From FIC 2019[i] to PWC[ii] and Kaspersky[iii] —to mention only the most recent sources— it is now widely acknowledged that the techno-centric approach to cybersecurity has had its day. According to Deloitte[iv], 63% of security incidents within a company are linked to a malicious action or to an error made by an employee. It is therefore time to make room for human aspects.
In this context, it is time for the Human Resources Departments to step in!
In the core cybersecurity business, the training and recruitment of technical experts is a struggle and there is no miraculous solution in sight to train enough specialists. Moreover, the miraculous remedy will not come from technology: in half of the cases, the stacking of technical solutions is already considered as aggravating operational complexity and reducing visibility on the company’s cybersecurity policy[v].
The task of raising awareness among the entire company’s population is huge, and the HRDs have an essential role to play.
Yet we hardly hear them. Why? Maybe because we do not mobilise them. The valuable reports mentioned above do not specifically mention them; they merely provide generic advice to companies and to general management. Perhaps also because what cybersecurity takes pride in, its technical complexity, always hangs around its neck like a millstone.
I am not the only one who wants to approach human resources experts, to bring them into the great circle of men and women who are building cybersecurity, and to hope for their involvement and support. I was able to get close to a few of them. They told me that it was a good idea, that it should be done. In one or two years, perhaps… yes, in two years probably, the time will have come. It will be 2021.
Fortunately, the experts at the round table I hosted at the FIC 2019 on people as the weak link in corporate cybersecurity have already put people at the heart of their action. This is the case for Phédra Clouner, the Deputy Director of the Belgian Cybersecurity Centre. The national agency conducted a phishing awareness campaign that was noticed by 43% of the population, i.e. almost 5 million people. It has also taken training initiatives for public stakeholders and essential service operators. Stéphane Nappo, the CISO of the international branch of a major French bank that totals 30 million customers and 71,000 employees, has also chosen to bet on private individuals and their privacy. To best raise the teams’ awareness, they are told about the security of their private photos on their personal devices. When their privacy is talked about, people listen. At the Luxembourg Cybersecurity Competence Centre, Pascal Steichen launched Room#42, a cyber-attack simulation game that makes it easy to see what challenges a company’s teams face when it comes to reacting to an emergency. In such a moment, the comfort of a silo organisation and the “every man for himself” reaction really become the worst obstacles to overcoming the panic created by data losses and the failed computer system. Technology providers are not to be outdone: Sébastien Gest, of Vade Secure, advises CISOs and provides them with tools that give them visibility on phishing attacks, to better protect the company. Because forewarned is forearmed.
Each team, each person has a role to play in securing the company. Although it is clear that the team—which has the word “human” in its very title—is already or is destined to become a key player in cybersecurity, it must be recognised that the HRD is now in the blind spot of cybersecurity.
My dream is to see a human resources manager step onto a stage and show his or her daily commitment in favour of the (cyber)security of the company and all its employees, and to mobilise an entire profession. Will my dream finally come true in…2021?
[iii] Employee awareness of IT security. It is time to open your eyes! (Kaspersky, April 2019)
[v] Ponemon Institute study for IBM: The 2019 Study on the Cyber Resilient Organization (April 2019)