
HR Professionals Can Help Solve Cybersecurity Problems

by Maurice Uenuma
Yesterday’s Advisor illuminated how a lack of training has the potential to increase the risk of cybersecurity breaches at your organization. Today, Maurice Uenuma, chief operating officer for the Council on CyberSecurity, explains how HR professionals are integral to the security of enterprise data and networks.


It only takes a casual scan of the headlines to know that cybersecurity is a hot topic these days. It seems that nearly every day, a large company or government agency becomes another victim of data theft, or worse. It has become clear that cybersecurity is everyone’s problem. What’s less clear is how to address the problem, since it’s often believed cybersecurity is a technical matter and thus difficult for nontechnical professionals to understand or impact.
Cybersecurity: A People Problem
In reality, cybersecurity is fundamentally a people problem, with a people solution. People design, build, install, operate, and manage systems and must take steps to protect these systems from other people who seek to steal, disrupt, and undermine them. These steps range from designing security into products to ensuring proper configurations to monitoring networks to restricting access to properly responding to incidents.
There is an extreme worldwide shortage of talented cybersecurity professionals—in quantity and quality—to tackle the more technical aspects of cybersecurity. But addressing that shortage will not reduce one of the greatest vulnerabilities that every enterprise has: its own nontechnical workforce. In many cases, hackers get in through weak passwords, harmful attachments, deceptive e-mails with harmful links, and exploitation of loose management of accounts and administrative privileges.
Therefore, the proper management of people is the best hope for turning the situation in favor of the good guys. Here HR professionals play a crucial role, as they are central to enterprise workforce management, which includes planning, recruiting, hiring, and developing talent.
Enterprise Workforce Management
Clearly, good workforce management is essential to enterprise defense. What’s needed is the right people in the right places at the right time to minimize vulnerabilities while providing continuous monitoring, mitigation, and response.
Looking at the broader picture, the enterprise is responsible for securing itself, including protecting its own data, systems, and infrastructure. To do this, enterprises must take effective and prioritized action with an effective, long-term strategy. Often, though, organizations are impeded by uncertainty about how to prioritize actions among all the things that can be done (which has been referred to as the “Fog of More”). To help with this process, the Council and its cohort of volunteer experts publish and regularly update the Critical Security Controls, a recommended set of actions for cyberdefense that provides specific and actionable ways to thwart the most pervasive attacks.
Against this set of prioritized actions, the workforce can be organized and deployed. Mapping workforce roles to Controls enables an organization to focus HR on prioritized cybersecurity action.
By leveraging a common taxonomy for cybersecurity-related roles provided by the National Initiative on Cybersecurity Education (NICE) framework and linking them to specific Controls, the enterprise can implement an effective strategy to protect its data, systems, and infrastructure.
Central Role of HR Professionals
HR professionals are key to this process. By integrating cybersecurity planning with workforce management, the enterprise can address critical personnel needs while strengthening the cybersecurity posture of the entire workforce. This is done by integrating policies, training, and development into the routine tasks of sourcing, hiring, onboarding, and training, while supporting senior leaders in the fostering of a “security culture.”
This effort can be organized into three categories: cybersecurity professionals specifically tasked with ongoing security operations; IT professionals who manage and operate data systems; and all others. These three categories, known as the Essential Tasks Pyramid, are a ready reference for the tasks employees in these different functional areas should be performing. HR professionals can help drive secure behavior through the implementation of ongoing awareness programs and formal training.
The Cybersecurity Workforce Handbook, recently published by the Council on CyberSecurity, is a resource that guides business leaders, hiring managers, and HR professionals through a step-by-step process to make their enterprises more resilient to the attacks and vulnerabilities faced every day. You can access the handbook here.
Maurice Uenuma is the chief operating officer of the Council on CyberSecurity, responsible for implementing the organization’s value proposition through its programs and activities. Maurice was formerly with Dell, where he led global, cross-functional teams to establish sales intelligence and decision support capabilities.
