The Human Firewall: Why CHROs Need to Play a Larger Role in Cybersecurity Defense

Common wisdom holds that the responsibility for protecting an organization’s computer networks and sensitive data from cybercriminals falls almost exclusively to a chief information security officer (CISO) or chief technology officer (CTO)—executives who have such defenses as a central part of their job descriptions.

Yet cyberattacks are growing ever more sophisticated, and they’re more likely now to be directed at an organization’s employee base than at some weakness in its technology stack. As a result, experts say the CHRO’s role in cybersecurity needs to grow more pronounced and integral to fully protect the organization.

The arrival of deepfake technology and generative AI (GenAI) tools, coupled with the growing scale and severity of ransomware, phishing, and business email compromise attacks, requires a new level of awareness and education in the workforce that falls squarely under the purview of CHROs. Cybersecurity experts say that CHROs—working in closer concert with CISOs and CTOs—need an expanded role in crafting training initiatives, collaborating on policies, and building a security culture that constructs stronger “human firewalls” within organizations.

A People Problem

The great majority of cybersecurity problems (95%) can be traced back to human error, according to a 2022 World Economic Forum global risks study. And insider threats represent 43% of all data breaches. These cybercrimes are increasingly costly to businesses: An IBM study says the average cost of a data breach to organizations in 2023 was $4.45 million, up 15% over the past three years.

Consider these two recent ransomware attacks. They weren’t accomplished via shadowy dark-web hacking, but largely through “social engineering” strategies that prey on employee emotions or failures by unsuspecting workers:

• MGM Resorts was hit with a ransomware attack in September 2023 that cost the company an estimated $100 million in lost revenue. Hackers accessed MGM’s computer system by impersonating an MGM employee and calling the company’s IT help desk to convince workers there to reset a password.
• Change Healthcare, part of UnitedHealth Group, experienced an unprecedented ransomware attack early in 2024 when cybercriminals stole credentials that allow employees to remotely access company systems. The company eventually paid a ransom estimated at more than $20 million.

As technology has evolved, so too has the nature of today’s cyberattacks. For example, garden-variety cybercrimes such as phishing—where bad actors try to trick employees into clicking on malicious links so they can steal login credentials or other sensitive data—have spread far beyond email and now regularly involve such links being embedded in QR codes, social media content, or text messages. Plus, the arrival of GenAI has allowed cyberattackers to create more believable phishing scripts at greater speed and volume.

Business is trying hard to keep up. A 2024 global study from security company LogRhythm found that 95% of organizations have altered their cybersecurity strategies within the past year because of ever-changing cyberthreats and regulatory mandates. The study also found that the perception of cybersecurity has shifted from a purely technical issue to a more central element of business strategy and corporate governance—a change that requires more involvement from non-IT executives, including CHROs.

The Value of Strong CHRO-CISO Partnerships

Many CHROs have found that increasing the collaboration between themselves and IT executives allows them to build more knowledge of emerging threats into their HR training initiatives and workforce communication tied to security.

“An organization’s people are at the heart of cybersecurity,” says Katya Laviolette, chief people officer for 1Password, an information security firm in Montreal. “You can have all of the systems and technology protections in place that you want, but human error remains critical from a data security standpoint.”

Perry Carpenter, chief evangelist and strategy officer for cybersecurity company KnowBe4 in Clearwater, Fla., and co-author of The Security Culture Playbook (Wiley, 2022), says a strong relationship between a CHRO and CISO is increasingly important in today’s threat environment.

“There is a lot that can be broken in terms of cybersecurity when the relationship between a CHRO and CISO or CTO isn’t what it needs to be,” Carpenter says. “Conversely, there is a lot that can go right when that relationship is healthy.”

CHROs have four increasingly vital roles to play when it comes to cybersecurity, experts say:

• Modernizing and improving employee training to contend with evolving cyberthreats,
• Bolstering recruiting of cybersecurity professionals, where there is an ongoing labor shortage in many industries,
• Enhancing the organization’s security culture and policies, and
• Collaborating with legal and IT to communicate key details to the workforce when a cyberattack strikes a company.

Rethink Your Cybersecurity Training

Employee training is a key element of making organizations more immune to cyberattacks—and more resilient when one does occur.

More than half of employees (54%) admit to being lax about their company’s security policies, typically because of a desire to get things done faster, according to a 2024 study by 1Password. And a full one-third of employees in the survey admitted to using “shadow” tech tools on the job—unapproved apps or tools, including GenAI technology such as ChatGPT—a trend that poses daunting security challenges for cybersecurity teams.

While organizations have long used employee training as a means to mitigate risky security behaviors, cybersecurity experts say the strategies many companies employ today fall far short of best practices.

“CHROs are instrumental in cultivating a culture where security awareness is engrained in a workforce,” says LeeAnne Pelzer, director of the cyber risk management consulting team at Palo Alto Networks, a cybersecurity company in Santa Clara, Calif. “One of the biggest ways they can do that is by creating continuous education that is engaging, tied to real-world threats, and not just check-the-box in nature. That training also can’t be static, because security threats are constantly evolving and it’s important for employees to stay ahead of the curve.”

Pelzer says it’s important to think of employees as “human firewalls” capable of defeating things like even the most skilled social engineering attempts that hit MGM Resorts and many other organizations.

“But just as a technical firewall requires regular updates and configuration to guard against new cyber threats, employees also must be continuously educated and engaged to create a strong defense,” she says.

The way many organizations conduct cybersecurity training—as a once- or twice-yearly event meant primarily to meet compliance requirements—makes employees vulnerable to the evolving tactics of bad actors.

