Many technical folks I know (myself included) have a natural distrust of the folks over in HR. It’s not instinctual, but learned over time: these are the same folks who are always badgering us to update our personal info, fill out form XYZ, and attend the company Spring BBQ at noon next Saturday when I plan to be sleeping instead. These same HR folks can help us secure our companies, though, and protect us from the most damaging of all attacks – those from insiders. Insider attacks are emotionally damaging to a company, and they are usually highly effective from a financial or theft perspective because insiders know where “the crown jewels” are and have access to sensitive info and infrastructure.

To protect yourself and your organization, there are two tactics you can take to be better prepared:

1. Conduct regular threat modeling. The basic concept is to define a set of attacks and/or negative scenarios that could happen and then assess the probability, potential harm, priority, and business impact of each threat. There are plenty of good free threat modeling resources available, e.g., NIST Special Publication 800-30 (“Risk Management Guide for Information Technology Systems”), the Microsoft Threat Modeling Process, and the forthcoming ITIL v3, which advocates threat modeling as part of best practices for IT service delivery.

2. Embrace the HR team. Include them in security activities, especially activities they’re good at such as the hiring process, background checks, and employee awareness. HR often has something IT doesn’t – budget for training! I also learned that my HR team knows more about people than I do (imagine that, they were actually trained in the subject), and they have access to some pretty cool research about when and why employees go bad and commit crimes.
My HR team even helped me write (and better yet implement) some new policies to mitigate threats from employees and educate employees to watch for signs of malcontent or suspicious behavior. So yes, I am a tech-weenie-converted-to-HR-lover … I admit it. But I’m ok with that! 🙂