The CHRO as Cyber Advocate – it’s a New Day

Explore this P-n-T Data guest blog post by Jennifer Palmieri, EVP and Chief People Officer at Westfield, where she leads enterprise talent, culture, and workforce transformation, including the integration of AI into core business operations and workforce strategy.

By Jennifer Palmieri

When one thinks of the C-suite and cyber, the immediate focus is the Chief Information Security Officer (CISO). While that role is clearly responsible for the oversight of cyber within corporations, it is a new day for HR teams when it comes to cyber risk. One cannot read a LinkedIn alert, online blog, or news post without seeing another announcement of a major cyber breach.

To that end, I would suggest that the Chief Human Resources Officer (CHRO) plays a critical role in managing cyber risk within an organization. The CHRO is at the center of organizational transformation and culture change. Cyber risk management requires creating a culture of data security and ensuring that the people strategy incorporates cyber in an integral way.

So how should the CHRO advance the management of cyber risk? First, it starts with communication. Cyber awareness begins with onboarding. Integrating cyber into onboarding means educating incoming talent with training on protocols, policies, and practices—reinforcing the priority the organization places on protecting data and assets from day one.

Next, the CHRO must ensure there is clarity and precision in roles and responsibilities, reflected in job descriptions. This is what drives effective role-based security and identity and access management. As employees move throughout the organization, ensuring that provisioning follows the role is critical so that access does not become amorphous. The term “human firewall” is highly relevant; over 90% of breaches trace back to some form of human error. That could be something as simple as clicking on a phishing email or as sophisticated as being socially engineered into exposing sensitive information. We now live in the era of the deepfake, and HR can play a meaningful role in mitigating these risks.

To sustain this focus, creating a culture of data awareness and cyber sensitivity is key. This means the CHRO must ensure that job objectives, performance plans, and compensation structures align with this imperative. Communications must be clear and continuously reinforced. The CHRO should be a visible voice in making this a priority, including embedding cyber strategy into internal communication channels.

The HR function also recognizes the challenges of recruiting world-class CISOs. Sourcing, recruiting, and retaining the right CISO enables a strong partnership that supports all of the above priorities.

Lastly, there is the HR technology portfolio itself. The CHRO does not want to be the poster child for a cyber breach. This requires a strong focus on security protocols across HR systems—owned, outsourced, and cloud-based solutions alike. The risks here can be significant, particularly when it comes to protected health information (PHI).

Some of the largest breaches of employee data have originated from healthcare clearinghouses. There is often no compelling reason for employee data to be stored at these entities, as they are primarily pass-through or transport mechanisms. Organizations should insist that employee data not be retained by outsourced service providers unless there is a clear and justified need.

The CHRO is an important stakeholder and sponsor for cyber protection. Taking on a leadership role in this area is a linchpin in protecting the organization and its data. The trust of customers, partners, and employees is at stake. A cyber-savvy CHRO can reduce risk, manage exposure, and help create a more secure workplace.

Jennifer Palmieri is EVP and Chief People Officer at Westfield, where she leads enterprise talent, culture, and workforce transformation, including the integration of AI into core business operations and workforce strategy. Previously, she served as Divisional Chief Human Resources Officer at Cigna for both the Global Technology Organization and the International Division.