Four Good Reasons for Security to Talk to HR

In most organizations, security and IT managers don’t have the authority to fire employees who breach company policies. That’s why, according to one expert, security and human resources should work together more often.

In an article on the ComputerWorld website, Jon Espenschied says too often, “security folk are surprised and disappointed when the perpetrator is slapped on the wrist, or the incident quietly tabled without reprimand. Why the disjoint? Because they didn't coordinate with human resources, and because there’s no clarity about the severity or risk from the behavior, even incidents that ought to garner serious attention don’t.”

Espenschied says the key is to work with HR long before an incident happens. He cites four reasons the two should work together, including:

• Identity and authentication: With the task of establishing the identity of a new hire going to HR, IT needs to know there’s a record of that person’s identity.
• Acceptable behavior: Technically, it’s HR’s job to ensure employees are acting in an ethical manner, even if IT wrote the security policies.
• Training vs. awareness: Combine security training with periodic HR training on organizational policies to save time. HR can also help implement a good security awareness program.
• Termination: Since most information security officers and IT directors can’t actually fire staff, they may not know HR has specific procedures in place for termination. Working together can eliminate those miscommunications.

“The point is to keep the IT-HR dialog going,” Espenschied says. “Rather than trying to enumerate all of the things that one shouldn’t do, IT can open up the doors of technology more fully if HR has already delineated the behaviors that are not acceptable no matter what the venue. The more communication there is, usually the simpler and easier the work of monitoring and enforcement becomes.”