I’ll be speaking in a few weeks at the Cyber Security: The Human Factor conference in Ottawa. My topic will be, in part, the role that human capital can and should play in security programs. But many people I speak with about human capital and people-centric security are more or less unfamiliar with the term. Human capital is something discussed a lot in other industries and fields, but not so much in information security. That’s a shame, really, because it means that security programs often allow a powerful source of wealth and value to go untapped in support of their efforts, even while fighting for the scarce resources they need to do their jobs. To better leverage human capital in support of cybersecurity, it’s important to understand what it is.
Human capital, put simply, means people. Because capital is a term borrowed from economics, it also implies money, or at least the potential to create wealth. Capital is broadly defined as the assets of an organization or individual that can be put to productive use. Capital can certainly take the form of cash, but it doesn’t have to. Wealth can be manifested in a variety of resources. Some of those things are tangible assets like real estate properties, factories, heavy machinery, vehicle fleets, or any number of other physical things. But wealth, and by extension capital, doesn’t have to be something you can experience physically. There are also lots of intangible assets available to people, companies, or governments. For individuals, things like education represent intangible assets. Intellectual property is among the most common forms of intangible wealth for companies, and includes such assets as corporate methodologies, patents, copyrights, and software. Corporate brands and the goodwill they can generate are another example of intangible capital.
Capital is necessary for a business to survive and thrive. And the way an enterprise manages and grows its capital is a strategic differentiator in terms of its competitiveness and the delivery of whatever products and services that organization specializes in. Companies that mismanage their capital, for instance by making bad real estate bets or acquiring inferior equipment, can find themselves suffering severe economic penalties for their mistakes. The same holds true for intangible wealth, and companies that don’t effectively harness the value of their brands or intellectual property see their competitive edge erode. Xerox provides something of a textbook case, as described in the 1988 book Fumbling the Future, which tells the story of how Xerox failed to capitalize on the innovative technologies the company was creating, including the invention of personal computing.
When we apply this idea of capital and economic wealth to people, we get human capital. People are, of course, physical and tangible things. But they are not corporate assets in the way that machinery or property is a corporate asset. Organizations do not own the people they employ – that would be an altogether different and darker economic system. Human capital instead generates wealth by contributing thought and labor to the enterprise, helping it to grow bigger, compete better, or function more efficiently. A good definition of human capital comes from Gary Becker, who described it as “…the knowledge, information, ideas, skills, and health of individuals.”
The objectives behind human capital development are the same as those behind the strategic planning that goes into the acquisition and management of any other form of wealth. Human capital can be leveraged for strategic advantage, but it can also be botched terribly. An organization that fails to understand how to effectively use its human capital resources and reserves is like a company sitting on a huge gold deposit that never does more than pan the river for nuggets. There are many reasons for such failures. It takes money to make money, and human capital often requires investments of other forms of capital before you can realize its full value.
Cybersecurity today remains, in capital terms, heavily weighted toward the tangible. Ask most CISOs to talk about their capital holdings and you’re likely to get a lot of talk about equipment and gear, or facilities like SOCs and data centers. Most of the intangibles mentioned are likely to be the software running on all that gear. Really progressive security programs may even count their processes and security methodologies as part of their wealth. But despite the mantra of security being a combined people, process, and technology challenge, you are far more likely to hear security managers talk about human beings as a source of risk than as a source of economic value or wealth.
The one area where I’ve found this generally does not hold true is the security training and awareness space. Security awareness teams work with human capital the way technology managers work with systems or facilities teams work with real estate and buildings. They acquire and grow their capital stores, they manage that wealth and attempt to return a profit (however profit is defined), and they try to innovate and come up with new ways to do both. Security awareness folks usually have to do it under much more difficult and spartan circumstances, because the value of human capital for security has yet to be widely accepted in the industry. But I’ve seen them do amazing things with what they’ve got, enough to make me want to see the security industry in general invest a lot more in their efforts.