Re: HR and management - Was: CISSP Question

["Yousef Syed" <yousef.syed () gmail com>]

Hi Craig,
Most of what you state about HR departments and the way that IT/Sec
interacts with them is quite sound and it would be really great if
things did run that way.

My views of HR staff is based primarily upon mine and my colleagues experiences.

In smaller companies, the hiring and main interviewing tasks are
performed by the managers seeking to staff a project or team etc.
Following this, HR step-in to finalise the hiring process and sort out
all the legal issues and verify references etc. (I'm not going to
discuss all the other tasks that HR perform).

I see problems of varying degrees occuring in the larger
corporations/consultancies.
In a large proportion of these corporations, IT is generally
considered a menial task or a service to the business that is carried
out by the geeks, while the real business is carried out by the
businessmen - this image is worsened further by the outsourcing of
these IT functions to India/China etc... I.e. Our worth to the
corporation is devalued.
Furthermore, in large corporations you generally havepigeon-holed
roles like Junior Software Engineer; Software Engineer; Senior
Software Engineer; Team Leader; Manager... etc as cardboard-cut-out
roles that HR just seek to fill. These generics are piled into
corporations as bodies and are randomly picked off for various
projects. Or they seek to fill some bodies into the Helpdesk etc.

So as much as I'd like to see IT departments and their managers
telling HR what they require, I don't see it happening in practice and
nor do I see any signs of the status-quo changing.

I believe that ALL IT persons would do well to learn a little about
the business that they work in - even if they are working in an IT
business. But not only don't I see that happening, I see the opposite
- Software Engineers being stopped from taking security courses or OS
courses because HR say it is outside their career-path; even though
their managers have encouraged it and requested it. (and yes, I have
seen this occur and heard of it happenning in many LARGE corporations)

So my somewhat cynical view of HR depts has been developed over
10-years work in numerous Fortune 500 corps and Consultancies. As yet,
I'm not high enough up the food chain to make any changes. :)


ys

P.S. I've broken off writing this about a dozen-times, so please
forgive the disjointed appearance or if it came across as rude.


