By John Kuforiji
John Kuforiji is a cybersecurity and IT strategy expert, specializing in leadership, risk management, cloud security, and digital transformation.
In today’s interconnected world, cybersecurity is no longer just the responsibility of the IT department—it is a company-wide priority.
The “People, Processes, and Technology” framework is the gold standard in cybersecurity, highlighting the need for a balanced approach to secure an organization’s infrastructure. While processes and technology are essential, it is ultimately people who form the foundation of a robust cybersecurity strategy. The actions—or inactions—of individuals are often what separate a secure organization from one that falls victim to cyber threats.
Why People Are the Key to Cybersecurity
Consider the case of Edward Snowden, a contractor working for the U.S. National Security Agency (NSA), whose 2013 disclosures became one of the most significant insider breaches in history. Snowden held a security clearance and, as a systems administrator, had broad access to classified material. He had previously worked for the CIA and for NSA contractors, and the thoroughness of the background reinvestigation behind his clearance was later questioned.
When Snowden leaked classified data in 2013, the consequences were enormous. Documents describing government surveillance programs were made public, sparking worldwide controversy and undermining public trust in how the government handled sensitive information. The breach showed how someone with legitimate, broadly scoped access can take data out of an organization using nothing more than the access that had been granted to him. The case underscores the importance of background checks in keeping people with a hidden agenda or malicious intent away from vital systems, and it carries a second lesson: a background check is a point-in-time control, so even a vetted insider still needs least-privilege access and monitoring of what privileged accounts actually do.
This story highlights the central role that people play in cybersecurity. While technology and processes are critical components of a security strategy, human behavior, whether intentional or accidental, can create vulnerabilities that technology alone cannot close. Regardless of how sophisticated an organization's security infrastructure is, the human element remains the most common weak link. This is why HR's role in ensuring the organization hires, develops, and retains the right people is absolutely critical.
How HR Strengthens Cybersecurity
HR is in a unique position to drive security across the organization, particularly by focusing on the hiring process, employee development, and retention. Here’s how HR can play a pivotal role in strengthening an organization’s cybersecurity posture:
1. Hiring the Right People
The first step in any cybersecurity strategy is hiring the right individuals. HR plays a critical role in sourcing cybersecurity professionals and ensuring that the broader workforce is equipped to follow security best practices. But recruitment is more than just reviewing resumes—it involves understanding the specific skills required for each role and evaluating candidates for their alignment with the organization’s security goals.
– Recruiting Cybersecurity Talent: HR should focus on attracting individuals with the necessary technical expertise and experience in cybersecurity roles such as Security Analysts, Network Security Engineers, and CISOs.
– Evaluating Cybersecurity Awareness in Non-Technical Roles: Even non-technical employees need to understand basic security principles. HR should assess candidates’ cybersecurity awareness during the hiring process, evaluating their knowledge of common threats like phishing and their ability to follow basic security protocols.
2. Developing Cybersecurity Competencies
Once the right individuals are hired, the next step is development. Cybersecurity is a rapidly evolving field, and it is crucial to ensure employees stay up-to-date on the latest threats and security protocols. HR can help foster a security-first mindset through continuous training and development.
– Onboarding and Training: HR is responsible for ensuring that cybersecurity awareness is an integral part of the onboarding process. New hires should be educated on the company’s security policies, best practices, and specific threats related to their roles.
– Role-Specific Training: Cybersecurity training should be tailored to each employee’s job function. HR can collaborate with IT and cybersecurity teams to create specialized training programs that address the unique security challenges faced by different departments.
– Simulating Real-World Threats: HR can organize phishing simulations and other training exercises to test employees’ ability to recognize and respond to security threats. This reinforces the importance of vigilance and quick action when faced with potential security risks. Results should be used to teach rather than to punish: the metric that matters most is how quickly employees report a suspicious message, and punitive programs drive reporting down.
