Gartner's 4 Steps for CHROs to Lead HR Cybersecurity amid Rising Breaches
Gartner says CHROs must lead HR security as AI and automation expand. Bake security into HR tech, audit risks, hold vendors to account, build a culture that protects data and trust.

CHROs: Take the Lead on Digital Security in HR
Gartner is clear: CHROs should take a more active role in digital security as HR adopts AI and automation. The risk isn't abstract. Breaches are hitting HR tech vendors, associations and large employers, exposing personal data and damaging trust.
One recent example: a 2024 ransomware incident involving ManpowerGroup reportedly exposed files such as Social Security cards, passports, hours worked and worksite details. Incidents like this carry legal risk, harm the employer brand and shake employee confidence.
Why HR must lead
"CHROs often take more of a passive role in making technology investment decisions; however, when data breaches occur, there are massive implications on talent, including the risk to the employment brand and IP theft," said Emi Chiba, senior principal analyst at Gartner. "Many CHROs do not have strong digital awareness and are struggling to lead and influence AI and digital transformation."
Translation: security is a people issue. HR owns the data, the processes and the trust. That means HR must help set the guardrails, not wait for IT to clean up the mess.
Gartner's four moves for CHROs
- Make security a strategic part of HR automation.
- Identify threats proactively.
- Establish third-party risk management for HR tools.
- Strengthen a culture of security.
1) Build security into every HR tech decision
- Embed security requirements in business cases, RFPs and success metrics for any AI, recruiting or payroll automation.
- Adopt data minimization, role-based access, encryption at rest/in transit, logging and retention policies before rollout.
- Run privacy impact assessments and model risk reviews for AI features (prompt injection risks, data leakage, bias and auditability).
- Document who owns what: system owner (HR), security owner (InfoSec), data owner (HR), and approval flow for changes.
2) Identify threats proactively
Only 43% of cybersecurity leaders say their companies run regular audits on AI tools, per Gartner's May 2025 survey. Fix that gap with a simple cadence and shared ownership across HR, IT, Security and Vendor Management.
- Threat model HR use cases: AI screening, chatbots, payroll, benefits, employee data requests and offboarding.
- Watch common attack paths: phishing, prompt injection, data exfiltration, account takeover, API abuse and insider access misuse.
- Set a quarterly audit: access reviews, prompt logs, red-team tests on AI features and verification of data flows.
- Track KPIs: time to detect, time to respond, phishing-report rate, least-privilege exceptions and vendor patch latency.
3) Treat HR tech vendors as an extension of your risk posture
- Require SOC 2 Type II or ISO 27001, recent pen test reports, subprocessor lists and data residency details.
- Confirm SSO, MFA, SCIM provisioning, granular permissions and audit logs. No exceptions for "pilot" tools.
- Negotiate a DPA that covers processing purposes, retention, incident timelines, deletion on termination and liability.
- Document who reviews what: Legal (DPA), Procurement (commercial), Security (controls), HR (use case and data scope).
4) Build a culture of security employees trust
- Encourage workers to flag issues fast; reward reporting and remove blame.
- Run anti-phishing training with short, frequent simulations and instant feedback.
- Hold blameless reviews after incidents. Share fixes, not shame.
- Nominate "security champions" in HR, recruiting, payroll and benefits to keep practices current.
Incident response for HR scenarios
- Preparation: an HR-specific runbook, contacts, legal templates, regulator timelines, insurer steps and vendor escalation paths.
- Detection: train teams to spot unusual access, strange prompts, mismatched payroll changes and suspicious data exports.
- Containment: freeze affected accounts, rotate keys, disable risky connectors and switch to backup workflows.
- Notification: follow legal counsel, contracts and policy when notifying employees, candidates, regulators and clients, as required.
- Recovery: verify data integrity, restore services, force password resets and monitor for re-entry.
- Lessons: update controls, close gaps and brief leadership and the board.
30-60-90 day plan for CHROs
- Days 0-30: inventory HR systems and AI features, map data flows, appoint a security champion in HR and agree shared KPIs with IT/Security.
- Days 31-60: run access reviews, vendor attestations and a phishing baseline; add security requirements to all active HR tech projects.
- Days 61-90: complete an AI audit on one high-risk use case, update the incident playbook and brief the executive team on progress and gaps.
Metrics to keep you honest
- Phishing click rate and reporting rate
- % of HR tools with SSO/MFA enabled
- Quarterly access review completion
- Mean time to detect/respond for HR incidents
- % of vendors with current SOC 2/ISO evidence and signed DPAs
- % of AI features with documented risk assessments
What recent breaches are telling HR
Attacks target the data HR holds most: identity documents, payroll details, work history and contact info. The 2024 incident involving ManpowerGroup underscores two truths: attackers go where the data is, and third-party exposure becomes your exposure.
Your brand, candidate pipeline and retention depend on how you prepare and how fast you respond. Treat this as a standing priority, not a one-off project.
Upskill your team for AI and security
Digital fluency is now part of the HR skill set. Invest in targeted learning for AI, data privacy and vendor risk so your team can make informed calls and challenge weak controls.
Bottom line
Security is now a core HR competency. Make it part of your automation strategy, audit it like a habit, hold vendors to your standard and build a culture where people raise a hand fast. That's how CHROs protect data and keep trust intact.