Podcast: What HR Should Know About Cybersecurity

Transcript

Mark:

Welcome to PeopleTech, the podcast of the HCM Technology Report. I’m Mark Feffer. My guest today is Dave Martin. He’s the Global Chief Security Officer at ADP. We’re going to talk about the security issues companies are concerned about, how HR should stay on top of security, and of course about the data in security efforts. We’ll cover all that and more on this edition of PeopleTech.

Hey Dave, it’s good to see you. So what’s the state of cybersecurity right now in HR? I mean, vendors take it seriously, but do HR departments?

Dave Martin:

So, I believe we definitely get a lot of conversations from our clients that are kind of asking the right questions, partly driven by privacy and then also more directly in the cybersecurity space. And then more recently, perhaps over the last year or so, bringing more resiliency conversations into that question. I think after we’ve seen the pandemic and we’ve seen the rise, or increase, in ransomware-type attacks, and resiliency’s very top of mind for HR.

Mark:

Is there a particular threat that would impact HR that nobody’s really talking about that they should be?

Dave Martin:

No, I think we’re covering it from the full spectrum of cyber attacks. We’re a converged security organization that covers the physical security space for ADP, fraud for ADP, and also cyber. So we see that full spectrum of conversation around the safety angles, the potential opportunities for fraud, and then obviously more directly cyber-related attacks. And then as I mentioned, that resiliency component that is also really important to process and service availability, often in the wake of cyber attacks.

Mark:

So how should HR stay on top of security concerns? I mean, that really means how educated do they have to be, I suppose, but they don’t have IT’s expertise, obviously. How deep do they need to wade in to manage things effectively?

Dave Martin:

So I think if they have it internally, obviously connecting with their internal technology and hopefully security organizations and making sure they’re aware of the services that are being provided, data that’s being transferred back and forth, how that’s happening. So partly reaching back inside their own organization, engaging with companies like ADP. We have a lot of information around what we consider the trust of our services and how we deliver those services. So we make general things available. We try in each of the conferences, online sessions that we hold at ADP, making sure that security and privacy have a voice there. So we’re out there on what may be considered HR education sessions, delivering topics in terms of business resiliency, privacy, and security. So we like to do our part in making sure that our clients and prospects are educated.

Mark:

Now, I’d like to shift gears a little bit. One of the things that you hear a lot about nowadays is the demand for security professionals, that there’s such a need for them. From your point of view, how’s the pipeline of security professionals? Are there enough coming through, people graduating from school and getting into this and sort of working their way up?

Dave Martin:

Yeah, it’s always been an issue in availability of talent over the last 20 years, as this kind of very nascent space continues to evolve. It continues to get larger in its importance, its necessity, and then also what it takes to keep a business safe and the data confidential and their services available. So the challenge for getting the right people with the right skills continues, and I think that’s also true. A large team would only happen at the largest of companies and that the number of security people in even medium and small companies is continuing to increase as the demand for professionals is there. I think the availability of talent is way better. They’re kind of starting from even down in high school, security is now increasingly part of the conversation, if not the curriculum. There are many degrees that are specific to cyber now that didn’t exist even 10 years ago.

And then also a lot of the technology and even business degrees either have, or provide for minors in security, or are definitely included in units as part of the curriculum. And this is great, right? Security is not something that small teams and companies should be doing. It really is a team sport. That it really does take a village to have conversations around, not just the technology side, very much like what are the business requirements? How do we have evolved conversations in business terms around risk? We’re used to talking about risk perhaps in businesses from a project execution, financial aspects, but how do we expand that conversation to include the investments that we might need to make in the security and privacy space?

Mark:

So. [inaudible]. I’m sorry.

Dave Martin:

So, just to make sure I answer your question, the available talent is there, but we’re also seeing the ability for security organizations to draw in talent from other areas, both emerging right out of school, and then also people that are further on in their career and make sure that there’s access to bringing them into the organization and being able to train the pieces of security they don’t have, but also leverage that important experience that they’ve already got.

Mark:

Well, that actually leads neatly into my next question, which is, there’s such talk about upskilling and internal mobility right now. Basically getting people within the existing team to move to another area and training them as necessary. Does that work in cyber security? Are you able to bring in people from other parts of the organization?

Dave Martin:

Yeah, very definitely and definitely, it’s a strategy that we pursue. So the most obvious internal hunting ground is in the technology, our product and our IT areas, but that’s only part of the promise, especially as we have this converged security organization, we need so many different skill sets and backgrounds. So we’ll also look to other areas of the business, because they have that innate understanding of what we need to do and what needs to be there to provide for customers. They also come with different types of degrees, different kinds of prior company and industry experience. And having that very diverse background really helps us in thinking more broadly. If we just have a single set of background, single set of skill sets, often skewed to technology, that means we’ll always reach to that same muscle that we know very well to try and solve problems.

Technology’s not always the solution. Sometimes we can make changes to process. Sometimes just having an effective communication with the business can change how they’re delivering a solution and actually remove the need for a technology solution, which often can be quite clumsy and have other impacts. When I’m looking out to bring people in from the outside or elsewhere within ADP, that don’t have five years, three years, 10 years of security experience, we’re looking for what I would consider a sense of mission, that passion to really understand knowledge and curiosity, be self-learning, they’ll challenge data, and really have that passion.

