Ask what department is responsible for data security in an organization and the most likely answer is, “IT.” But some experts are saying it shouldn’t be IT alone – that better security requires a closer collaboration with Human Resources (HR).
One example, they say, is a breach this past Feb. 26 at the Federal Deposit Insurance Corporation (FDIC), when a departing employee inadvertently downloaded 44,000 customer records, including personally identifiable information (PII), to a USB thumb drive.
Fortunately, officials said, there was no apparent harm done. The breach happened on a Friday, the agency’s data-loss-protection software detected it the following Monday, the FDIC contacted the ex-employee immediately and she returned it the following day.
She also signed an affidavit saying she had not used or shared the information. And the FDIC noted that the former employee was authorized to access the data. She just wasn’t supposed to have brought any of it home with her.
But this was not the only such incident. The Wall Street Journal reported about a month ago that the FDIC has reported seven such breaches in just the past eight months, all from departing employees taking data with them and potentially compromising the PII of 160,000 Americans.
So, could better collaboration between IT and HR have prevented any of those incidents? Expert opinions are mixed.
Even though this was very obviously a “human” problem, and it has been obvious for decades that people are the so-called “weakest link” in the security chain, most security awareness training is done by IT, not HR.
It is also IT that is responsible for protecting data, for knowing where it is and who has access to it when – otherwise known as Identity and Access Management (IAM). Even software designed to detect months in advance that an employee is exhibiting behavior that he is likely to leave is managed by IT, not HR.
Still, Joseph Loomis, founder and CEO of CyberSponse, said it is, “always good practice to have a strong connection between IT and HR.”
Anytime there is human behavior involved, HR should also be involved.
Joseph Loomis, founder and CEO, CyberSponse
When there is a failure, he said, it is likely due to “bad process.” In tracking an organization’s, “headcount turnover, demands for talent and shifts in culture, all information is often lost with the former IT admin,” he said. “We call this the ‘House of Cards for IT.’ Things go up and down every time someone comes and goes.”
And tracking the coming, going and transitioning of employees, he said, is very much within the purview of HR. “Anytime there is human behavior involved, HR should also be involved,” he said.
Sign up for Computerworld eNewsletters.