Security Basics mailing list archives
Re: HR and management - Was: CISSP Question
From: "Yousef Syed" <yousef.syed () gmail com>
Date: Fri, 11 May 2007 22:16:53 +0100
Hi Craig,

Most of what you state about HR departments and the way that IT/Sec interacts with them is quite sound and it would be really great if things did run that way. My views of HR staff are based primarily upon my own and my colleagues' experiences.

In smaller companies, the hiring and main interviewing tasks are performed by the managers seeking to staff a project or team etc. Following this, HR step in to finalise the hiring process and sort out all the legal issues and verify references etc. (I'm not going to discuss all the other tasks that HR perform).

I see problems of varying degrees occurring in the larger corporations/consultancies. In a large proportion of these corporations, IT is generally considered a menial task or a service to the business that is carried out by the geeks, while the real business is carried out by the businessmen - this image is worsened further by the outsourcing of these IT functions to India/China etc... I.e. our worth to the corporation is devalued. Furthermore, in large corporations you generally have pigeon-holed roles like Junior Software Engineer; Software Engineer; Senior Software Engineer; Team Leader; Manager... etc. as cardboard-cut-out roles that HR just seek to fill. These generics are piled into corporations as bodies and are randomly picked off for various projects. Or they seek to fill some bodies into the Helpdesk etc.

So as much as I'd like to see IT departments and their managers telling HR what they require, I don't see it happening in practice and nor do I see any signs of the status quo changing. I believe that ALL IT persons would do well to learn a little about the business that they work in - even if they are working in an IT business. But not only don't I see that happening, I see the opposite - Software Engineers being stopped from taking security courses or OS courses because HR say it is outside their career path; even though their managers have encouraged it and requested it. (And yes, I have seen this occur and heard of it happening in many LARGE corporations.)

So my somewhat cynical view of HR depts has been developed over 10 years' work in numerous Fortune 500 corps and Consultancies. As yet, I'm not high enough up the food chain to make any changes. :)

ys

P.S. I've broken off writing this about a dozen times, so please forgive the disjointed appearance or if it came across as rude.

On 11/05/07, Craig Wright <Craig.Wright () bdo com au> wrote:
Hello,

This post will commence with a qualification to set the tenor or tone and then progress, for those with the patience to read it, to a point of conclusion. I am unusual in that I work and study [full stop]. I have a distinctly separate perspective on the world to most people in that I have experience that crosses many boundaries. I am currently completing my 10th degree and fulfil the idealistic characterisation of nerd. I am the atypical logically isolated realist.

That stated, I have to say that I find the peer bashing unprofessional. Statements concerning HR managers such as "If you don't get past them, you're unlikely to see a real manager" get my hackles up. We have the privilege of knowing our own faults, but do not presume that we have an overarching right or responsibility to reflect on the failings of others in other fields and disciplines. The quote from Lucy Kellaway (in a prior post) reflects this author's incomprehension of HRM and the distinction from Personnel Management. She specialises in satirically picking on the faults within business and does little to help promote it (personal opinion).

Yes, HR often fail in what they do; they are also human. However, I for the most part place the blame squarely on the shoulders of those of us who are not doing our role effectively. When HR does not find the right person - it is us who have failed and not them. HR takes that which we the IT professionals stipulate and mould this into finding the people that fill the roles we occupy. When we fail to justify KPIs, roles and position statements and descriptions, we are the ones who have failed, not HR.

It is easy to sit back and blame HR. They are after all on the proverbial front line. They are the door keepers to the culture and tone within any firm. They however do not set the rules of entry. They are the caretakers who apply the controls we set in IT. HR are not expected to know IT, we are! By standing aside and saying "that is the role of HR", we fail. We miss the opportunity to add value to the firm we support. When working as a contractor, work to change the controls on hiring; it is a control over security after all. When we are lazy, we leave work to HR - it is only Personnel... let them do it. We have to be involved, active and participate in the firm to which we have attached our skills and aptitude.

So basically, we (i.e. us in IT) have to work with business; we have to understand them. We are not here to make the world, we are just a cog and it all traverses better when we work together and stop blaming the other party. So if you are not happy with how HR is applying the hiring practices of your firm - do something. Stop bitching when you have no idea about what really occurs and take the time to learn something outside your restricted perspective.

"Performance appraisals are that occasion when, once a year, you are reminded who owns you" (Peter Block, quoted by Lee 1996, p 44). For many, this quote sums up the view that performance management is not a tool to help them. Rather it is often seen as an irrational grasp by management to maintain power. "The essence of the concept of rationality is the relationship between means and ends. In all decision situations, certain ends will be desirable," Carter & Jackson (2000, p 98).

What gives me the right to bitch? Well, I have actually taken the time to look over the fence and see what they do in HR. I have completed University level education at a Masters level and published 2 papers on HRM (Rewarding IT staff in a changing environment, 2005 & HRM, it's not just hiring for compliance, 2004). I have completed my OH&S Diploma (Occupational Health and Safety) and have the inkling that maybe these are people - professionals even - who do not just sit on their butts waiting for the next time that a person needs to be hired.

CoBIT "PO7 - Manage Human Resources".
ISACA has defined the control of managing human resources as: "The control over the IT process of managing human resources that satisfies the business requirement to acquire and maintain a motivated and competent workforce and maximise personnel contributions to the IT processes is enabled by sound, fair and transparent personnel management practices to recruit, hire, vet, compensate, train, appraise, promote and dismiss."

They include the following key areas:
* Recruitment and promotion
* Training and qualification requirements
* Awareness building
* Cross-training and job rotation
* Hiring, vetting and dismissal procedures
* Objective and measurable performance evaluation
* Responsiveness to technical and market changes
* Proper balance of internal and external resources
* Succession plan for key positions

These few areas only touch on what is the realm of the Human Resources dept. They have legislative concerns, payroll (one dear to most of us), OH&S, ergonomics, compliance controls and strategic alignment to concern them as well. They should be working with IT Security; we should work closely with them.

