A common shortcoming of human resources (HR) departments is that — despite being an operation designed to put humans at the center of how an organization is run — they often fail to adequately align with their IT counterparts and the core technology systems that define how a business is run and protected from cyber-risk.
Insufficient coordination between HR and IT processes and procedures remains common and gives rise to security gaps that can represent some of the most dangerous vulnerabilities on a company’s attack surface. Let’s examine the scope of the challenge and some key cyber-asset management priorities that can close the schism for a more robust cybersecurity posture.
Elevating HR’s Role in Securing the Enterprise
Gone are the days when HR’s role in securing the enterprise relied on basic tutorials for employees about protecting passwords on company equipment. Today’s threat environment intersects with the workforce in more ways than ever — from BYOD and authentication gaps to user vulnerabilities that make spear-phishing seem quaint. Traditional social engineering attacks are now being augmented by zero-click exploits that compromise employee devices without the user ever having to click a link or take any action at all.
Beyond malicious threats, even routine HR processes can introduce risk to the organization when they’re not adequately aligned with the IT processes in an organization. As just one example, when an employee leaves a company, the offboarding goes far beyond just the exit interview to also include removing access to multiple enterprise systems, accounts, and devices — all of which require close coordination between HR and IT personnel and systems.
To better secure the enterprise, it’s mission-critical to get HR and IT more united in a common and advanced understanding of cyber hygiene and risk mitigation. This relies on enhanced awareness of the impact that HR processes have on cyber assets in other parts of the organization, as well as the HR role in access management for employees and contractors. This requires asset visibility that must be ongoing and in real time, since our roles, devices, and access to data and systems may change multiple times over the course of our employment.
Three Priorities for Better Cyber-Asset Visibility and Alignment Between HR and IT
Any lack of IT coordination across the many integration points and business systems involved in the HR operation creates risk for the company. There must be an effort toward more visibility and synergetic business processes to align HR operations with the organization’s larger IT estate. Here are three priorities for achieving this:
- Increase the data IQ among HR professionals: Data literacy among domain-specific business analysts is important, and that message needs to get louder within the HR community. The more HR professionals can understand the technology implications of their work, the more they can help protect the IT estate as their processes and policies play out in the workforce.
- Fully integrate HR as a well-represented domain in the IT estate: Cooperation between the HR department and IT security relies heavily on the alignment of their respective business processes. Ideally, this integration should include predefined, HR-specific compliance frameworks within the cyber-asset management domain that can be applied to all existing and future cyber assets. There should also be clear coordination with IT on HR’s role in employee access to systems, files, and data.
- Automation is essential: HR’s digital reach into the organization is such that automation will inevitably be needed. As an example, let’s return to the case of employee offboarding. Especially with the current “great resignation,” the multiple IT tickets generated by each offboarding can pile up and lead to backlogs that expose the company to unnecessary risk, unless automation is introduced to take over more of these HR-related processes and complete them more quickly.
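To make the offboarding point concrete, here is an added example (not code from the article or from any vendor it discusses) of the kind of reconciliation an automated HR/IT control would run: it compares an HR roster against an inventory of accounts across enterprise systems, flags accounts that are still enabled after an employee's termination date, flags accounts with no matching HR record at all, and detects logins that occurred after termination. The roster, the account inventory, the system names ("vpn", "crm", "github") and the dates are all constructed sample data; in practice they would be pulled from the HRIS and the identity provider or asset inventory.

```python
"""Reconcile an HR roster against an IT account inventory to surface
offboarding gaps. Added example with constructed data; the systems,
people and dates below are hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    email: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date]  # None while the person is active


@dataclass(frozen=True)
class Account:
    system: str                      # e.g. "vpn", "crm", "github" (hypothetical)
    email: str
    enabled: bool
    last_login: Optional[date]


def find_offboarding_gaps(roster: List[HrRecord], accounts: List[Account],
                          today: date, grace_days: int = 0
                          ) -> Tuple[List[Tuple[Account, int]], List[Account]]:
    """Return (stale, orphans).

    stale:   enabled accounts belonging to terminated employees, paired with
             the number of days the account has outlived the termination date
             (only reported once that exceeds grace_days).
    orphans: enabled accounts whose e-mail matches no HR record at all, which
             usually means HR and IT disagree about who works here.
    """
    by_email = {r.email.lower(): r for r in roster}
    stale: List[Tuple[Account, int]] = []
    orphans: List[Account] = []
    for acct in accounts:
        rec = by_email.get(acct.email.lower())
        if rec is None:
            if acct.enabled:
                orphans.append(acct)
            continue
        if rec.status == "terminated" and acct.enabled and rec.termination_date:
            overdue = (today - rec.termination_date).days
            if overdue >= grace_days:
                stale.append((acct, overdue))
    return stale, orphans


def post_termination_logins(roster: List[HrRecord],
                            accounts: List[Account]) -> List[Account]:
    """Accounts that recorded a login strictly after the owner's termination
    date: a detection signal that access was used when it should have been gone."""
    by_email = {r.email.lower(): r for r in roster}
    hits = []
    for acct in accounts:
        rec = by_email.get(acct.email.lower())
        if (rec and rec.status == "terminated" and rec.termination_date
                and acct.last_login and acct.last_login > rec.termination_date):
            hits.append(acct)
    return hits


def build_offboarding_tickets(stale: List[Tuple[Account, int]]) -> Dict[str, List[str]]:
    """Group stale accounts by system so one ticket per system can be raised
    automatically instead of one manual ticket per account."""
    tickets: Dict[str, List[str]] = {}
    for acct, _overdue in stale:
        tickets.setdefault(acct.system, []).append(acct.email)
    return tickets


# Constructed sample data (not real people or systems).
TODAY = date(2024, 3, 15)
SAMPLE_ROSTER = [
    HrRecord("E1", "alice@example.com", "active", None),
    HrRecord("E2", "bob@example.com", "terminated", date(2024, 3, 1)),
    HrRecord("E3", "carol@example.com", "terminated", date(2024, 3, 10)),
]
SAMPLE_ACCOUNTS = [
    Account("vpn", "alice@example.com", True, date(2024, 3, 12)),
    Account("vpn", "bob@example.com", True, date(2024, 3, 5)),     # login after termination
    Account("crm", "bob@example.com", False, date(2024, 2, 20)),   # correctly disabled
    Account("github", "carol@example.com", True, date(2024, 3, 1)),
    Account("crm", "dave@example.com", True, None),                # no HR record: orphan
]

if __name__ == "__main__":
    stale, orphans = find_offboarding_gaps(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, TODAY)
    for acct, days in stale:
        print(f"STALE   {acct.system:7} {acct.email} enabled {days} days past termination")
    for acct in orphans:
        print(f"ORPHAN  {acct.system:7} {acct.email} has no HR record")
    for acct in post_termination_logins(SAMPLE_ROSTER, SAMPLE_ACCOUNTS):
        print(f"ALERT   {acct.system:7} {acct.email} logged in after termination")
    print("tickets:", build_offboarding_tickets(stale))
```

Run as a script it prints the stale, orphaned and post-termination-login accounts, then the per-system ticket list. The e-mail address is used as the join key purely for illustration; a production version should join on a stable employee identifier carried in both the HRIS and the identity provider, because addresses get reused and renamed. The orphan list is often the more interesting output: contractors and service accounts that never passed through HR tend to show up there, which is exactly the visibility gap the article describes.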
These priorities underscore the pivotal role cyber-asset management plays at the nexus of HR and IT operations. Better adherence to common data standards, a rigorous cloud tagging schema, and other cyber-asset management basics can streamline and scale the ability for HR and IT teams to work seamlessly together. The result is more visibility and control, and a single source of truth around where and how HR and IT operations affect each other, a clarity that enhances the overall security of the enterprise.
Source: www.darkreading.com