{"id":2679,"date":"2025-04-09T06:00:00","date_gmt":"2025-04-09T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2679"},"modified":"2025-04-09T06:00:00","modified_gmt":"2025-04-09T06:00:00","slug":"is-hr-running-your-employee-security-training-heres-why-thats-not-always-the-best-idea","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2679","title":{"rendered":"Is HR running your employee security training? Here\u2019s why that\u2019s not always the best idea"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In today\u2019s fast-changing threat landscape, relying solely on human resources to deliver employee security training can leave an enterprise vulnerable. While HR excels at organizing and overseeing internal compliance, IT and security teams bring the specialized knowledge needed to address various threats, such as <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\">phishing<\/a>, data breaches, and <a href=\"https:\/\/www.csoonline.com\/article\/571993\/social-engineering-definition-examples-and-techniques.html\">social engineering<\/a>.<\/p>\n<p>By working together, these departments can develop a comprehensive program that covers both compliance requirements and hands-on skills, ensuring employees are well-prepared to protect themselves and their organizations.<\/p>\n<p>On the surface it might make sense to have HR deliver training initiatives to staff; after all, they are the professionals whose job it is to manage the relationship between corporate leadership and a company\u2019s workforce. 
And security teams tend to be focused on immediate technology needs and don\u2019t always have the skills or tools to teach hundreds or thousands of employees.<\/p>\n<p>But all too often, there\u2019s a lack of communication between HR and security when these programs \u2014 whether developed in-house or provided by a third party \u2014 are rolled out, and that can create inconsistencies that become costly down the line.<\/p>\n<h2 class=\"wp-block-heading\">Security threats change constantly<\/h2>\n<p>HR shouldn\u2019t be solely responsible for security training for the same reason that a security team shouldn\u2019t be responsible for HR training: they\u2019re two different roles with vastly different focus areas and backgrounds that demand specialization, says Rob Hughes, CISO at RSA Security.<\/p>\n<p>\u201cSecurity is always changing \u2014 cyberattackers make their livelihood by deploying new tactics and launching new campaigns,\u201d he says. \u201cHR shouldn\u2019t be expected to stay current on those changes or how security training needs to account for those evolutions.\u201d<\/p>\n<p>Hughes adds that it\u2019s beneficial for HR to help set up how training and onboarding will work, as well as to work with the security team on what happens if employees don\u2019t take the training. However, the security team should lead the way on what the training includes and why it\u2019s important to complete it.<\/p>\n<p>\u201cAt the same time, the IT team needs to work in tandem with security teams to explain the best practice mechanisms for working with data and managing threats such as phishing emails,\u201d he notes.<\/p>\n<p>There are a number of limitations to HR-led security training programs, according to Hughes.<\/p>\n<p>\u201cThe first is just visibility: HR doesn\u2019t know what it doesn\u2019t know, nor is it aware of the tactics that are currently targeting your organization\u2019s users \u2014 and the ones that your users are falling for,\u201d he says. 
\u201cSecurity teams are in the trenches and know what cybersecurity risks your team needs help with. HR likely won\u2019t.\u201d<\/p>\n<h2 class=\"wp-block-heading\">HR doesn\u2019t have specialized security knowledge<\/h2>\n<p>Another limitation is that an organization\u2019s security training can be a component in maintaining certain <a href=\"https:\/\/www.csoonline.com\/article\/1309993\/grc-impact-and-challenges-to-cybersecurity.html\">certifications, compliance, contractual agreements<\/a>, and customer expectations, according to Hughes.<\/p>\n<p>\u201cIf that\u2019s important to your organization, then security, IT, and compliance teams will know the subjects to cover and help guide in the importance of compliance and the risks of not complying,\u201d he says.<\/p>\n<p>Keavy Murphy, VP of security at Net Health, agrees that HR-led security training programs often face limitations due to a lack of specialized or up-to-date knowledge on security threats in their industries.<\/p>\n<p>\u201cHR departments may not be fully aware of current cyber threats or the organization\u2019s specific risks,\u201d she says. \u201cThis can result in overly broad or generic training, which reduces its effectiveness. These programs can also fail to emphasize the practical, real-world application of security practices or offer enough guidance on addressing threats if they lack collaboration with security and IT teams.\u201d<\/p>\n<p>HR may not effectively tailor the training to the organization\u2019s industry-specific threats, Murphy notes. Without the security department\u2019s involvement, training content often lacks focus and fails to address the company\u2019s <em>unique<\/em> threats, leaving employees unsure of what to watch for.<\/p>\n<p>\u201cFor example, in the financial services sector, data breaches related to payment card information are the most likely risk,\u201d she explains. 