Human resource management is a key control within the ISMS (AS/NZS 7799.2:2003 and now ISO 27001) framework. In particular, section 5.2.2 (below) deals almost exclusively with the control over Human Resource Management:

Section 5.2.2 Training, awareness and competency
The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by:
a) Determining the necessary competencies for personnel performing work affecting the ISMS;
b) Providing competent training and, if necessary, employing competent personnel to satisfy these needs;
c) Evaluating the effectiveness of the training provided and actions taken;
d) Maintaining records of education, training, skills, experience and qualifications.

The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives.

A good and effective relationship with business and HR does far more to help promote security than the latest techno toy. From the perspective of the Human Resources professional, the key sections which need to be addressed include:
1 Segregation of duties,
2 Recruitment, and
3 The monitoring of personnel.

However, the role of HR is to take the information and requirements that WE - the supposed IT Security professionals - give them. If they fail - it is generally as we have failed first - so who is really to blame? US.

Christopher (2003) demonstrates that a lack of training can lead to employees making "one of the worst mistakes" and "giving out sensitive data". He highlights the point that training and education are essential components which may be used to effectively empower staff to make correct decisions. He further states that most breaches of corporate security are caused as a result of "weakness in human firewalls". This details the need for awareness training for staff, as technology will fail where staff are not fully educated in stopping attacks against the organisation's information infrastructure. It has been further demonstrated that employee inclusiveness, increased personnel contribution, and improved resilience and information security within operations all return beneficial results within an organisation far exceeding the compliance requirements (Romeo 2002 and O'Bryan et al 1995). To achieve this ambition, we need to collaborate. HR are not the purported enemy; they are another foundation stone and a tool towards implementing the protected organisation. Our role is to get them the indispensable information to make their role effective. They fail when we fail.
As "competency based approaches to management development are most likely to be useful in large, mechanistic bureaucratic organisations which have clearly delineated roles and functions that are well documented" (Toohey, 1995, p125), information technology professionals may face difficulties in adjusting to this style of control. "Faster and more flexible ways to respond to management development needs may be what is required in the present turbulent management environment" (Toohey, 1995, p126) of IT, where change is a daily aspect of the job. IT roles are often fairly autonomous in nature, requiring a large degree of independence. Bureaucratic systems of control generally leave IT professionals feeling they are being watched too closely. Also, unless supervisors are given a structure to work from, their observations may reflect their own biases rather than the objective performance of employees (Lane, 2004), as they are not trained in behavioural assessment skills.

IT Professionals set the structure. From the CIO/IT Director etc. down, we are the people who set the structure. HR implements what we impose upon ourselves. We have to learn first.

Regards,
Craig

Dr Craig S Wright DTh MNSA MMIT CISA CISM CISSP ISSMP ISSAP G7799 GCFA GNSA AFAIM PGD(Mgmt) PGD(logistics) PGD(Sales) ASC(Org Chem.) ASC(Phys) LLM (Cand). (And a partridge in a pear tree)...

The following link is a journalistic article on me.
http://www.infoage.idg.com.au/index.php/id;1151410747;fp;512;fpid;1874290912
(When the site works ;)

References:
Banerjee, Debasish; Jones, Thomas W. and Cronan, Timothy Paul, 1996, "The association of demographic variables and ethical behaviour of information system personnel", Industrial Management & Data Systems 96/3 [1996] 3-10, MCB University Press.
Christopher, Abby, 28/10/2003, "The human firewall", CIO Magazine, http://cio.co.nz/cio.nsf/0/CD50373FD1A06BD3CC256DCD00015C68?
ISO 27001
COBIT 4.0/4.1
Mitchell, Ruth C.; Marcella, Rita and Baxter, Graeme, 1999, "Corporate information security management", New Library World, Volume 100, Number 1150, 1999, pp. 213-227, MCB University Press.
Wood, Charles Cresson, 1993, "Background checks for employees in computer-related positions of trust (A further contribution on security system checks for employees)", Information Management & Computer Security, Vol. 3 No. 5, 1995, pp. 21-22, MCB University Press Limited, 0968-5227.
Coe, Kathleen, Aug 2003, "Closing the Security Gap, Data Protection initiatives should include employee training", HR Magazine, Vol 48 No 8.
Romeo, Jim, Dec 2002, "Keeping your network safe, HR must protect sensitive data from internal and external security threats", HR Magazine, Vol 47 No 12.
O'Brien, James A., 1999, "Management Information Systems, Managing Information Technology in the Internetworked Enterprise", 4th Edn, Irwin McGraw-Hill Ltd, US.
Lee, C., 1996, "Performance appraisal: can we 'manage' away the curse?", Training: 44, 46-48, 50, 53, 55, 57, 59.
Carter, P. & Jackson, N., 2000, "Rethinking organisational behaviour", UK: Financial Times and Prentice Hall.
Toohey, S., 1995, "Competency based Management Education: What does it have to offer?", Asia Pacific Journal of Human Resources, 33 (2), 118-126.
Lane, David, 2004, "Foundations of HRM, Performance and Compensation Management", Course Notes, University of SA.

Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au
-- Yousef Syed "To ask a question is to show ignorance; not to ask a question, means you remain ignorant" - Japanese Proverb
Current thread:
- HR and management - Was: CISSP Question Craig Wright (May 11)
- Re: HR and management - Was: CISSP Question Yousef Syed (May 14)
- RE: HR and management - Was: CISSP Question Craig Wright (May 14)
- Re: HR and management - Was: CISSP Question Yousef Syed (May 14)