3. Retaining the Right People
Recruiting and developing cybersecurity talent is crucial, but retaining that talent is equally important. Cybersecurity professionals are in high demand, and retaining skilled individuals can be challenging. HR plays an essential role in ensuring that the organization’s workforce remains engaged, satisfied, and motivated.
– Rewarding Secure Behavior: HR can implement recognition programs that celebrate employees who go above and beyond to ensure cybersecurity. This could include rewarding individuals who spot and report phishing attempts, or those who participate actively in security awareness initiatives.
– Creating Career Pathways in Cybersecurity: Employees are more likely to stay in a role if they see opportunities for growth. HR should work with leadership to create clear career progression paths for cybersecurity professionals, encouraging them to build deeper expertise and grow within the company.
– Supporting Employee Well-being: Burnout can be a significant issue in high-stress roles like cybersecurity. HR can support employees by fostering a positive work environment, promoting work-life balance, and offering stress management resources.
But even a well-trained security team cannot protect an organization if people are allowed to leave critical roles without a plan to close the gaps they leave behind. Take Target’s 2013 data breach. Target had invested in security tooling and monitoring, but at the time of the breach it had no chief information security officer; responsibility for security was spread across other roles, and the company did not appoint its first CISO until 2014. Attackers entered through credentials stolen from a third-party vendor, and the monitoring tools Target had deployed did raise alerts while the malware was being staged, yet those alerts were not acted on in time.
The breach resulted in the theft of payment card data belonging to roughly 40 million customers. Tooling that fires alerts is only as good as the ownership behind it: when nobody clearly owns the decision to escalate, or the people who understood a system have moved on without handing that knowledge over, the response is slow. A more structured approach to staffing and knowledge transfer in critical security roles might have given Target a better chance of catching the intrusion before the data left the network.
This situation demonstrates the importance of retaining the right people and planning for smooth transitions when key cybersecurity personnel leave. HR’s role extends beyond hiring and training: it must also ensure that the organization has a strategy for continuity in critical roles, particularly in a field as dynamic and fast-moving as cybersecurity. And because HR is the system of record for who works for the company, its joiner, mover, and leaver processes should be what triggers account provisioning and, when someone departs, the prompt revocation of their access.
4. The Critical Role of Background Checks
Perhaps one of the most important aspects of hiring in cybersecurity is conducting background checks. This vital step helps ensure that individuals hired for sensitive roles are trustworthy and do not pose a security risk. Checks should be scoped to the sensitivity of the role, carried out within applicable employment and privacy law, and repeated periodically for staff in the most sensitive positions, since any single check is only a snapshot.
– Detecting Prior Incidents: A thorough background check can reveal whether a candidate has been involved in previous security incidents, fraud, or other criminal activity that would pose a risk to the organization. This information allows HR to make informed decisions and avoid bringing in individuals who could jeopardize the company’s cybersecurity.
– Uncovering Risky Behavior and Red Flags: Background checks provide a comprehensive look at a candidate’s history, helping HR detect any signs of risky behavior. Whether it’s a history of financial fraud, unethical behavior, or discrepancies in their resume, background checks provide essential insights that protect the organization from potential threats.
– Ensuring Regulatory Compliance: In certain industries, background checks are not just a best practice—they are a requirement. HR must ensure compliance with these regulations to protect the organization from legal or financial repercussions.
At the intersection of People, Processes, and Technology, the people component is arguably the most critical when it comes to cybersecurity. Technology alone cannot protect an organization from the wide range of cyber threats it faces—human behavior plays a central role in safeguarding sensitive data and systems. By focusing on recruiting the right people, fostering continuous development, conducting thorough background checks, and creating a culture of security, HR can help ensure that an organization is both prepared and protected against cyber threats. In today’s world, a strong cybersecurity strategy hinges on one key factor: the people—so your role in HR has never been more essential!

John Kuforiji
B.Eng., CISSP, TOGAF, CCSP, SABSA, COBIT, RMP