Keep Security Staff out of HR Investigations
Unfortunately it is far too common for information security (IS) staff to become embroiled in human resources (HR) investigations. Ask anyone who has worked in security and they'll tell you about a time they were asked for a report of a certain user's browsing habits, for a forensic investigation of the hard drive of an employee who is being disciplined or fired, or to search an employee's e-mail. There are a variety of reasons that HR might make such requests of IS, but security leadership needs to do a better job of rebuffing them. Engaging in these activities is not only distracting, but also demoralizing and potentially damaging to an IS group.
For some, having IS perform HR investigations may seem like a routine part of IS operations. I think this is an unfortunate state of affairs and firmly believe that IS should have little, if any, involvement in HR investigations. This article lays out the reasons I believe having IS perform HR support functions is an extremely bad idea, in the hope that it will help organizations better articulate resistance to such integration. Having IS perform HR investigations is a deviation from the purpose of IS, requires training that IS staff are not given, and fails to deliver positive outcomes for IS in all but limited circumstances.
Misdirection of Purpose
Having IS perform HR investigations usually presents itself as a good idea mainly for expedience: IS have access to data of interest to HR. Although the essential purposes of IS and HR staff differ, information security staff use and have access to a number of tools and data sources that can be useful for tracking violations of HR policy, for example employees who might be looking at pornographic websites during work or who might send or receive e-mails containing regulated data. IS staff have access to network logs, server resources, and forensic techniques that can identify violations of policy (such as prohibitions on browsing habits or data handling), and are therefore often placed in a precarious position between HR and IS. One should be very wary of the jagged edge between these two disciplines, because it can cut quite deeply, and quickly, if not treated with extreme care.
IS responsibilities are traditionally driven by risk. Security risk guides resource allocation, training, and capability development in security. IS are typically tasked primarily with finding malware, stopping attackers, and proactively identifying vulnerabilities in the enterprise. Conversely, HR are focused on business-driven goals including maximizing workforce performance, reducing conflict, and enforcing policy.
The orthogonal purposes of HR and IS present the first problem for joint investigations. Information security staff are primarily tasked with risk reduction and mitigation. Using IS staff for investigations diverts resources from these responsibilities. Thus, every investigation should be measured against the benchmark of a missed opportunity to perform risk reduction or threat identification. IS staff are focused on adding value to the organization while reducing risk, a goal that is in no way accomplished through involvement in HR investigations.
If Synergies Exist
The practice of information security typically bifurcates into two broad groups of practitioners. The first are driven by adding value to an organization through service offerings. That is to say, this group seeks to further business goals in the safest manner possible, enabling users to accomplish their tasks with the greatest degree of security and minimal impact on experience and productivity.
The second large group of information security practitioners are enforcers. This group is focused on maintaining order through controls. This approach is typified by practitioners who outline rules and seek to identify and punish users who deviate from them. It is fundamentally adversarial and positions information security as a cost center that might reduce compliance liability but which engenders negative feelings in user communities and typically impedes business processes and projects.
While a synergy between HR investigations and the second approach to security might be successful, involving a staff focused on service in an enforcement operation degrades their achievements and can be demoralizing and destructive to a team. Great care should be taken when diverting IS staff focused on service towards an enforcement responsibility, and even more so one that falls outside of the boundaries of IS responsibility such as investigating or enforcing HR policy.
A significant training gap also exists between HR and IS. Although IS staff might have access to data that supports an HR investigation or action, IS staff are in no way, shape, or form trained in HR matters or outcomes. HR staff are explicitly trained to deal with employee behavior, including problematic employee behavior. IS staff do not receive such training, and there is a grave potential that exposure to such behavior could negatively affect workplace interactions with the subjects of investigations.
Additionally, IS staff lack the training needed to accurately identify violations of HR policy. The evaluation of data that IS might have access to should be left exclusively to HR staff. If IS conducts investigations, they might not understand the policy implications and could collect biased, incomplete, or irrelevant information, which could affect outcomes in unexpected and unintended ways.
Similarly, it is not uncommon in such investigations for IS staff to be exposed to sensitive, private, or potentially illegal material. IS staff have no training in recognizing such material or in respecting the legal, regulatory, or customary requirements around it. Nor are IS staff trained to deal with the potentially negative psychological impact of exposure to such material, which can include offensive, deviant, or simply inappropriate content.
The third problem is that the outcomes of IS involvement in HR investigations are never positive for IS staff. Performing such investigations degrades trust between IS staff and their customers, which is essential for identifying and containing threats to the enterprise. In such cases IS take on the adversarial role of enforcers and reduce customers' willingness to approach or initiate communications with IS staff.
Such investigations can also have potentially career- or life-changing consequences for the subject, and IS staff are not empowered to understand the full lifecycle of such investigations or to measure the impact of particular evidence effectively. IS might collect data but never understand what it is being used for, or the gravity or relevance of the various data they collect.
Finally, such investigations grant IS knowledge about co-workers that could affect interpersonal interactions or engender hostility to or from IS staff. Examining e-mail, browsing habits, or forensic data often reveals very personal details about subjects. There is no positive value in terms of security or risk reduction in having this insight, but there is a very real possibility of harm.
Some might argue that having IS staff perform investigations is expedient, especially in time-sensitive cases, or cost-effective given the price of outsourcing. There is also an argument that IS staff have the capability, so it is a waste not to use it. These arguments should be weighed against the facts that IS don't have the training or focus to effectively support such investigations and that, in the zero sum of resource allocation, using IS staff in this way exposes the organization to risk. There is also an immeasurable psychological cost to some portion of such investigations, and before involving IS staff careful consideration should be given to the injury that could be caused to them.
If an organization requires that IS staff support HR investigations, it should carefully define such involvement and firewall IS appropriately. The three guiding principles below outline ways in which IS can support HR goals with minimal harm:
- At most, IS should produce automated, anonymized reports for HR to review and respond to requests for further information, but should, wherever possible, remain unaware of the subjects of investigations and of the content of materials collected for an investigation.
- IS should never access or evaluate employee data in order to make a policy violation determination. This responsibility should rest with HR and can be supported with raw material provided by IS, but, as stated previously, IS lacks the focus and training to make such evaluations.
- In sensitive cases, if expert IS support that cannot be provided by HR is required, such as a forensic investigation, the work should be outsourced. This insulates IS staff from exposure to sensitive material and from potential violations of co-worker privacy. If an investigation requires this sort of careful consideration, then it deserves the capital investment required to outsource it.
It is vital to insulate IS staff from HR investigations, both to preserve the integrity of their service and risk reduction mission and to protect IS staff from potentially negative exposure to material in an investigation. In a worst case, a member of IS staff might be so affected by an investigation that they resign. Careful consideration should be given to such an outcome when weighing the expedience or cost savings of performing an internal investigation using IS staff.