Imagine your CEO has heard the stories about ransomware and other cyber-threats; do they look for help from the CIO or do they ask the CHRO?
We can let that question hang there for a moment because two conflicting thoughts should come to mind. First, we know they’ll be calling the CIO, not the CHRO. Secondly, we know that most cyber-defences depend heavily on human behaviour. Based on that second fact, any cyber-defence that is not partly driven by the CHRO is likely to fail. So, is the CEO making the wrong call in going to the CIO and ignoring the CHRO?
A step in the right direction is for the CEO to ask the CIO, and then the CIO to ask the CHRO for help with behaviour change. That’s certainly better than the CIO trying to build a defence purely via technology and edicts (e.g. “You must change your password every week.”). But I’m still not happy with this approach. If the most important part of the solution is changing behaviour, then including HR shouldn’t be an afterthought.
We shouldn’t sit back and hope the CEO starts asking HR for help with issues like cyber-security. HR should recognize that cyber-security is important and that they have some tools to reduce the threat. They should be proactively making a proposal to the CEO on what needs to be done.
The proactivity test
There is a spectrum of HR functions from the passive ones that would wait for the CIO to ask for a training program to the proactive ones that would identify the issue long before anyone asked, come up with a plan, and present that plan to the CEO. Where does your HR function lie on that spectrum? Is it passive or proactive?
There is a reason HR often sits on the passive side of the spectrum: that’s what’s expected of them. If they raise the issue of cyber-security they may get blank stares, followed by being told to leave IT matters to IT.
Fixing those expectations is a change management exercise. It involves gently (and sometimes not so gently) challenging people’s expectations so that a proactive HR function is eventually accepted as a normal way to do business.
For example, on the cyber-security issue, if the CHRO feels they can’t go directly to the CEO to discuss cyber-security, then they should have a meeting with the CIO first. The tone shouldn’t be “What can I do to help?”; it should be “Here’s what we know about human behaviour and here’s how we can get people to behave responsibly. How do we fit that in with your expertise on securing systems?” From there the CIO and CHRO would co-present to the CEO. When the CEO begins to see the value a proactive HR function brings, then they’ll come to expect it.
If you’re not CHRO yet
You are probably not CHRO yet, so you won’t be leading the charge on corporate cyber-security. However, you can take the underlying lesson that HR should be proactive in identifying business issues and proposing solutions. And that’s the other lesson in this article that might have been overlooked. Cyber-security isn’t an HR issue; it’s a business issue which HR can help address. Don’t go to the business suggesting they need more training or higher engagement (those are HR issues). Go to the business and say, “Here’s how we can help you hit those deadlines”; “Here’s how to avoid a crisis of too many vacancies next year”; “Here’s how to get the production people to work more effectively with sales.”
If you focus proactively on business issues, and bring ideas of value to the table, then you can be sure that when you do become CHRO the CEO will be calling you on every big issue, not bringing you in as an afterthought.