One good employee can make or break a system. Zero trust is being adopted by most enterprise organizations; even the US DOD is on track to implement its zero trust cybersecurity framework by the end of fiscal year 2027. There is, however, a flaw in how zero trust is usually applied: it is scoped around the critical product and technical systems and environments, and little else.
Systems related to employee collaboration, human resource management, client communication and invoicing are frequently overlooked by small and medium-sized companies, both internally by process owners and technical teams and externally by assessors, whatever framework or interpretation of system risk they are applying. It is my opinion that, in the modern day, it is inexcusable to overlook the impact of the human element of your company. We live in a world where social engineering attacks such as the wild Lapsus$ hacks are becoming more common, and where we check the news every day for the latest military secrets leaked for clout on social media.
I’ve worked with and around highly certified security personnel and Big 4 security compliance veterans, and it is often the controls around the management of these systems that get overlooked. They are not seen as an important part of security, which allows them to be managed inefficiently. People purposely pick frameworks or standards that keep these parts of their companies from being evaluated. It’s typically seen as “HR stuff” and “low-risk data,” and therefore is often managed by personnel at a ratio of one process owner to fifty employees, who are handed new tools without ever being truly trained on how to manage them.
I believe that the lack of security, bloat and inefficiency plaguing these systems can be resolved, at least in part, by a change in perspective and terminology. During many engagements, I observed that organizations that viewed job duties related to personnel management, communication, operations and retention as People Operations (PeopleOps), and not just “HR,” were commonly easier to work with and had stronger core systems. They had defined boundaries and duties, centralized control of the flow of information within their companies, and strong procedures and workflows. I believe avoiding the black-box term “Human Resources” allows a better, more holistic view of these roles and their duties. Dissecting and quantifying those duties lets organizations see the risk and value of these controls, as well as the value lost by overworking operations personnel because their job “is just HR” or by accepting non-functioning processes because “that’s just how HR works.”
Better segregation of duties, as well as better allocation of duties, allows systems to be proactive. Instead of permitting your Salesforce and shared drive to become some non-Euclidean mess that allows anyone with access to exfiltrate customer data or proprietary information, you can have PeopleOps and IT perform a joint review of the access rights and information architecture of your collaborative tools. This ensures that the new sales associate can’t download or view your build documentation to try to close a deal – or worse, lose it at an after-work happy hour while networking.
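The joint review described above can be made repeatable by joining PeopleOps’ roster (who holds which role) with IT’s sharing export (who can see what) against an agreed policy of which data classifications each role actually needs. The following is an added illustration, not code from the original post: the role policy, roster, share entries, classifications and the `anyone_with_link` grantee name are all constructed for the example, and a real run would replace them with exports from the HRIS and the collaboration tool.

```python
"""Least-privilege access review over a collaboration-tool sharing export.

Added example, not part of the original post. All data below is constructed:
ROLE_POLICY, ROSTER and SHARES stand in for an agreed PeopleOps/IT policy, an
HRIS roster export and a shared-drive sharing export respectively.
"""

# Assumed policy agreed between PeopleOps and IT: the data classifications
# each role needs to do its job. Anything outside this set is a finding.
ROLE_POLICY = {
    "sales": {"public", "customer"},
    "engineering": {"public", "engineering"},
    "people_ops": {"public", "personnel"},
    "finance": {"public", "customer", "finance"},
}

# Constructed roster export: user -> role. Offboarded people are absent,
# so a share held by someone not on the roster is stale by definition.
ROSTER = {
    "alice": "sales",
    "bob": "engineering",
    "carol": "people_ops",
}

# Constructed sharing export: (grantee, resource, classification of the resource).
# "anyone_with_link" is the hypothetical grantee name the tool uses for link-sharing.
SHARES = [
    ("alice", "Q3 pipeline.xlsx", "customer"),
    ("alice", "build-docs/release-runbook.md", "engineering"),  # sales has no need
    ("bob", "build-docs/release-runbook.md", "engineering"),
    ("carol", "benefits-enrollment.csv", "personnel"),
    ("dave", "Q3 pipeline.xlsx", "customer"),                   # not on roster
    ("anyone_with_link", "benefits-enrollment.csv", "personnel"),
]

LINK_GRANTEE = "anyone_with_link"  # assumed sentinel for link-sharing grants


def review_access(roster, shares, policy=ROLE_POLICY):
    """Return a list of (grantee, resource, reason) findings.

    Three classes of finding are produced:
      - link-sharing of anything that is not public data,
      - grants held by someone not on the PeopleOps roster (stale/offboarded),
      - grants whose classification the grantee's role has no need for.
    """
    findings = []
    for grantee, resource, classification in shares:
        if grantee == LINK_GRANTEE:
            if classification != "public":
                findings.append((grantee, resource,
                                 "link-sharing exposes non-public data"))
            continue

        role = roster.get(grantee)
        if role is None:
            findings.append((grantee, resource,
                             "grantee not on roster (offboarded or external)"))
            continue

        if classification not in policy.get(role, set()):
            findings.append((grantee, resource,
                             f"role '{role}' has no need for '{classification}' data"))
    return findings


def findings_by_resource(findings):
    """Group findings by resource so the data owner gets one consolidated list."""
    grouped = {}
    for grantee, resource, reason in findings:
        grouped.setdefault(resource, []).append((grantee, reason))
    return grouped


if __name__ == "__main__":
    for resource, items in findings_by_resource(review_access(ROSTER, SHARES)).items():
        print(resource)
        for grantee, reason in items:
            print(f"  {grantee}: {reason}")
```

The check is deliberately role-based rather than per-person: if the sales associate in the example is later moved to engineering, the roster change alone clears the finding, and nobody has to remember to re-share the runbook. The stale-grant and link-sharing checks are the two that most often surface in practice once HRIS and drive exports are actually put side by side.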
HR and operations personnel need a bigger seat at the table when discussing security and their impact for all the reasons stated above in addition to thousands of other amusing edge cases. If anything I have said strikes a chord, I highly recommend reading about PeopleOps as well as trying to map out and evaluate all that your HR team members do. For the people who know where we all live and make sure our insurance premiums aren’t too high, a change in perspective is the least we can do.