\u201cTraining should focus on that and not the less likely scenarios, such as breaches of sensitive healthcare data.\u201d<\/p>\n<p>Bryan Willett, CISO at Lexmark, concurs that HR shouldn\u2019t be solely responsible for employee security training because HR professionals lack the daily operational experience in the cybersecurity field.<\/p>\n<p>\u201cThe HR team is well-versed in managing people and managing broader communications with the broad employee base,\u201d Willett says. \u201cBut when it comes to the intricacies of security awareness that needs to be done or even security alerts that we might need to send out to users, that\u2019s not their day job.\u201d<\/p>\n<p>The security team, by contrast, lives and breathes these challenges every day, according to Willett. They understand the specific risks that come from what employees do and can better explain what might happen if someone makes a cybersecurity mistake. Their expertise also helps them create training that\u2019s more focused and useful, not just basic compliance messages.<\/p>\n<h2 class=\"wp-block-heading\">Collaboration leads to more effective training<\/h2>\n<p>However, while HR shouldn\u2019t run employee security training, Willett does view the HR team as a key partner. He suggests a collaborative approach where HR and security teams work together, leveraging their respective strengths. He explains that HR can help translate complex technical information into understandable language, while the security team provides the core content and technical expertise.<\/p>\n<p>Hughes seconds this assessment.<\/p>\n<p>\u201cAny large-scale change or training initiative needs collaboration to be successful,\u201d Hughes says. 
\u201cAt RSA, the HR, IT, legal, and security teams all collaborate on our annual compliance training to make sure that our team has what they need to continue working safely.\u201d<\/p>\n<p>HR has skin in the game for employee onboarding, compliance, and adherence to company policies and practices, according to Hughes. \u201cBut they need to work hand in hand with the experts in the IT, legal, and security teams to ensure that the security awareness and compliance issues that relate to legal matters and privacy are properly covered.\u201d<\/p>\n<p>\u201cOne best practice we\u2019ve made use of is compartmentalizing our training to allow each department to go as deep as they need to: I\u2019m not weighing in on HR policies because that\u2019s not my superpower,\u201d he says. \u201cLikewise, the other department leaders aren\u2019t defining security training. By keeping each module independent of one another, every team can focus on what they know best.\u201d<\/p>\n<p>Like Hughes and Willett, Chad Thunberg, CISO at Yubico, says that while HR often is an important collaborator for employee training, it is the security organization that should be responsible for the training content.<\/p>\n<p>The security team has an in-depth understanding about the threats that are relevant for the company, insights into the types of attacks that have been successful in the past, and a catalog of known areas of concern or vulnerability, Thunberg says.<\/p>\n<p>\u201cSecurity training that is either sourced or developed by non-practitioners runs the risk of not feeling relevant or actionable,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Security experts must be <em>actively<\/em> involved in employee training<\/h2>\n<p>Harlin Lipman, head of information security at Chronosphere, says security has grown into a highly specialized role and department because of the expertise it requires and its growing importance. 
As such, HR should not be solely responsible for employee security training, because HR-led security training programs come with several key challenges and limitations.<\/p>\n<p>\u201cOne common challenge is that the training content can quickly become stale, irrelevant, or does not match the risk profile of the organization,\u201d Lipman says.<\/p>\n<p>Security threats evolve rapidly, and without input from security professionals, training materials may fail to address current risks effectively, according to Lipman.<\/p>\n<p>Another challenge is getting full buy-in from employees.<\/p>\n<p>\u201cIf \u2018off-the-shelf\u2019 training materials are being provided, i.e., not custom-made, there could be a risk of users not being aware of organization-specific processes and policies, e.g., how to specifically report a security incident, what type of policies exist at the organization, etc.,\u201d Lipman says. \u201cThis is oftentimes overlooked and leads to confusion internally.\u201d<\/p>\n<p>That\u2019s why it\u2019s essential for security experts to be actively involved in designing and delivering these training programs, Lipman notes.<\/p>\n<p>\u201cHR, IT, and security should work closely together to develop and deliver training,\u201d he says. \u201cSpecifically, they should assess what type of content might be relevant for the organization. These teams should also collaborate to see who should specifically announce and deliver training. 
And if there is a dedicated security department, training is recommended to come from this team directly.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Traditional training methods may not be enough as threats evolve<\/h2>\n<p>Dan Potter, senior director of cyber drills and resilience at Immersive, says that a successful security training program deploys frequent, up-to-date cybersecurity simulations that depict real-life scenarios employees may face in their day-to-day operations.<\/p>\n<p>\u201cDue to the fast-paced nature of the threat landscape, traditional trainings are often too infrequent and by the time they\u2019re rolled out, the material is no longer relevant or impactful for the latest threats an organization faces,\u201d he says. \u201cWhile HR plays a critical role in a wide variety of training and development programs, they aren\u2019t able to provide the specificity and speed required to develop a robust security training program.\u201d<\/p>\n<p>By leveraging insights from a business\u2019s security team, training programs can be developed with unique roles in mind, according to Potter. An operations team member\u2019s work streams look very different from a communications team member\u2019s, so their training and cyber drills should too.<\/p>\n<p>Not only do more in-depth trainings empower employees to address potential cyber attacks, but they also create a broader culture of security within an organization, something tick-the-box trainings could never do, he adds. 
Potter says that when it comes to employee security training, HR can be responsible for the logistics, scheduling, and organizational rollout of the training, while IT and security should provide the content and ensure it\u2019s tailored to the company\u2019s specific risks and technology.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In today\u2019s fast-changing threat landscape, relying solely on human resources to deliver employee security training can leave an enterprise vulnerable. While HR excels at organizing and overseeing internal compliance, IT and security teams bring the specialized knowledge needed to address various threats, such as phishing, data breaches, and social engineering. By working together, these departments [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2680,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2679","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2679"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2679"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2679\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2680"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2679"}],"wp:term":[{"taxonomy":"category","embeddabl
e":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}