4 Ways Security Teams Can Holistically Mitigate Risks by Partnering with Human Resources and Legal
Tearing down departmental walls is essential for security teams, especially those tasked with responding to threats of violence or significant security events. Information-sharing silos within organizations hinder fast and effective responses. In extreme cases, poor communication can increase risks to a company’s employees and assets.
Business leaders recognize the value of cross-functional teams in their approach to risk mitigation. A team-based approach overcomes the blind spots that arise when expertise and experience narrow a group’s focus. As a result, innovative companies proactively mitigate threats and dismantle silos by focusing on building relationships of trust across legal, HR, and security.
Establishing connections outside of traditional security organizations is key to risk mitigation, effective security intelligence gathering, and providing support to the company. Ontic’s Executive Director of the Center for Protective Intelligence, Fred Burton, sat down with a few industry experts to discuss modern methods for eliminating silos and empowering risk management efforts.
Finding Strategic Partners Before Crisis Strikes
The earlier security partners reach across the aisle to human resources and legal counterparts, the better. Frequently, decision-makers in legal and HR departments view security teams as a support function to carry out plans after they’re decided.
To overcome the collaboration gap, Melissa Muir, Director of Human Resources and Organizational Development for Shoreline, WA, suggested that security teams partner earlier with HR counterparts in more areas before problems occur.
“There will be fewer disgruntled former employees to worry about if we don’t hire them in the first place,” she stated. In addition, giving advice related to security concerns in the hiring, onboarding, and engagement process will lower overall risks and make sharing more likely.
Security teams add value when they educate people across the organization about indicators, potential security concerns, threats of violence, and other risks. Melissa shared that she often tells people, “Don’t talk to me about how to say goodbye to someone; talk to me about how to say hello.” Many corporate security programs have the resources and relative experience to find red flags and inform hiring teams before making formal offers to candidates that could otherwise turn into contentious relationships.
Creating a Large Tent for Effective Risk Mitigation
Rather than being viewed as a company resource, proactive security leaders must establish themselves as strategic partners, willing to work with their counterparts before, during, and after security issues like sensitive terminations arise.
John Robert, Dow’s Director of Intelligence and Protection, said, “You can’t really address these types of threats holistically if you’re not engaging with those other strategic partners. So my first action would be to reach out to the HR partner, reach out to site security, and obviously legal, and all of those team members that would be partners in a holistic threat management program.”
He explained the importance of beginning outreach efforts before something terrible happens and panicked calls go out to legal or human resources counterparts. Build those relationships early to ensure that bringing in strategic partners is an expected and welcome risk mitigation response.
Overcoming Concerns on Data Privacy and Information Sharing
Collaboration usually involves some form of information sharing. A focal point of meetings, working groups, etc., is to share insights, updates, and other relevant information. With regard to risk mitigation, sharing can mean the difference between safety and, in severe cases, harm to employees.
Understandably, there are concerns around sharing, particularly related to employee data. HR professionals are rightfully reluctant to share freely because they bear the responsibility if data is lost or abused. As a result, security managers seeking answers are often turned away.
According to John Robert, “Communication can break down around fundamental questions related to accessing employee data and what security will do with that information or how you’re going to store it. Treating HR concerns as legitimate is a crucial first step to building trust.”
Sometimes, the approach makes a difference. For example, Melissa Muir says, “Good relationships with security, especially related to employee data, start with sharing, not with asking.” Why do security teams need the data? What will they do with it? How will they store it?
When security counterparts bring what they have to the table, whether concerned over a threat of violence or insider threats, HR partners are more willing to share because they understand the risks involved.
Jeff Nolan, Partner at the law firm Holland & Knight, stated, “If we spent a quarter of the time focusing on exceptions to the laws that allow us to share information to keep people safer that we do enforcing the privacy side of it, we’d be a much safer world. It can be done. It just takes effort.”
He went on to say, “Courts have been very generous to employers and higher education institutions who had to say there is a direct threat exception under the law.” Successful corporate security programs learn the regulations around employee data privacy and applicable exceptions, which allows them to navigate with certainty in turbulent times.
Understanding Security’s Role in Risk Mitigation
Finally, teams work together best when roles are clear, stakeholders are defined, and everyone knows the desired outcome. Companies and other organizations vary in how decisions on firings, incident management, business continuity, and other processes are managed.
When mitigating risk, experts warn that sometimes compliance gets in the way of common sense. For example, when discussing making risk management decisions, Jeff Nolan says, “I would want security to be engaged while the decision is being made and after the decision is being made. We’re focused on safety rather than policy compliance.”
John Robert went on to share his current focuses in his role:
1. Observe indicators – Watching for known and unknown security issues.
2. Establish risk mitigation plans around those indicators – Carry out the security mandate outlined by the company and risk management team.
3. Support and inform risk management – Make things easy for the decision makers.
According to John, security is a supporting element to risk management decisions. In addition, understanding roles in the mitigation process lowers risks to the company and best serves vital stakeholders, whether it’s the company, shareholders, employees, or customers.