Security professionals are regularly told that security should align to the business need. In most cases security professionals take alignment to mean meeting other business units halfway or compromising on an issue. Another way to align to business need is to solve a non-security-related problem for another department in a way that also has a beneficial outcome for security.
Cross-training and personnel rotations can enhance your security program in addition to helping you meet some of the guidelines in ISO 27001/27002. Support for personnel rotations for the sake of security is normally a difficult thing to win from management. What if it were possible to show that there is some business value to personnel rotations?
A recent WSJ article on big data reveals some interesting points about workers in certain industries that we should consider.
The bank gathered data on turnover, promotions, job changes and external pay to create a statistical model predicting why workers quit. Though the bank had used frequent pay raises to keep staff, the results showed that raising pay across the board by 10% might only shave a half point off the turnover rate.
Workers felt dissatisfied, not underpaid. More rapid job changes, even without promotions or corresponding rises in pay, made it much more likely that high-performing employees would stay, Mr. Nalbantian says.
Rather than sell personnel rotations to executives as a security benefit, we should partner with Human Resources to create a personnel rotation program that is designed to reduce turnover (thereby reducing the risk of disgruntled employees, or risks from hiring new employees) and increase job satisfaction. If HR gets executive support, then it benefits security. It is also an opportunity to work closely with HR in designing the program. Any opportunity to take a break from APT, Cloud, DLP, and other BS Bingo phrases to establish better relationships with the business leadership could be a welcome change.
Personnel rotations by themselves have the benefit of potentially surfacing fraud or wrongdoing if proper observation and inspection are part of the program. An added benefit of personnel rotations is that the staff is now cross-trained. That puts certain chapters of the business continuity plan ahead, such as the pandemic readiness portion. The complication of cross-training personnel to be ready for the pandemic has already been taken care of.
These are some benefits of working with another part of the organization to help them help us. HR can be a powerful ally in leading change. Giving them encouragement and support can lead to positive security changes and recognition for the security team that goes out of its way to help another department look good.