Security starts with human resources
by Contributed - Story: 35086 - Nov 9, 2007 / 11:00 am
Your business could easily spend ten million dollars on computer security technology and still not be as secure as if you had only spent ten thousand. How can this be? I’ve always maintained that security is not solved with technology. It starts with people, and when it comes to your company’s people, the human resources department is where it happens.
Let’s go through a scenario to illustrate the point: Say your organization has just spent the majority of its IT budget on the best firewalls, routers, antivirus, antispam, and even intrusion detection systems. Your IT department is staffed with some of the best personnel money could buy, and they’re completely up to date on security issues. Yet, employee productivity is on the decline, and worse, your strongest competitor has somehow been able to get their hands on your top-secret future product offering. Some of your best customers refuse to do business with you because their personal data was compromised in a well-publicized security breach. Despite your network infrastructure being the best in the industry, the network is performing poorly and slowdowns have become a daily occurrence. Management is stumped, morale is low, and profits have declined. How can this be?
The reason is simple. The importance of information security has been wrongly placed in the hands of the IT department. Corporate management, along with the human resources department, is unaware of the importance of security, and because of this, employees do not know how to properly use computer resources. There are no specific policies regarding acceptable use, so a disgruntled employee emailed copies of that new product prototype to a friend who works for the competition. As there is no policy against it, a majority of your staff is using Facebook on company time. The network is slow because several security-unaware staff members opened a link in an email that stealthily installed a malicious program on your network, which placed your clients’ data at risk. The email was able to easily penetrate the firewalls and other security measures put in place by the top-notch IT department.
I realize that the scenario I’ve laid out is pretty simplified, but I’ve seen this happen. A lot. It happens much more frequently than you’d expect. A company without the proper computer security policies in place and without a strong buy-in from management and human resources is pretty much helpless against the issues I’ve mentioned above. Over and over, time and time again, businesses place their security hopes on technology and neglect the people aspect. I’m not at all saying that technology is not important; it certainly has a very important place in the security infrastructure. However, it is absolutely imperative that the technology is enhanced with policy and awareness. It is time for our human resource departments to embrace security and bring it to the forefront of corporate culture.