust
An important lesson we learned from the rollout of our own internal workforce security program is that HR needs to be an actively involved stakeholder in the decision-making process from the beginning and share in the ownership and accountability of these important programs. As a result, HR cyber security can improve the culture by helping to educate employees so they will come to accept proactive monitoring of behavior and risk. This only works if a climate of mutual respect and trust is established. HR must partner with IT to create this climate. If we set the right tone from the top based on mutual trust and respect, fewer employees will make bad decisions – such as stealing data and intellectual property. Trust is critical to establish with your employees, who are your greatest brand ambassadors. And trust is the most important driver of a company’s brand. Without trust, the brand suffers. And when the brand suffers, your overall business will suffer.
Moving to a More Adaptive Model
Acceptance by employees also leads to deeper understanding of cyber activity. We have to move from fixed defenses to something that’s more adaptive. When there is no longer a presumption of guilt, we see a faster resolution of incidents. Proving innocence can happen more quickly, while preserving and protecting the employee’s privacy. There has to be a balance, of course, between protecting employees, critical business data and intellectual property. But you don’t have to trade off privacy. With protection of employee privacy you are protecting their rights. And furthermore, protecting employee privacy can be the means to protecting against accidental data loss or theft.
HR can help employees when breaches occur. Companies should avoid creating a culture of fear when breaches occur – regardless of whether these breaches result from innocent or intentional actions. Don’t over-rotate and make broad policy changes just because of the conduct of a single employee. If you do this, the bad apples will indeed spoil the bunch – and that is never a good outcome. It will erode your culture, and erode it FAST. Instead we should focus on two-way communication, education, and coachable moments. Focus on unleashing the power of people and their potential.
Be Human First
The key to protecting privacy through security is being human first. You need to be able to relate to your employees and help them understand. One of the biggest realizations we have had while deploying our solution is that the workforce security program can provide valuable information to HR and vice versa. It’s everyone to the defense: being involved means ownership and accountability at every level. We’ve learned that clear communication requires transparency. With transparency, you can destroy every silo within the business. These simple shifts in attitude can improve trust between the company and the employee, and create a higher performing and more engaged workforce.
HR and IT must share the responsibility and workload for a forward-looking cyber security program. And to do this requires a true partnership, not a veneer. This partnership must balance employee privacy with the protection of users, critical data and IP.
Originally shared on LinkedIn.