CHAPTER 3: WHOSE RESPONSIBILITY IS IT ANYWAY? – IT Induction and Information Security Awareness


Who is responsible for employee education in your organisation? The responsibility often lies within the HR department or a separate Learning and Development unit. However, it is not unknown to have subject matter experts scattered across the organisation that have individual educational responsibilities. And, increasingly, learning and development is outsourced to third party organisations.

Quite frankly, it doesn’t really matter who has the responsibility, as long as employee education happens. This is not to say that the relevance and quality of the educational programmes are unimportant, but simply to underline the fact that someone, somewhere, has to have a recognised responsibility for the development and delivery of specific employee education. So, who would or should have the responsibility for the IT Induction programme? This really depends on your organisation and where the subject matter expertise resides.

Let us first consider the subject matter expertise that is required to develop an IT Induction programme. Firstly, the subject matter expert should have a fundamental understanding of the organisation’s IT infrastructure. This just means having an overall understanding of the platforms used across the organisation and how they connect, so the subject matter expert can relate this to the type of services that the infrastructure will deliver to the users, for example, mobile or flexible working opportunities. Secondly, the subject matter expert should be knowledgeable about the software used on these platforms. Again, this does not imply having expertise in using this software, but understanding the services and facilities offered to the user through the software strategy adopted by the organisation. Thirdly, the subject matter expert needs to know about the range of web-based resources available to the users and whether any of these are restricted to certain user groups or restricted by location. Fourthly, the subject matter expert needs to be fully aware of what constitutes good IT working practice and have a good knowledge of information security issues. Finally, and perhaps most important of all, they need to know the users. So who is this subject matter expert? Is it the IT director, a senior IT technician, the information security officer, an IT trainer, an IT representative, an HR specialist or a risk manager? And, does it have to be one person? You will know the answer to these questions based on your organisation structure and staff expertise, and it may well be a third party responsibility in your organisation. Irrespective of who is most suited to this task, their commitment to developing and maintaining the IT Induction programme will be key to the effectiveness of the programme you adopt.

What has not been addressed here is who will have the skills to deliver the IT Induction programme. A well-informed IT Induction development deserves expert delivery, thereby increasing the probability of a memorable experience for the user, leaving them in no doubt about the IT systems available to them, codes of practice and expected behaviour. This is the focus of Chapter 5 which will address the various methods of delivery to help you decide which approach would most suit your organisation.

Having established that a certain amount of IT expertise is required along with a good knowledge of your users to develop and deliver an IT Induction programme, does this imply that the responsibility for IT Induction is unlikely to sit within your HR department or equivalent body? The Chartered Institute of Personnel and Development states that the role of HR is to ensure an induction policy is in place, and the role of HR professionals is to oversee the development and availability of induction programmes and evaluate their effectiveness. Would this exclude IT Induction? Perhaps not. In practice, it is likely that the development and delivery of IT Induction would be delegated to experts outside the HR department. Nevertheless HR, or your equivalent, will still retain overall responsibility for the induction of new employees, including the IT aspects of this, as induction is a necessary undertaking for the management of personnel.

Does this leave the chief executive officer off the hook with regard to IT Induction? Whichever management book you have read, and for whatever purpose, it is certain that there will have been mention, if not a dedicated chapter, on the importance of senior management buy-in, a sponsor for your cause or support from the executive board. Why should IT Induction be any different? After all, it is the point at which an impression is made with new staff and standards are set. And who will be legally responsible for any mishaps? Who would have the most to lose? Whilst you would not expect senior staff to get involved in the detail of an IT Induction programme, unless they are especially impassioned by the topic, you should expect them to understand information security risk at a high level, and support any effort to educate users in reducing risk within the organisation. The detail can be left to the experts they employ. Nevertheless, undertaking the IT Induction programme themselves and expecting all other staff to do the same is the standard you want them to set.

Question

You joined the organisation four weeks ago as a financial administrator. To date, neither the HR department nor your line manager has offered you any information on IT, its associated policies and procedures, or the behaviour expected of employees. Do you:

A. Say nothing, being glad you got away with it, as these things are so boring and badly done.

B. Mention it to a colleague over coffee, as you may be missing something.

C. Approach your line manager and ask for assistance in getting access to relevant information and people who can fill in the gaps.

D. Go to HR and complain that the organisation is putting you and them at risk, and they really should do something about IT Induction.

Choice A is simply not an option. IT Induction is the responsibility of everyone.

Choice B is a start, assuming your colleague can help by giving you some background information. However, their understanding may be out of date or even prejudicial, so you would need to be able to keep yourself detached from any harboured resentment or bad habits.

Choice C is a better approach, as your line manager should be expected to ensure that you have received the required employee induction. This does assume your line manager is conversant with, and supportive of, any IT Induction process in operation.

Choice D will probably depend on your charm and gift for communication, as complaining to HR so early in your appointment may not be a good move. However, you should expect to find out if there is an IT Induction, and if so, how you can access the programme. If there is no specific IT Induction, then at the very least you need to know where to find IT user policy and guidelines. Did you receive or sign an Acceptable Use Policy document? Also, do you think as an end user you have the responsibility to draw attention to the risk of not providing adequate IT Induction for all users? I would say so.

What this question aims to reinforce is that all staff should have the opportunity to undertake IT Induction and Information Security Awareness education, and it is everyone’s responsibility to make sure this happens.

In summary, this chapter has explored who should develop an IT Induction programme, and where the responsibility lies for ensuring IT Induction reaches all new users. Whilst a number of specific roles have been identified regarding IT Induction development and for taking the responsibility for ensuring IT Induction happens, it is clear that neither senior executives nor the end user are excluded from this responsibility.