Ask what department is responsible for data security in an organization and the most likely answer is, “IT.” But some experts are saying it shouldn’t be IT alone – that better security requires a closer collaboration with Human Resources (HR).

One example, they say, is a breach this past Feb. 26 at the Federal Deposit Insurance Corporation (FDIC), when a departing employee inadvertently downloaded 44,000 customer records, including personally identifiable information (PII), to a USB thumb drive.

Fortunately, officials said, there was no apparent harm done. The breach happened on a Friday, the agency’s data-loss-protection software detected it the following Monday, the FDIC contacted the ex-employee immediately and she returned it the following day.

She also signed an affidavit saying she had not used or shared the information. And the FDIC noted that the former employee was authorized to access the data. She just wasn’t supposed to have brought any of it home with her.

But this was not the only such incident. The Wall Street Journal reported about a month ago that the FDIC has reported seven such breaches in just the past eight months, all from departing employees taking data with them and potentially compromising the PII of 160,000 Americans.

So, could better collaboration between IT and HR have prevented any of those incidents? Expert opinions are mixed.

Even though this was very obviously a “human” problem, and it has been obvious for decades that people are the so-called “weakest link” in the security chain, most security awareness training is done by IT, not HR.

It is also IT that is responsible for protecting data, for knowing where it is and who has access to it when – otherwise known as Identity and Access Management (IAM).
Even software designed to detect, months in advance, behavior indicating that an employee is likely to leave is managed by IT, not HR.

Still, Joseph Loomis, founder and CEO of CyberSponse, said it is, “always good practice to have a strong connection between IT and HR.”

When there is a failure, he said, it is likely due to “bad process.” In tracking an organization’s, “headcount turnover, demands for talent and shifts in culture, all information is often lost with the former IT admin,” he said. “We call this the ‘House of Cards for IT.’ Things go up and down every time someone comes and goes.”

And tracking the coming, going and transitioning of employees, he said, is very much within the purview of HR. “Anytime there is human behavior involved, HR should also be involved,” he said.

Ira Winkler, president of Secure Mentem, said it ought to be obvious that, “HR should inform IT when people are leaving. HR has very specific purposes in ensuring the appropriate separation of employees.”

Charles Choe, product marketing manager for Guidance Software, agreed. He said while data loss prevention (DLP) technologies focus on data-in-motion, “they are often turned off due to the high rate of false positives that effectively hinder effective business operations.”

So, he said, it is important for HR to notify IT when employees are leaving, even when the separation is planned and amicable, so the activities of those employees can be more closely monitored.
“It is also HR’s responsibility to properly educate employees that any work produced during employment legally belongs to the organization, and not the individual, at least in the United States,” he said.

Dana Simberkoff, chief compliance and risk officer at AvePoint, said HR and IT should be “joint partners” both in training and supervision of employees – especially those who are transitioning out of an organization.

At a minimum, she said, organizations should enforce policies that require when employees are leaving that, “the data they are removing is reviewed and approved before they go, and their access to systems with customer data on them is limited and supervised.”

Trevor Hawthorn, CTO of Wombat Security Technologies, said HR, “needs to closely coordinate with IT to communicate when employees are leaving, if they are a security risk, and ensure that an ‘off-boarding’ checklist is followed. For employees that are moving within the organization, a strong IAM capability will allow the organization to audit user rights and privileges.”

And Steve Conrad, managing director at MediaPro, said he thinks many breaches, including those at the FDIC, are a result of multiple problems – among them training and data classification.

“Data of different classifications seemed to have been comingled and the (FDIC) employee didn’t readily identify PII was at risk,” he said. “This breach may have been stopped with a more effective security awareness program. HR could definitely help IT design a better training experience that produces better overall results.”

Nobody disputes that all departments in an organization need to work together, and that this may be especially true of HR and IT.
But some experts say when it comes to breaches like those at the FDIC, the greatest responsibility lies with IT.

Yonatan Striem-Amit, cofounder and CTO at Cybereason, said the FDIC was fortunate that the incident involving the ex-employee who took 44,000 customer records, “was not intentional and was without malice.”

But he noted that since she had sufficient permissions to access the data, “anyone else could have as well if they simply impersonated her.”

And catching an intruder impersonating an actual employee is clearly an IT responsibility. “It is essential for companies to have control both at the data level and endpoint level and with it an improvement of policies overall,” Striem-Amit said.

There is also general agreement that better data governance – knowing what and where it is and properly classifying it – will help organizations keep track of it and protect it. And that is an IT function.

As Simberkoff put it, “do you need to put the same security protocols around protecting pictures from your company picnic as your customer’s critical infrastructure design or build information, credit card information, or your employees’ benefits information?”

But she also said she believes, “HR should play a critical role in ensuring that employees are not intentionally or inadvertently provided with too much access to data that they should not have.

“As a general rule, employees should be given the least amount of access/privilege possible to allow them to do their job,” she said.
“Unfortunately, overburdened IT administrators tend to work in the opposite way, giving users excessive access so that they (IT) do not sink under the burden of excessive and sometimes impossible workloads.”

The bottom line, Conrad said, is that each department can help the other – while IAM is nominally a function of IT, HR is more likely to know when an employee’s privileges or access should change. They need to be closely linked, he said, “to ensure privileges and access levels are in sync with the employee’s position and duties. Many times, once privileges are granted, they never go away. This definitely increases a company’s risk profile.”

Finally, there is broad agreement that employee training should be both a regular event and a cooperative effort. It can’t be, “a once a year training course, but rather it must be pervasive throughout the culture of your company,” Simberkoff said.

Conrad said good training should involve the marketing team as well as IT and HR, since the goal is to “sell” employees on good security practices.

“IT should partner with marketing to learn how to deliver a message that sticks and gets better results,” he said. “Most awareness training is of such low quality that it’s a wonder it works at all.”

Indeed, the best technology in the world can’t trump a careless or clueless employee. “If people aren’t trained, then bad things can happen,” Winkler said.
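Several of the experts above describe the same control from different angles: Hawthorn’s off-boarding checklist, Simberkoff’s least-privilege rule, and Conrad’s warning that privileges are granted and never go away because IAM (owned by IT) and the employee roster (owned by HR) are not kept in sync. The script below is an added illustration of what that reconciliation looks like in practice; it is not code from the article or from any of the vendors quoted. The roster, the entitlement list and the role-to-entitlement baseline are all constructed sample data, and the role names and entitlement names are hypothetical. Given an HR roster and an IAM export, it reports three kinds of finding: accounts still holding entitlements after the employee’s termination date (the off-boarding gap), entitlements outside the baseline for the employee’s current role (privilege creep after a transfer), and accounts with no matching HR record at all (orphaned access).

```python
"""Reconcile an HR roster against IAM entitlements (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Employee:
    """One HR roster record. status is 'active' or 'terminated'."""
    user_id: str
    status: str
    role: str
    termination_date: Optional[date] = None


# Hypothetical role baseline: the entitlements each role is allowed to hold.
# An organisation would maintain its own, ideally reviewed jointly by HR and IT.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "examiner": {"case-files-read", "email"},
    "hr-analyst": {"hris-read", "email"},
    "it-admin": {"ad-admin", "email"},
}


def reconcile(roster: List[Employee],
              entitlements: Dict[str, Set[str]],
              today: date) -> List[dict]:
    """Compare IAM entitlements against the HR roster and return findings.

    entitlements maps user_id -> set of entitlement names currently granted.
    """
    findings: List[dict] = []
    roster_by_id = {e.user_id: e for e in roster}

    for user_id, grants in entitlements.items():
        emp = roster_by_id.get(user_id)

        # Account exists in IAM but HR has no record of the person: orphaned access.
        if emp is None:
            findings.append({"kind": "orphaned-account", "user": user_id,
                             "entitlements": sorted(grants)})
            continue

        # HR says the person left, IAM still grants access: off-boarding gap.
        if emp.status == "terminated":
            days = (today - emp.termination_date).days if emp.termination_date else None
            findings.append({"kind": "active-after-termination", "user": user_id,
                             "entitlements": sorted(grants),
                             "days_since_termination": days})
            continue

        # Active employee holding more than the baseline for their current role:
        # typically privileges carried over from a previous position.
        excess = grants - ROLE_BASELINE.get(emp.role, set())
        if excess:
            findings.append({"kind": "excess-privilege", "user": user_id,
                             "role": emp.role, "entitlements": sorted(excess)})

    return findings


def run_sample() -> List[dict]:
    """Run the reconciliation over constructed sample data."""
    roster = [
        Employee("alice", "active", "examiner"),
        Employee("bob", "terminated", "examiner", date(2024, 1, 5)),
        Employee("carol", "active", "hr-analyst"),   # transferred from it-admin
    ]
    # Constructed IAM export: note carol kept 'ad-admin' after her transfer
    # and 'dave' has no HR record at all.
    entitlements = {
        "alice": {"case-files-read", "email"},
        "bob": {"case-files-read", "email"},
        "carol": {"hris-read", "email", "ad-admin"},
        "dave": {"email"},
    }
    return reconcile(roster, entitlements, today=date(2024, 1, 12))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The check is deliberately driven by the HR roster rather than by IAM alone: IAM cannot know that someone has left or changed roles unless HR tells it, which is the coordination gap the article describes. Run on a schedule, the “active-after-termination” findings are the ones to act on first, since they are exactly the window in which a departing employee (or someone impersonating that account) still has access.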