I really want to understand and get to the true root cause. What caused this thing? Not just assume, “Oh, maybe that thing’s always been that way.” No, we really want to understand what’s different in detail, but then leverage the diverse set of business knowledge they may have. They may have skills in process, data and analytics, people skills, education and influence. All of these can come together. We can give them more context and teach them additional specific elements around security, both with on the job training that we have, some training modules we’ve developed. And then also there’s a lot of great information on the market as well.

Mark:

So why are people skills so important in something like security?

Dave Martin:

So, sometimes you can look at our role as influence and behavior modification. We’re trying to appeal to people to do what we see as the right thing, make sure they understand how to do that right thing and appeal to them in terms of, if I come back specific to ADP, we have this kind of integrity is everything at our core, want and willingness to support and go the extra mile to support our clients. How do I appeal to those? Having people with those people skills that really understand how to explain why we’re asking them to do perhaps a specific extra step, in those terms that they live and breathe every day. That makes it more likely that they’re not going to see it as an extra tax and extra step that is slowing them down and supporting their client, but they’re now doing it for purpose. They realize they’re keeping their client safe or their client’s data safe.

Mark:

So, if you look ahead, let’s say five or 10 years, what trends are you seeing right now that people in cybersecurity or possibly looking to get into the field. What are the things that they should be aware of and preparing for?

Dave Martin:

So I think more of the same, which is the really simple answer, but it’s the amount of data that we’re processing and need to analyze is going to increase. So really understanding data skills, data analysis skills, more and more of what we do has to be embedded in workflows, whether that be business process or in technology. So even things like basic automation skills, you don’t have to be a full stack developer, but really understanding how to set some business requirements, to be able to pass to a development community and basic automation skills.

Regulatory requirements are going to continue to evolve, perhaps exponentially and at the same time technology and business needs. So that one thing I come back to that, the thirst for knowledge, I can promise anyone that enters this field every day’s going to be different. Tomorrow, next quarter, next year, five years, 10 years, this is going to continue to evolve and being very agile, very free thinking about what we need to do and being willing to do some research, being willing to go, engage with other people outside of the field to think about different ways that we solve this really challenging problem.

Mark:

Now, let me ask the same question, but in the context of HR. Are people in HR, or talent acquisition, are there certain things they should be thinking about for that sort of longer term? Things that they should be on the lookout for, concerned about?

Dave Martin:

I think it’s really staying informed. This changes so fast. You may think, “Oh, I took that one hour class two years ago.” This really, really changes radically, whether as I say the risk and understanding about how we affect changing risk. The business environment, the privacy pressures that are on, and also just the sense of the possible. What should they be asking their providers? So, it’s definitely something that you can’t do every other year. You want to try and find some continuing education resource that kind of plugs you into this area of the HR field, at least on an annual basis. So you’re prepared to ask the right questions and in some cases, understand the responses.

Mark:

Looking at security people again, as opposed to HR, what particular areas of knowledge and skills do you think people are going to need in cybersecurity in the future?

Dave Martin:

I’ve talked about that requirement to understand and be able to communicate with the business. I think that that may be optional in some parts of the field right now, but it’s going to become absolutely critical across it. Particularly as you rise in leadership roles, that ability to understand the business, communicate very technical things in business speak. And in a simple risk understanding is definitely going to be critical. The evolution of technology with so many different fields, like the field of cryptography, which is grounded in mathematics, that’s evolving very rapidly now. And as we think about quantum computing and how that’s going to change that field, every aspect of what we do is continuously evolving, but some are going to have to see very radical shifts. So maintaining a broad set, if you’re a risk practitioner, technology expert, you can’t just chase your own domain and how that’s evolving. You’ve got to look to the other areas of such a broad profession.

Mark:

And the last question is, again, thinking about people that would come into security from another area, do you think people who have the core of their experience outside of cybersecurity are more successful than people who mainly stick with the same career track? Or do you think it varies, or do you think you really need to be a security specialist from the get go?

Dave Martin:

You certainly don’t need to be a security specialist from the get go in any of the domains. In the most, very technical areas it certainly helps to have technical aptitude, but I think to your other point of creating that kind of more broad visibility instead of just staying very narrow and in a silo channel, you’ll always be a better practitioner. You’ll always be able to see different solutions to a problem with the broader exposure that you have. That may mean different, the physical security domain, the fraud security domain, and other areas. It also can take you out into the business, into consulting roles. Anytime when we talk about that diverse experience, the more diverse your experience and the more diverse experience that the team has, will make them overall a better team and better individual practitioners.

Mark:

Dave, thanks very much for taking the time today.

Dave Martin:

Absolutely. I really enjoyed the conversation.

Mark:

My guest today has been Dave Martin, Global Chief Security Officer for ADP. And this has been PeopleTech, the podcast of the HCM Technology Report. We’re a publication of Recruiting Daily. We’re also a part of Evergreen Podcasts. To see all of their programs, visit www.evergreenpodcast.com. And to keep up with HR technology, visit the HCM Technology Report every day. We’re the most trusted source of news in the HR tech industry. Find us at www.hcmtechnologyreport.com. I’m Mark Feffer.
