Canadian HR Reporter is the national journal of human resource management. It features the latest workplace news, HR best practices, employment law commentary and tools and tips for employers to get the most out of their workforce.
Issue link: https://digital.hrreporter.com/i/1017611
Canadian HR Reporter, September 2018, News, page 20

"By asking the right questions, a board can certainly help to properly assess the level of risk, they can relativize corporate priorities, they can greatly influence the level and direction of investment. And, from my own experience on boards, they can certainly trigger a whole chain of activity needed to strengthen an organization's cybersecurity posture," said Kosseim.

But before board members can ask those questions, they should know exactly what they are talking about, according to a consultant who educates boards of directors.
"The first thing they should do is actually get educated because if they're not educated about what it means, they will be asking questions that will be counterproductive to the organization's ability to deliver results," said Nadya Bartol, associate director at BCG Platinion North America in Washington.

"Something we find very effective is an educational simulation or tabletop exercise, where we put a board through a series of situations where they role play and discuss any security challenges that come at them, or put them into situations as a board member," she said. "And it achieves dynamic learning, instead of just saying, 'Here's a PowerPoint presentation.'"

The risk to companies from cyber incidents can be so profound that board members should proactively educate themselves in "understanding the level of risk, because they also have to actively inquire into the mitigation strategy and measures that the organization has in place to be able to assess the residual risk that the organization faces," said Kosseim.

"It's one thing to understand the external risks, but with the right mitigation strategies in place, the level of residual risk is really what is operative in terms of decision-making at the board level," she said. "The first part of the board's responsibility is to insist on being properly educated about the business and having access to the information it needs to discharge its oversight responsibility."

As well, providing the leadership to help companies move on after a serious incident is one of the most crucial roles for a board, said Kosseim. "And, most importantly of all, the board can drive organizational culture towards greater awareness and protection."

Who's responsible?

What is clear, according to Bryson, is that no single department in the organization is responsible for fostering cyber resilience.

"The big difference really tends to be in ownership and responsibility," she said.
"Whereas cybersecurity can be owned by one department, or we tend to see a very delineated centre responsibility, cyber resilience really stretches across the whole organization and brings together key functions to ensure business continuity."

"That's more than just IT or your security department writ large," said Bryson. "Wherever an organization kind of slots into cybersecurity, it's a much bigger role."

Companies would do well to spread out the responsibility in an effort to boost cyber resilience, said Kosseim.

"A typical and flawed assumption is that it rests entirely on the shoulders of the chief information security officer (CISO)," she said. "But, in fact, a healthy governance structure will promote a shared responsibility between the CISO… and the chief privacy officer. And in some organizations that have really put some thought into this, both those senior positions may co-chair a cross-functional team that draws on communication, on finance, on audit, and particularly on HR."

"More and more is the recognition that a healthy governance process for dealing and addressing a cybersecurity threat is one that positions itself horizontally across the organization but is headed up by both the privacy and security heads."

And by properly discharging the traditional role of governance, boards can facilitate a better method of sharing information throughout the organization, said Kosseim.

"Another is to ensure that there's the appropriate governance process in place in the organization to elevate regular reporting on cybersecurity to the board. That can be either directly to the full board or, more typically, it could be to one of its standing committees," she said. "Its audit committee, for instance, is particularly well-suited to receive reports from management on cybersecurity."

"A board should probably be asking senior management about where cybersecurity responsibilities sit within the organization."
Role of HR

Rolling out the organization's overall cyber strategy is a key component for HR, particularly in influencing behaviour and ensuring a strong and positive work culture, according to Bhardwaj.

"For effective management on security-related issues, all employees need to understand this to be a priority," he said. "No one wants to believe that security was breached based on an action that he or she unknowingly performed. Understanding this potential risk at the individual level is a behavioural change that is within the purview of the HR department."

"By being a part of the management process, HR then becomes a strategic partner for the IT/CISO teams in relation to cybersecurity and the organization," said Bhardwaj.

Post-incident, HR holds "a lot of policies around return to work; they'll hold a lot of information about how to contact employees in case of emergency. They would be an important part of that kind of crisis playbook," according to Bryson.

"By spreading information, spreading awareness, training, ongoing training, cybersecurity, all kinds of different training against insider threats, against phishing, against whatever kind of issues facing your organization, HR should be an important part of ensuring that that is rolled into professional development and learning plans," she said. "As members of that crisis playbook, they'd be invaluable in terms of communication, in terms of normalcy, in terms of training people to work."

Many companies are still not putting in place "seemingly basic cyber-related HR policies, such as ongoing security awareness training, identification of at-risk employees and internal communications after a security incident," according to the Willis Towers Watson/EIU report.

Only 44 per cent of organizations reported they participated in ongoing security awareness training or were able to identify talent deficits in their IT departments.
Once management of the risks has been put in place, a best practice is for companies to undertake exercises that best illustrate weak points in the overall strategy, said Bryson.

"This risk tolerance and mapping exercise is step one, and that has to be undertaken by the board," she said.

"Then, really, (it's about) putting the finances and the resources behind a project like this."

Proactive education encouraged for directors (BOARDS, continued from page 7)

Combating cyber risks

Policies employed by global employers:
• ongoing security awareness training (44 per cent)
• identification of talent/skills deficits in IT/cyber (44 per cent)
• post-breach workforce planning (37 per cent)
• post-breach change management (32 per cent)
• behavioural awards or incentives (30 per cent).
Source: Economist Intelligence Unit