Preventing data breaches in an organization requires a strong collaborative effort between the HR and IT departments—a collaboration that may even involve a blurring of the line between those traditionally separate functions.
That’s the assessment of Jacqui Summons, international HR director at Clearswift, a provider of data loss prevention technology in the UK. I had the opportunity to speak with Summons about this topic recently, and I began the conversation by asking her to provide an overview of what HR’s role should be in preventing data loss. She said the role is one that HR directors are slowly adopting:
Perhaps in some cases, they’re not grasping the importance of it quite as quickly as they should. I guess I’m in a privileged position, being in this type of business—it’s in front of me every day, whereas perhaps for some people, they don’t see that. But for me, there’s been a long period of time in which a lot of the HR directors would probably have seen this as being an IT issue, so they haven’t necessarily paid the attention to it that they perhaps should have done. When they are suffering as a result of a breach of some type, they realize that it is actually the HR function that is the group of people who are picking up the mess, and for a very long time after it happens, as well, because of the lack of trust that employees then have in that employer. It’s too late at that point, because it’s already happened. What I’m seeing within my own network is an increasing awareness of the fact that the HR function can’t just say that this is [the responsibility of] the IT department, and say that HR really doesn’t need to worry about it. It isn’t anywhere near as simple as that, because it’s a combination of having in place the right technology, the right policies that you can enforce within the business, and then—critically—the training piece, [to ensure that employees] are refreshed on a very regular basis so that people really understand what they should and shouldn’t do. It’s bringing all those pieces together that I see as an HR role.
Given that the HR and IT organizations in a company need to work closely together to address the problem, I asked Summons what form this cooperation takes at her company, Clearswift. She said training is a good example:
In terms of making sure that all of the employees who join the business go through the right kind of information security training, that isn’t something that HR can just do in isolation. We don’t deliver that—we work with IT to deliver it. We facilitate it, to make sure the employees who join the business really understand how important it is; and on an ongoing basis we make sure that our employees are aware of it. So we have the communication piece, but the delivery of the training, [given that] there are clear explanations that have to go with it so people really understand what they should and shouldn’t do, fits within IT. So certainly within Clearswift, when it came to us making sure that we had all of that very tight within our business, the IT manager and myself did that very much together—it was a joint exercise. I don’t think it works if it just fits within one function or the other.
I asked Summons what advice she might have for HR people to strengthen their collaboration with IT to prevent data breaches. She said it starts with asking the right questions:
The advice I’ve given to HR people is not to make an assumption that this task fits within the IT function, and that there’s therefore no need for them to be involved. Ask the questions you need to ask—don’t just assume that somehow or other this is magically being sorted by your IT function, and that you will never suffer any kind of data breach. The challenge, in terms of asking the right questions, is one I face myself, to a degree—HR people are typically not very technically minded. That isn’t normally what you find within an HR function. For some HR people it’s a whole new world, and a whole new language that they have not in the past had to be involved in.
Beyond the blurring of the line between HR and IT, I asked Summons whether she foresees a merging of the organizations in any sense. She said she hasn’t seen that yet, but the potential is there:
HR over the years has been part of many different functions. I have worked before in HR as part of the finance function, which was a less than enjoyable experience. But I have never actually been amalgamated as part of an IT function. Certainly in bigger organizations, you have what was always known as the HR Information System group. I can very much see those being much more closely aligned with IT than they were in the past—there was always sort of a gap between the two. I think that line will blur to the point where you could potentially see them together. I haven’t come across it very much in Europe so far, but I’m not saying that it wouldn’t do. I think it’s inevitable that if you have to work much closer, you may end up being structured in that way.
So should HRIS professionals report up through HR, as they typically do today, or up through IT? Summons said she’s beginning to lean toward IT:
There’s part of me that says maybe IT, because I think they do feel very challenged sometimes. Being part of HR sometimes leads people in the HRIS function to kind of go the more people-friendly, slightly more flexible route: ‘It doesn’t really matter if he has that data—let’s just let him have it because he needs it.’ Whereas actually, the more they work towards a much stricter IT function, and properly follow the policies and rules that are in place, the safer an organization would probably be with its data. I do think there is a slight tendency within HR to wear that flexibility hat when they’re talking to the various line managers and trying to make their lives a bit easier. That would be popular, but it may not be the safest route. So my gut feeling is that HRIS is better off moving more towards an IT function to preserve those policies and rules more rigidly than they might do if they were part of an HR function.
Summons concluded the conversation by returning to the question of how IT and HR can partner:
I think there’s a tendency from an IT perspective to very much tell people, ‘You can’t do this, you can’t do that—there is technology in place that will stop you.’ If you just do that in isolation, employees see this as just a way of being blocked from doing what they want to do. They don’t understand it. They think, ‘This is just IT with some ridiculous rule—we have no idea why they’ve deployed this technology. It’s painful—let’s find a way to work around it.’ And they do find a way to work around it. I think the HR piece, which is really critical if they’re going to get it right, is the communication piece. It’s about trying to get people to not just be told, ‘The policy is X—don’t breach it.’ It’s about telling them, ‘The policy is X, because if we don’t have this in place, or if you find a way around it, and it results in your personal data being out on the street, not only will you be really unhappy about it, but we also will not be able to recruit people into this business because our name will become synonymous with that data breach.’ Everybody cites Sony—you can go into an HR community and people say, ‘We don’t want to end up like Sony.’ The corporate reputation piece for them is huge. I would think that people who go for interviews at Sony are now saying, ‘Are you going to take care of my data? And how are you going to take care of my data?’
A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage. Follow him on Twitter @dontennant.