Is HR running your employee security training? Here’s why that’s not always the best idea – Source: www.csoonline.com

Source: www.csoonline.com – Author:

Training employees to resist the lure of phishing, scams, and deepfakes is central to a good cybersecurity posture, but to be effective it needs to be handled with plenty of input and guidance from the security team.

In today’s fast-changing threat landscape, relying solely on human resources to deliver employee security training can leave an enterprise vulnerable. While HR excels at organizing and overseeing internal compliance, IT and security teams bring the specialized knowledge needed to address various threats, such as phishing, data breaches, and social engineering.

By working together, these departments can develop a comprehensive program that covers requirements and hands-on skills, ensuring employees are well-prepared to protect themselves and their organizations.

On the surface it might make sense to have HR deliver training initiatives to staff, after all, they are the professionals whose job it is to manage the relationship between corporate leadership and a company’s workforce. And security teams tend to be focused on immediate technology needs and don’t always have the skills or tools to teach hundreds or thousands of employees.

But all too often there’s a lack of communication between HR and security when these programs — whether developed in-house or provided by a third party — are rolled out, and that can create inconsistencies that become costly down the line.

Security threats change constantly

HR shouldn’t be solely responsible for security training for the same reason that a security team shouldn’t be responsible for HR training: they’re two different roles with vastly different focus areas and backgrounds that demand specialization, says Rob Hughes, CISO at RSA Security.

“Security is always changing — cyberattackers make their livelihood by deploying new tactics and launching new campaigns,” he says. “HR shouldn’t be expected to stay current on those changes or how security training needs to account for those evolutions.”

Hughes adds that it’s beneficial for HR to help set up how training and onboarding will work, as well as to work with the security team on what happens if employees don’t take the training. However, the security team should lead the way on what the training includes and why it’s important to complete it.

“At the same time, the IT team needs to work in tandem with security teams to explain the best practice mechanisms for working with data and managing threats such as phishing emails,” he notes.

There are a number of limitations to HR-led security training programs, according to Hughes.

“The first is just visibility: HR doesn’t know what it doesn’t know, nor is it aware of the tactics that are currently targeting your organization’s users — and the ones that your users are falling for,” he says. “Security teams are in the trenches and know what cybersecurity risks your team needs help with. HR likely won’t.”

HR doesn’t have specialized security knowledge

Another limitation is that an organization’s security training can be a component in maintaining certain certifications, compliance, contractual agreements, and customer expectations, according to Hughes.

“If that’s important to your organization, then security, IT, and compliance teams will know the subjects to cover and help guide in the importance of compliance and the risks of not complying,” he says.

Keavy Murphy, VP of security at Net Health, agrees that HR-led security training programs often face limitations due to a lack of specialized or up-to-date knowledge on security threats in their industries.

“HR departments may not be fully aware of current cyber threats or the organization’s specific risks,” she says. “This can result in overly broad or generic training, which reduces its effectiveness. These programs can also fail to emphasize the practical, real-world application of security practices or offer enough guidance on addressing threats if they lack collaboration with security and IT teams.”

HR may not effectively tailor the training to the organization’s industry-specific threats, Murphy notes. Without the security department’s involvement, training content often lacks focus and fails to address the company’s unique threats, leaving employees unsure of what to watch for.

“For example, in the financial services sector, data breaches related to payment card information are the most likely risk,” she explains. “Training should focus on that and not the less likely scenarios, such as breaches of sensitive healthcare data.”

Bryan Willett, CISO at Lexmark, concurs that HR shouldn’t be solely responsible for employee security training because HR professionals lack the daily operational experience in the cybersecurity field.

“The HR team is well-versed in managing people and managing broader communications with the broad employee base,” Willett says. “But when it comes to the intricacies of security awareness that needs to be done or even security alerts that we might need to send out to users, that’s not their day job.”

The security team, by contrast, lives and breathes these challenges every day, according to Willett. They understand the specific risks that come from what employees do and can better explain what might happen if someone makes a cybersecurity mistake. Their expertise also helps them create training that’s more focused and useful, not just basic compliance messages.

