There was a long time ago I could pretty much build my bike from scratch. Yeah, I could assemble everything, that’s easy. Putting on gears, lacing up spokes onto wheels, getting the brakes on. I even used to pick out the individual ball bearings that went into my bikes. Then came a day when the ball bearings got sealed into cartridges making them last longer, roll smoother and easier to maintain. In a couple years, hydraulic brakes for road bicycles will be here. The industry has gone past my ability to build my bikes from scratch. I can still do most of it, but for the highly technical pieces, I rely on an expert mechanic.
A few months ago, I had a conversation with one of my clients about whether they should “buy it or build it.” Really? I honestly didn’t know those conversations even happened anymore. I really thought all the conversations these days were about should we use SaaS or stay on premise. I was reminded about this as I read the 2012 HR Technology Survey from Cedar Crestone. One of the charts noted the differences between HR, IT and executive perceptions and challenges to move to SaaS. Number 3 for HR and Executives? Security and Data Privacy concerns. Of course that was number 1 for IT.
I remember when I used to work for ADP a number of years back. This is old school, but their tax service center was in San Dimas, California… quite at risk of a major earthquake. It was in California for a number of reasons – primarily I assume because it gave them an extra 3 hours to file taxes in the U.S. But while ADP’s state of the art tax facility was at major risk of earthquake damage, their backup facility was somewhere on the other side of the San Andreas fault in Arizona. I remember talk about power lines coming in from all 4 external walls, just in case some guy with a backhoe ploughed through power lines on 3 sides by accident.
I also love conversations about data security. Let me be blunt: unless you are Citi, Amazon.com, or Walmart, you probably don’t have an entire organization dedicated to data security and the upkeep of your SAS-## (whatever it is these days). I’m sure you can do security well, but the chances you can do it better than the organization that does it as their core business, stop worrying about it. Back to ADP for a moment – I remember always having a personal chuckle moment when a client or prospect said to us that they had their own tax accountants, and felt better about that than using ADP. Guys, let’s be blunt again. ADP has probably hundreds of tax accountants, and they are probably better than yours.
Just like taxes are not your core business, you probably don’t host servers as your core business either. SaaS is here. Get over it IT.
Today I was going through airport security with my wife. I got randomly selected for a screening, which consisted of wiping my hands with a cottonish fabric and sending it through the scanner that detects explosives or something like that. After the screening, I commented to my wife, “so don’t all the terrorists know to not go to the gun range or handle their explosives within 24 hours of going to the airport? It seems to me that this particular screen is really not a deterrent. Any half intelligent terrorist worth their salt has got to have investigated TSA, right? ((if I end up on some FBI watch list for this post, I’ll be both highly amused and highly irritated at the same time))
I’ve been trying to figure this out for ages. You see, the problem is that even if you have stricter limits on access to fields and tables in your security setup, even if you limit the number of users to sensitive information, you should not assume that your data is any more secure from unauthorized sources. All you have done is make it harder to access. Now, I’m not saying that making it harder to access is not a worthwhile exercise. It is. But let’s be honest with ourselves. Harder was not the goal. Impossible was.
Pretty much every reporting engine in the world allows you or the user to somehow download the data. Before we lay blame on the vendors, let’s realize that it’s our own fault – we placed it as a requirement in every single RFP, or we “ooh’d” and “aah’d” when they demo’d how easy it was to download to MS Excel. Either way, we lose all control over data security once data is downloaded by the user. Privacy controls are voided, confidentiality issues arise, and we have no idea where the data ends up. Not that this is all our fault either. People who have security access to compensation data for example should know better than to email that stuff around.
There are a couple of nice solutions though, but I’m not sure how perfect anything is since at some point most of our organizations need to have data stored or downloaded. We could of course disable downloading, and every manager, finance person and HR practitioner would just have to pull up a dashboard and view the data in real time. Right… At the same time, I’ve been advocating that all HR decisions are based in facts and data, and I can envision a world where meetings get really dull when we gather executives around the table but were not able to prepare decks full of analytics beforehand.
Here are a few things you can do to improve your reporting data security:
- Make sure managers are certified and trained regarding their data responsibilities when they become managers and every year.
- Review your security access periodically to make sure sensitive data is being accessed by the right roles – some roles may no longer need the permissions over time.
- Build a prominent warning at the top of reports when data is loaded to ensure that dissemination of sensitive data is a breach of security.
- Scrub your reports frequently – you may find old reports that are run with sensitive data that is not necessary based on the purpose of the report.
This is just one of those problems I keep grappling with. We keep giving managers and non-HR functions access to more data – I do believe the business requires it. We want everyone to be able to make decisions in real time, but we don’t trust our partners fully either. I’m also completely uncomfortable giving up and going with the idea that some data is just going to slip through or saying that it’s just a change management problem. Anyone have any thoughts about what they have done? Please ping me.
Data Encryption with business intelligence and reports has always been a problem. Users are constantly requesting reports, and once data is in someone’s hands, it’s almost impossible to control data dissemination and what I’ll call data diaspora. One must admit, especially in large organizations, that trying to put controls from a procedural perspective is not particularly realistic. With hundreds or thousands of managers out there, controlling the actions of each person is particularly difficult.
In the good old days of ad hoc report files, excel spreadsheets, and powerpoints, any person who got their hands on data could easily forward it to someone else. The fact is that technology was sufficiently difficult to use that most organizations, even the very large ones, have used Excel as the easiest way to aggregate and analyze data from multiple sources. Even for single source reports, excel has long been the easiest way to communicate a data set. Managers didn’t really have robust capabilities to tap into reports on their own, and even then, one of the selling points from software vendors has been the ability to export data into excel where managers or practitioners could continue analysis.
HR technologists have been talking about dashboards and business intelligence for years, but it does seem that the lately emergent technologies are finding some adoption in larger organizations. Perhaps this is just maturity of the technology, perhaps the prices have started coming down from the fully customized ERP BI software to more vanilla and off the shelf analytics tools, or perhaps it’s possible that spending was just down so far in the last 2 years that nobody was buying the stuff. Whatever the reasons, the technology and the market seems to be ready now.
Certainly, increased controls are now much more prevalent with each manager going to their own dashboard to view data, and with the large number of analytics available in the HR and talent realms, ad hoc requests are hopefully going down. All this just means that if you can deliver a set of analytics to the manager desktop as opposed to frequent ad hoc requests, your data is controlled by the application security layer upon delivery. Since you have never sent an email with an excel spreadsheet, there is no data to be fowarded.
You’ll argue with me that this technology has been around for years upon years – at least a decade. I’ll absolutely agree that this is true, but I’m pretty sure that every single vendor out there (whether publicly or not) will agree with me that until recently the delivered reports were not sufficiently robust or comprehensive. ERP vendors are now also delivering robust prebuilt analytics with sufficient drill downs and drill throughs. The goal of the whole thing is to have enough data presented in a simple but detailed enough manner to eliminate most ad hoc needs. If you can create an environment that does this, you utilize your application’s security as opposed to releasing your data to the winds of fate.