Research from KnowBe4 found that if a phishing email is sent to an “unprepared” or poorly trained workforce, about 35% of employees will click on it. But when the frequency and quality of that training improves—when one phishing simulation is conducted each month combined with a short, related training event—within three months, the number of employees clicking on the email drops to about 15%. Within a year, that number is typically down to 5%.

“Doing regular phishing and social engineering simulations for the workforce gives them a chance to build muscle memory and gut instinct that significantly drives down their propensity to fall for scams,” says Carpenter.

Employees also remain vulnerable to an old-school tactic making a comeback: the cold call or “vishing” attempt from a bad actor, the strategy used with success at MGM Resorts. In these scenarios, hackers masquerading as company executives or co-workers make a phone call to an lower-level employee, asking them to share sensitive information or to transfer funds.

“Most employees aren’t trained to defend against that, because most of the focus is on email, text or social media, not on the phone,” Carpenter says. “People don’t get a chance to ‘fire drill’ a sophisticated social engineering phone call and thus haven’t built up a strong defense.”

Rather than relying only on periodic training to change employee behavior, some organizations instead have begun to use real-time, AI-based coaching to help instantly flag risky worker actions. Tools embedded in technology systems automatically deliver feedback and coaching to employees via email, text, or chat at the moment of their risky behavior, providing tips on how to avoid such actions in the future.

Build a Security Culture and Revise Policies

There’s also room for CHROs to play an expanded role in establishing an organization’s security culture. One way is by helping to cultivate a culture of openness that ensures employees feel free to report problems or concerns.

“CHROs can work with CISOs and also CEOs to help cultivate safe spaces where employees feel comfortable speaking up and saying, ‘I think there’s something suspicious or a potential problem here,’ ” says Laviolette of 1Password.

Brandon Johnson, CIO for global organizational consulting firm Korn Ferry, believes CHROs have an integral role to play in building a security culture that encourages employees to “see something, say something” when they spot red flags in the workplace.

“You want your people to look for and report things like phishing or social engineering attempts,” he says. “You also want them to feel comfortable reporting what they see as processes or policies that make the company more vulnerable to cyberattacks.”

It’s also a “missed opportunity” when CHROs don’t collaborate with CISOs or CTOs to help write and communicate cybersecurity policies, Johnson says.

“For example, one of the things not typically well understood by employees are the various categories of unacceptable behavior around cybersecurity and consequences for not following policy,” he explains. “While you don’t want to punish workers for making honest mistakes like clicking once on a convincing phishing email, you do want to make sure there are clearly communicated policies that address negligence for repeated actions that deliberately flout cybersecurity policies.”

HR leaders can help ensure security policies are written in a way that is more understandable and meaningful for nontechnical employees, Johnson says: “A lot of cybersecurity policies are written too broadly, and it’s easy for employees to miss the parts that are relevant to them and what they should be doing.”

Recruit and Upskill Cybersecurity Staff

CHROs also have a growing role to play in recruiting and training cybersecurity staff, particularly given the ongoing shortages of those professionals. Currently, the global workforce is facing a shortage of almost 4 million cyber professionals, with 71% of organizations reporting unfilled cybersecurity positions, according to a 2024 study by the World Economic Forum.

Experts say CHROs and talent acquisition leaders can address this talent gap with strategies such as:

• Expanding labor pools to historically underrepresented groups,
• Targeting workers recently laid off from tech firms who may have skills transferrable to cybersecurity roles,
• Having HR managers work with hiring managers to create more attractive job descriptions and salary or benefit packages, and
• Training entry-level cybersecurity staff in more advanced skills, including AI and machine learning.

“HR executives should work closely with CISOs and CTOs to define not just the changing competencies required of cybersecurity professionals, but of all roles in an organization,” Pelzer of Palo Alto Networks says. “Recruiting efforts need to be more robust and creative to address the cybersecurity workforce skills gap, and those who are hired without the necessary skills need to be upskilled once on board.”

Combat Emerging Threats

While tactics like phishing remain the bread-and-butter approaches of many cybercriminals, new threats have emerged that bring greater urgency to employee awareness and training efforts spearheaded by CHROs and chief learning executives.

One growing tactic is the use of deepfakes, in which AI technology is used to mimic audio or video of other people with the goal of stealing sensitive data or getting workers to transfer large sums of money to hackers. One example of a successful deepfake occurred early in 2024 when a low-level finance worker at a multinational firm in Hong Kong was tricked into paying $25 million to cybercriminals during a deepfake videoconference.

The worker was persuaded to attend a Zoom call with what he thought were real co-workers, but who were actually deepfake re-creations. He agreed to transfer the $25 million because the deepfakes in attendance looked and sounded like colleagues he recognized.

“The deepfake scam could have been stopped if the worker had known to ask for some type of formal authorization process for the transfer,” Carpenter says. “The reality is the technical sophistication of AI keeps ratcheting up, and companies have to be prepared for deepfakes and other AI-driven cyberattacks.”

Carpenter says technology that’s now widely available and inexpensive enables anyone with access to as little as 30 seconds of quality audio of someone’s voice to create a convincing “audio clone” of the voice. “And with about two minutes of publicly available video, someone could create a very convincing deepfake video from it,” he says.

Employees have to be more cautious than ever today about what they’re clicking on or what phone calls they’re taking. Cybersecurity and HR pros also have their work cut out for them in this new threat environment.

“The world of cybercrime moves very quickly, and there are always new threats,” Laviolette says. “And the more employees introduce their personal devices and shadow IT into a technology ecosystem, the more gaps and cracks you will have.”   

Dave Zielinski is a business journalist based in Minneapolis and the lead technology writer for SHRM’s HR Quarterly.