On 11/05/07, Craig Wright <Craig.Wright () bdo com au> wrote:
> Hello,
> This post will commence with a qualification to set the tenor or tone
> and then progress for those with the patience to read it to a point of
> conclusion. I am unusual in that I work and study [full stop]. I have a
> distinctly separate perspective on the world to most people in that I
> have experience that crosses many boundaries. I am currently completing
> my 10th degree and fulfil the idealistic characterisation of nerd. I am
> the atypical logically isolated realist.
>
> That stated. I have to say that I find the peer bashing unprofessional.
> Statements concerning HR managers such as "If you don't get past them,
> you're unlikely to see a real manager" get my hackles up. We have the
> privilege of knowing our own faults, but do not presume that we have an
> overarching right or responsibility to reflect on the failings of others
> in other fields and disciplines.
>
> The quote from Lucy Kellaway (in a prior post) reflects this author's
> incomprehension of HRM and the distinction from Personal Management. She
> specialises in satirically picking on the faults within business and
> does little to help promote it (personal opinion).
>
> Yes, HR often fail in what they do, they are also human. However, I for
> the most part place the blame squarely on the shoulders of those of us
> who are not doing our role effectively. When HR does not find the right
> person - it is us who have failed and not them.
>
> HR takes that which we the IT professional stipulate and mould this in
> to finding the people that fill the roles we occupy. When we fail to
> justify KPI's, roles and position statements and descriptive we are the
> ones who have failed, not HR.
>
> It is easy to sit back and blame HR. They are after all on the
> proverbial front line. They are the door keepers to the culture and tone
> within any firm. They however do not set the rules of entry. They are
> the caretaker who applied the controls we set in IT. HR are not expected
> to know IT, we are!
>
> By standing aside and saying, that is the role of HR, we fail. We miss
> the opportunity to add value to the firm we support. When working as
> contractor, work to change the controls on hiring, it is a control over
> security after all.
>
> When we are lazy, we leave work to HR - it is only Personnel... Let them
> do it. We have to be involved, active and participate in the firm to
> which we have attached our skills and aptitude.
>
> So basically, we (i.e. us in IT) have to work with business, we have to
> understand them. We are not here to make the world, we are just a cog
> and it all traverses better when we work together and stop blaming the
> other party.
>
> So if you are not happy with how HR is applying the hiring practices of
> your firm - do something. Stop bitching when you have no idea about what
> really occurs and take the time to learn something outside your
> restricted perspective.
>
> Performance appraisals are that occasion when, once a year, you are
> reminded who owns you, (Peter Block quoted by Lee 1996, p 44). For many,
> this quote sums up the view that performance management is not a tool to
> help them. Rather it is often seen as a irrational grasp by management
> to maintain power.
> "The essence of the concept of rationality is the relationship between
> means and ends.  In all decision situations, certain ends will be
> desirable," Carter & Jackson (2000, p 98).
>
> What gives me the right to bitch? Well I have actually taken the time to
> look over the fence and see what they do in HR. I have completed
> University level education at a Masters level and published 2 papers on
> HRM (Rewarding IT staff in a changing environment, 2005 & HRM, it's not
> just hiring for compliance, 2004). I have completed my OH&S Diploma
> (Occupational Health and Safety) and have the inkling that maybe these
> are people - professionals even - who do not just sit on their butts
> waiting for the next time that a person needs to be hired.
>
> CoBIT "PO7 - Manage Human Resources".  ISACA has defined the control of
> managing human recourses as:
> "The control over the IT process of managing human resources that
> satisfies the business requirement to acquire and maintain a motivated
> and competent workforce and maximise personnel contributions to the IT
> processes is enabled by sound, fair and transparent personnel management
> practices to recruit, line, vet, compensate, train, appraise, promote
> and dismiss."
>
> They include the following key areas:
> *       Recruitment and promotion
> *       Training and qualification requirements
> *       Awareness building
> *       Cross-training and job rotation
> *       Hiring, vetting and dismissal procedures
> *       Objective and measurable performance evaluation
> *       Responsiveness to technical and market changes
> *       Proper balance of internal and external resources
> *       Succession plan for key positions
>
> These few areas only touch on what is the realm of the Human Resources
> dept. They have legislative concerns, payroll (one dear to most of us),
> OH&S, ergonomics, compliance controls and strategic alignment to concern
> them as well. They should be working with IT Security; we should work
> closely with them.
>
> Human resource management is a key control within the ISMS (AS/NZS
> 7799.2:2003 and now ISO 27001) framework. In particular, section 5.2.2
> (below) deals almost exclusively with the control over Human Resource
> Management:
> Section 5.2.2 Training, awareness and competency
> The organization shall ensure that all personnel who are assigned
> responsibilities defined in the ISMS are competent to perform the
> required tasks by:
> a)      Determining the necessary competencies for personnel performing
> work affecting the ISMS;
> b)      Providing competent training and, if necessary, employing
> competent personnel to satisfy these needs;
> c)      Evaluating the effectiveness of the training provided and
> actions taken;
> d)      Maintaining records of education, training, skills, experience
> and qualifications.
> The organization shall also ensure that all relevant personnel are aware
> of the relevance and importance of their information security activities
> and how they contribute to the achievement of the ISMS objectives.
>
