Chief Executive Officer, Security Innovation

How I learned to love my HR department

Apr 20, 2007

Careers, Data and Information Security, Identity Management Solutions

Many technical folks I know (myself included) have a natural distrust of the folks who reside over in HR. It’s not instinctual, but has been learned over time, as these are the same folks who are always badgering us to update our personal info, fill out form XYZ, and attend the company Spring BBQ at noon next Saturday when I plan to be sleeping instead.

These same HR folks can help us secure our companies, though, and protect us from the most damaging of all attacks – those from insiders.

Insider attacks are emotionally damaging to a company, and they are usually highly effective from a financial or theft perspective because insiders know where “the crown jewels” are and have access to sensitive info and infrastructure.

To protect yourself and your organization, there are two tactics you can take to be better prepared:

  1. Conduct regular threat modeling. The basic concept is to define a set of attacks and/or negative scenarios that could happen and then assess the probability, potential harm, priority, and business impact of each threat. There are plenty of good free threat modeling resources available, e.g., NIST Special Publication 800-30 (“Risk Management Guide for Information Technology Systems”), the Microsoft Threat Modeling Process, and the forthcoming ITIL v3, which advocates threat modeling as part of best practices for IT service delivery.
  2. Embrace the HR team. Include them in security activities, especially activities they’re good at such as the hiring process, background checks, and employee awareness. HR often has something IT doesn’t – budget for training!
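As an added example (not from the original post or from Security Innovation), here is the "assess probability, potential harm, priority" step from item 1 carried out in code, using the qualitative likelihood and impact scales from NIST SP 800-30 (2002 revision): likelihood high/medium/low maps to 1.0/0.5/0.1, impact high/medium/low maps to 100/50/10, and the product is binned into High (over 50), Medium (over 10 to 50) and Low (1 to 10). The insider-threat scenarios, ratings and the HR-side controls attached to each are constructed for illustration; the point is that the output is a ranked list that tells HR and IT which mitigations to fund first.

```python
from dataclasses import dataclass

# NIST SP 800-30 (2002) qualitative scales, Tables 3-4 through 3-6.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


@dataclass
class Threat:
    """One negative scenario from the threat model, with its planned control."""
    name: str
    likelihood: str  # "high" | "medium" | "low"
    impact: str      # "high" | "medium" | "low"
    control: str     # mitigation, often owned jointly by HR and IT


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood x impact on the 800-30 scales; rounded to avoid float noise."""
    return round(LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()], 4)


def risk_level(score: float) -> str:
    """Bin a numeric score into the 800-30 risk-level matrix."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Return (name, score, level, control) tuples, highest risk first.

    sort() is stable, so threats with equal scores keep their listed order."""
    scored = [(t, risk_score(t.likelihood, t.impact)) for t in threats]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(t.name, s, risk_level(s), t.control) for t, s in scored]


# Constructed insider-threat register (hypothetical ratings, not real data).
INSIDER_THREATS = [
    Threat("Terminated employee's accounts not disabled the same day",
           "high", "high", "HR termination ticket triggers IT deprovisioning"),
    Threat("Departing employee copies customer list before exit",
           "medium", "high", "Exit-interview checklist plus data-transfer monitoring"),
    Threat("Employee shares password after a phishing email",
           "high", "medium", "HR-funded security awareness training"),
    Threat("New hire with undisclosed fraud history gets finance access",
           "low", "high", "Pre-employment background checks"),
    Threat("Internal memo accidentally emailed outside the company",
           "medium", "low", "Data-handling guidance in onboarding"),
]


def print_register(threats=INSIDER_THREATS) -> None:
    for name, score, level, control in rank_threats(threats):
        print(f"{level:6} {score:6.1f}  {name}\n               -> {control}")


if __name__ == "__main__":
    print_register()
```

The scoring itself is deliberately simple; what makes the register useful is that every row names a control an HR process can actually own (offboarding, background checks, awareness training), which is exactly the collaboration the post argues for.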

I also learned that my HR team knows more about people than I do (imagine that, they were actually trained in the subject), and they have access to some pretty cool research about when and why employees go bad and commit crimes. My HR team even helped me write (and better yet implement) some new policies to mitigate threats from employees and educate employees to watch for signs of malcontent or suspicious behavior.

So yes, I am a tech-weenie-converted-to-HR-lover … I admit it. But I’m ok with that! 🙂


Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world including Microsoft, IBM, Fedex, ING, Sony, Nationwide and HP.