Grace, the head of human relations, is in CEO Tom’s office for the last time before Tom is to present to the board. Tom said, “Well, Grace, I’ve heard nearly everyone mention something that also seemed to involve your HR function. Can you just spell out the basic capabilities for human resources security that you are responsible for in HR?”

If people are said to be the weakest links in any security system, then the HR function and its processes have a role to play. As the needs of organizations and their HR functions of varying size and maturity may differ, let us summarize in this chapter recommended capabilities expected of lower-, mid-, and higher-maturity HR functions. For more detail on what constitutes the HR function’s process maturity, refer to the SEI capability maturity model approach.¹

Needs of Lower-Maturity HR Functions

Some HR functions are small or at lower-levels of HR process capability maturity. Here, managers take basic and possibly some managed levels of responsibility for managing and developing their people within the cybersecurity and enterprise functions. No matter how small or immature, there is no excuse for not communicating to staff minimum protocols or a standard for HR cybersecurity.