> A good and effective relationship with business and HR does far more to
> help promote security than the latest techno toy.
>
> From the perspective of the Human Resources professional, the key
> sections which need to be addressed include:
> 1       Segregation of duties,
> 2       Recruitment, and
> 3       The Monitoring of personal.
>
> However, the role of HR is to take the information and requirements that
> WE - the supposed IT Security professionals - give them. If they fail -
> it is generally as we have failed first - so who is really to blame? US.
>
> Christopher (2003) demonstrates that a lack of training can lead to
> employees making "one of the worst mistakes" and "giving out sensitive
> data". He highlights the point that training and education are essential
> components which may be used to effectively empower staff to make
> correct decisions.
> He further states that most breaches of corporate security are caused as
> a result of "weakness in human firewalls".  This details the need for
> awareness training for staff as technology will fail where staff are not
> fully educated in stopping attacks against the organisations information
> infrastructure.
>
> It has been further demonstrated that employee inclusiveness; increased
> personnel contribution; and improved resilience and information security
> within operations all return beneficial results within an organisation
> far exceeding the compliance requirements (Romeo 2002 and O'Bryan et al
> 1995). To achieve this ambition, we need to collaborate.
>
> HR are not the purported enemy, they are another foundation stone and a
> tool towards implementing the protected organisation. Our role is to get
> them the indispensable information to make their role effective. They
> fail when we fail.
>
> As "competency based approaches to management development are most
> likely to be useful in large, mechanistic bureaucratic organisations
> which have clearly delineated roles and functions that are well
> documented" (Toohey, 1995, p125), information technology professionals
> may face difficulties in adjusting to this style of control.
>
> "Faster and more flexible ways to respond to management development
> needs may be what is required in the present turbulent management
> environment" (Toohey, 1995, p126) of IT where change is a daily aspect
> of the job. IT roles are often fairly autonomous in nature, requiring a
> large degree of independence. Bureaucratic systems of control generally
> leave IT professionals feeling they are being watched too closely. Also
> unless supervisors are given a structure to work from, their
> observations may reflect their own biases, rather than the objective
> performance of employees (Lane, 2004) as they are not trained in
> behavioural assessment skills.
>
> IT Professionals set the structure. From the CIO/IT Director etc down,
> we are the people who set the structure. HR implements what we impose
> upon ourself.
>
> We have to learn first.
>
> Regards,
> Craig
>
> Dr Craig S Wright
> DTh MNSA MMIT CISA CISM CISSP ISSMP ISSAP G7799 GCFA  GNSA AFAIM
> PGD(Mgmt) PGD(logistics) PGD(Sales) ASC(Org Chem.) ASC(Phys) LLM (Cand).
> (And a partridge in a pear tree)...
>
>
> The following link is a journalistic article on me.
> http://www.infoage.idg.com.au/index.php/id;1151410747;fp;512;fpid;187429
> 0912
> (When the site works ;)
>
>
> References:
> Banerjee, Debasish; Jones, Thomas W. and Cronan, Timothy Paul, 1996 "The
> association of demographic variables and ethical behaviour of
> information system personnel", Industrial Management & Data Systems 96/3
> [1996] 3-10 MCB University Press
>
> Christopher, Abby, CIO Magazine, "The human firewall", 28/10/2003
> http://cio.co.nz/cio.nsf/0/CD50373FD1A06BD3CC256DCD00015C68?
>
> ISO 27001
>
> COBIT 4.0/4.1
>
> Mitchell, Ruth C. and Marcella, Rita, and Baxter, Graeme, 1999
> "Corporate information security management" New Library World Volume
> 100. Number 1150. 1999. pp. 213-227, MCB University Press
>
> Wood, Charles Cresson, 1993 " Background checks for employees in
> computer-related positions of trust (A further contribution on security
> system checks for employees)", Information Management & Computer
> Security, Vol. 3 No. 5, 1995, pp. 21-22, MCB University Press Limited,
> 0968-5227
>
> Coe, Kathleen, Aug 2003, "Closing the Security Gap, Data Protection
> initiatives should include employee training", "HR Magazine - Vol 48
> No8"
>
> Romeo , Jim, Dec 2002, "Keeping your network safe, HR must protect
> sensitive data from internal and external security threats", "HR
> Magazine - Vol 47 No12"
>
> O'Brien, James A., 1999, 'Management Information Systems, Managing
> Information Technology in the Internetworked Enterprise', 4th Edn, Irwin
> McGraw-Hill Ltd, US
>
> Lee, C. 1996 "Performance appraisal: can we 'manage' away the curse?"
> Training: 44, 46-48, 50, 53, 55, 57, 59.
>
> Carter, P. & Jackson, N. 2000 "Rethinking organisational behaviour."
> UK: Financial Times and Prentice Hall
>
> Toohey, S. 1995 "Competency based Management Education: What does it
> have to offer?" Asia Pacific Journal of Human Resources. 33, (2)
> 118-126.
>
> Lane, David, 2004, "Foundations of HRM, Performance and Compensation
> Management", Course Notes, University of SA
>
> Craig Wright
> Manager of Information Systems
>
> Direct +61 2 9286 5497
> Craig.Wright () bdo com au
> +61 417 683 914
>
> BDO Kendalls (NSW)
> Level 19, 2 Market Street Sydney NSW 2000
> GPO BOX 2551 Sydney NSW 2001
> Fax +61 2 9993 9497
> www.bdo.com.au
>
> Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
> those States and Territories of Australia where such legislation exists.
>
> The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
> read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
> received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
> system.
>
> Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
> You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
> Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
> viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
> result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
> statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.
>
> BDO Kendalls is a national association of separate partnerships and entities.


--
Yousef Syed
"To ask a question is to show ignorance; not to ask a question, means
you remain ignorant" - Japanese Proverb