Collaboration leads to more effective training

However, while HR shouldn’t run employee security training, Willett does view the HR team as a key partner. He suggests a collaborative approach where HR and security teams work together, leveraging their respective strengths. He explains that HR can help translate complex technical information into understandable language, while the security team provides the core content and technical expertise.

Hughes seconds this assessment.

“Any large-scale change or training initiative needs collaboration to be successful,” Hughes says. “At RSA, the HR, IT, legal, and security teams all collaborate on our annual compliance training to make sure that our team has what they need to continue working safely.”

HR has skin in the game for employee onboarding, compliance, and adherence to company policies and practices, according to Hughes. But they need to work hand in hand with the experts in the IT, legal, and security teams to ensure that the security awareness and compliance issues that relate to legal matters and privacy are properly covered.

“One best practice we’ve made use of is compartmentalizing our training to allow each department to go as deep as they need to: I’m not weighing in on HR policies because that’s not my superpower,” he says. “Likewise, the other department leaders aren’t defining security training. By keeping each module independent of one another, every team can focus on what they know best.”

Like Hughes and Willett, Chad Thunberg, CISO at Yubico, says that while HR often is an important collaborator for employee training, it is the security organization that should be responsible for the training content.

The security team has an in-depth understanding about the threats that are relevant for the company, insights into the types of attacks that have been successful in the past, and a catalog of known areas of concern or vulnerability, Thunberg says.

“Security training that is either sourced or developed by non-practitioners runs the risk of not feeling relevant or actionable,” he says.

Security experts must be actively involved in employee training

Harlin Lipman, head of information security at Chronosphere, says security has been growing into a very specialized role and department based on the expertise and growing importance it requires. As such, HR should not be solely responsible for employee security training because several key challenges and limitations come with HR-led security training programs.

“One common challenge is that the training content can quickly become stale, irrelevant, or does not match the risk profile of the organization,” Lipman says.

Security threats evolve rapidly, and without input from security professionals, training materials may fail to address current risks effectively, according to Lipman.

Another challenge is getting full buy-in from employees.

“If ‘off-the-shelf’ training materials are being provided, i.e., not custom-made, there could be a risk of users not being aware of organization-specific processes and policies, e.g., how to specifically report a security incident, what type of policies exist at the organization, etc.,” Lipman says. “This is oftentimes overlooked and leads to confusion internally.”

That’s why it’s essential for security experts to be actively involved in designing and delivering these training programs, Lipman notes.

“HR, IT, and security should work closely together to develop and deliver training,” he says. “Specifically, they should assess what type of content might be relevant for the organization. These teams should also collaborate to see who should specifically announce and deliver training. And if there is a dedicated security department, training is recommended to come from this team directly.”

Traditional training methods may not be enough as threats evolve

Dan Potter, senior director of cyber drills and resilience at Immersive, says that a successful security training program deploys frequent, up-to-date cybersecurity simulations that depict real-life scenarios employees may face in their day-to-day operations.

“Due to the fast-paced nature of the threat landscape, traditional trainings are often too infrequent and by the time they’re rolled out, the material is no longer relevant or impactful for the latest threats an organization faces,” he says. “While HR plays a critical role in a wide variety of training and development programs, they aren’t able to provide the specificity and speed required to develop a robust security training program.”

By leveraging insights from a business’s security team, training programs can be developed with unique roles in mind, according to Potter. An operations team member’s work streams look very different from a communications team member’s, so their training and cyber drills should too.

Not only do more in-depth trainings empower employees to address potential cyber attacks, but they also create a broader culture of security within an organization, something tick-the-box trainings could never do, he adds. Potter says that when it comes to employee security training, HR can be responsible for the logistics, scheduling, and organizational rollout of the training, while IT and security should provide the content and ensure it’s tailored to the company’s specific risks and technology.

Original Post url: https://www.csoonline.com/article/3856404/is-hr-running-your-employee-security-training-heres-why-thats-not-always-the-best-idea.html
