Opinion: Four good reasons for Security to talk to HR

Dogs and cats living together? Yes, but necessarily so

Neither IT nor security managers fire people in most organizations. That plain reality seems to escape some in the industry, where offended security administrators declare that disabling the antivirus program is grounds for demotion or an IT manager finding unlicensed media makes arrangements for someone to make the cardboard box commute.

Too often, security folk are surprised and disappointed when the perpetrator is just slapped on the wrist, or the incident is quietly tabled without reprimand. Why the disjoint? Because they didn't coordinate with human resources, and because there's no clarity about the severity or risk from the behavior, even incidents that ought to garner serious attention don't.

The solution is to get right with Human Resources long before the incident. I know -- like dogs and cats living together, the notion of touchy-feely HR personnel working together with hard and graceless IT security geeks may portend the coming of the End Times. But there are a handful of topics that require collaboration. By addressing them before there's an incident, a lot of pain and frustration can be avoided.

Identity and authentication

The initial establishment of identity for a new hire -- involving driver's licenses and W-2 documents -- is a management task specific to HR. When identity is established, and the person who showed up is sufficiently authenticated as that person, we say that initial identification and authentication or "initial I&A" is complete.

This is never an automated task. This is also never an IT task. If someone shows up at the IT help desk asking for an account and there's no HR record of initial I&A, all sorts of alarm bells ought to go off. Unless there's a specific exception -- perhaps the granting of temporary IDs to vendors when a business unit's contract serves as initial I&A -- IT should never, ever be in the business of determining if a person exists or not.

It's one of the most common errors I see, but initial I&A ought not be confused with the implementation of roles and rights. Only after the management decision to hire someone is processed by HR can a person's online persona be connected to a set of tasks, a specific role, a salary and the other trappings of a job. Confusing these different steps means stepping on HR's toes, after which conflict, confusion and weakened security are inevitable.

Acceptable behavior

IT may be a gatekeeper, but it is not the arbiter of all things ethical. Again, that's HR's job, even if an IT director or security officer authored an "acceptable use" policy under the umbrella of IT policy. IT frequently falls down the rabbit hole of trying to define ethical behavior for an organization in the context of its computer systems and resources.

By confusing this topic, loopholes are created where people may claim that only specific behaviors were proscribed, or that there wasn't any clear connection between misuse of technology and an actual ethical violation for which one might be terminated. Confusion creates uncertainty, and uncertainty lets misbehaving people through the cracks -- even when the violations are pretty egregious.

It's important to work with HR to understand the ethics standards for the organization, and to make sure that they account for the things that might take place. For example, a non-IT ethics policy might focus on job performance and gender sensitivity but ignore the resources and common behaviors permitted by the presence of information technology.

By reviewing the policies together, HR may decide to add specific topics about handling sensitive information or behaviors while connected to company resources. With a little attention, it may be possible to lean on the HR ethics policy heavily so that an Acceptable Use Policy can focus on real use and potential pitfalls -- instead of trying to re-state the ethical justification behind the policy.

Training vs. awareness

There aren't enough hours in the day for most IT security staffers, so I often wonder why they spend any of them offering information-security training sessions for the general office population. Not only is it wasteful to put on single-purpose training sessions of that sort, but those most likely to attend voluntarily are not those who most need to be reached.

Whether selling items on eBay or running a business from one's desk, the behaviors, prohibitions, policies and training ought to be the same regardless of mode. Trading ID badges and database accounts? Leaving keys in the door or writing a laptop's password on the cover with a marker? Calling a manager when something is seriously amiss in a system or paper files are found unlocked and rifled-through? Technology is not the issue.

Like most other controls in information security, the most effective ones are indistinguishable from properly performed business processes, so there's little good reason not to combine security training with periodic HR training on organizational policies. As a first step, IT security trainers should pick up the HR training list or catalog and see where the information can be combined in existing courses.

"Awareness," on the other hand, is typically used to mean ongoing reminders about right actions and proper behavior -- distinct from classes or instructional sessions that constitute formal training. A security awareness program is a good vehicle for ensuring that good behaviors are maintained, through messages, posters, periodic campaigns or other ways of getting short messages out. However, the effectiveness of awareness programs is often not verifiable, so they're poor tools for communicating important changes or events.

Don't re-invent the wheel. If HR has a program of regular reminders about business policies, communication updates, or other messages that are not tied to a specific event, it may be efficient and effective to piggyback on those as well. Otherwise, security staff should conduct their own awareness campaigns more often than not.

Termination

Information security officers and IT directors don't make the call to fire other departments' staffers, at least not in any organization I've seen -- it's just not part of the program. HR will have specific procedures for termination that involve reporting managers. If an organization is unusually together, there may be documented criteria for what constitutes a serious or fireable offense. Sometimes this takes the form of a zero-tolerance policy; other times it's just the historical record of things people did to get themselves escorted from the building by managers or law enforcement. But the role of the ISO or IT manager is to document events, not judge them.

Understandably, then, when the ISO shows up demanding that a person be fired for doing something, the HR response is often "Why?" If the response is technical and unintelligible, there's likely to be little or no action. Doing this repeatedly will result in a patronizing attitude from HR, if not outright derision.

First, ask HR whether they have a documented "zero-tolerance" policy or other list of actions that they think ought to result in immediate termination. Ask for a secondary list of things they want to be told about immediately -- their list of troublesome things that warrant an alert. Read both lists carefully. Whomever is responsible for security policy and compliance (usually the security officer) should then cross-reference and consolidate the list so that the IT security events can be communicated in nontechnical terms to HR.

For example, "browsing Web pages that were flagged by the smart filter policy and then forwarding the images via e-mail to a distribution list" can be expressed in HR-speak as "violated the ethics policy by retrieving pornography on company time using company resources, and violated the antiharassment policy by sending obscene material to multiple employees." The goal is not just to normalize policies and language, but also to make the consequences of misbehavior more predictable and thus fairer to employees.

Keep the door open

The point is to keep the IT-HR dialogue going. Rather than trying to enumerate all of the things that one shouldn't do, IT can open up the doors of technology more fully if HR has already delineated the behaviors that are not acceptable no matter what the venue. The more communication there is, usually the simpler and easier the work of monitoring and enforcement becomes.

With any luck, this will make time for even more interesting conversations between HR and IT, such as the review of executive proxy logs, mutual difficulties with audit, IT's internal access to sensitive HR data and other things best discussed -- together -- over an after-hours beer.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a major refugee aid organization and continues to have his advice ignored by CEOs, auditors and sysadmins alike.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon