Still Grappling With Data Security

Today I was going through airport security with my wife.  I got randomly selected for a screening, which consisted of wiping my hands with a cottonish fabric and sending it through the scanner that detects explosives or something like that.  After the screening, I commented to my wife, “So don’t all the terrorists know to not go to the gun range or handle their explosives within 24 hours of going to the airport?  It seems to me that this particular screen is really not a deterrent.  Any half intelligent terrorist worth their salt has got to have investigated TSA, right?”  (If I end up on some FBI watch list for this post, I’ll be both highly amused and highly irritated at the same time.)

I’ve been trying to figure this out for ages.  You see, the problem is that even if you have stricter limits on access to fields and tables in your security setup, even if you limit the number of users to sensitive information, you should not assume that your data is any more secure from unauthorized sources.  All you have done is make it harder to access.  Now, I’m not saying that making it harder to access is not a worthwhile exercise.  It is.  But let’s be honest with ourselves.  Harder was not the goal.  Impossible was.

Pretty much every reporting engine in the world allows you or the user to somehow download the data.  Before we lay blame on the vendors, let’s realize that it’s our own fault – we placed it as a requirement in every single RFP, or we “ooh’d” and “aah’d” when they demo’d how easy it was to download to MS Excel.  Either way, we lose all control over data security once data is downloaded by the user.  Privacy controls are voided, confidentiality issues arise, and we have no idea where the data ends up.  Not that this is all our fault either.  People who have security access to compensation data for example should know better than to email that stuff around.

There are a couple of nice solutions though, but I’m not sure how perfect anything is since at some point most of our organizations need to have data stored or downloaded.  We could of course disable downloading, and every manager, finance person and HR practitioner would just have to pull up a dashboard and view the data in real time.  Right…  At the same time, I’ve been advocating that all HR decisions are based in facts and data, and I can envision a world where meetings get really dull when we gather executives around the table but were not able to prepare decks full of analytics beforehand.

Here are a few things you can do to improve your reporting data security:

  • Make sure managers are certified and trained regarding their data responsibilities when they become managers and every year thereafter.
  • Review your security access periodically to make sure sensitive data is being accessed by the right roles – some roles may no longer need the permissions over time.
  • Build a prominent warning at the top of reports, shown when data is loaded, to make clear that dissemination of sensitive data is a breach of security.
  • Scrub your reports frequently – you may find old reports that are run with sensitive data that is not necessary based on the purpose of the report.

This is just one of those problems I keep grappling with.  We keep giving managers and non-HR functions access to more data – I do believe the business requires it.  We want everyone to be able to make decisions in real time, but we don’t trust our partners fully either.  I’m also completely uncomfortable giving up and going with the idea that some data is just going to slip through or saying that it’s just a change management problem.  Anyone have any thoughts about what they have done?  Please ping me.

CedarCrestone HR Technology Survey: Create a Winning HR Function

All too often, I get an industry report to read and end up saying to my colleagues, “wow this is crap.”  Case in point, at the end of 2012, I got a widely read industry report that rated a halfway decent HCM provider’s payroll engine to be better than one of the major payroll outsourcers.  They stated that a vendor’s almost non-existent compensation functionality was a top pick.  Each year, I go through the CedarCrestone HR Technology Survey, and hope there is something wickedly out of sync with conventional wisdom.  Each year, Lexy proves why she is the queen bee of HR surveys and is meticulously above reproach.  I just can’t stand it.

What’s great about this particular survey is that it’s not just gathering data and spitting it back out at you.  I know we all care how many people are buying Workday versus Fusion versus Employee Central versus … this year.  I know we all are interested how many of us are still on premise with our core HCM.  That’s so not the point.  What Lexy does is far more interesting.  She takes all of this data and compares it to company profiles.  What’s the correlation of profitable companies to those people who are running Software X or Technology Y?  This makes up the part of the report I’d like to chat about.  Lexy published 7 habits, and I’m going to summarize so you’ll just have to ask CedarCrestone for the report to read the whole thing.

The attributes that defined successful companies were pretty much higher than usual revenues per employee, profits per employee, operating income and return on equity.  Pretty good measurements.  I’m not sure if CedarCrestone evaluates which is causal, but they do evaluate correlations, so in that sense, go after what you can control, which in our case is the HR side.

  • User Adoption – “If you build it, they will come.”  What a load of crap – wasn’t that some baseball movie Kevin Costner was in?  I don’t remember, but it certainly does not apply to HR technology.  Instead, we have to implement ridiculous change management strategies just to get our managers and employees engaged with us.  If not, we only hear from them when their payrolls are wrong, or to complain about the vacation policy.  The reality is that organizations that successfully implemented solutions and had good change management programs resulting in high user adoption also ended up being among the more successful companies.
  • Buying Habits and Governance – Governance always seems to play into things.  I’ve found that the few organizations that are great at governance tend to be awesome places to work, make good decisions, and have high employee engagement.  So I’m stretching Lexy’s observations here, but basically when I reflect on her finding that successful companies have more technology and spend less per employee, I almost immediately translate that into good governance.  How do you get to better utilization of what you have, and only buying what you need after all?
  • Technology Decisions – There were also a couple of themes that I translated into low maintenance overhead, but also the ability to use industry best practices.  It kills me when I walk into a client that is so highly customized they really don’t know what they are doing anymore other than accepting new requests and implementing full time.  Most of these organizations don’t even know why or what the business case is – they just do it.  Successful companies are correlated to low customization, which is also correlated to SaaS purchases.
  • Data – One would automatically think that successful companies are good with data.  It seems obvious.  The survey actually points out a couple of great tactical elements to get you there.  The first one was integrated talent management with your core HCM product.  Companies that were there tended to have a significant advantage over others.  The second was the utilization of mature business intelligence models, along with the deployment of that data into managers’ hands where agile business decisions can be made.

At the end of the day, HR just wants to be heard.  Interestingly enough, there are elements of shoring up our own house as well as focusing on outcomes here.  If we make bad decisions and have crappy governance, well that’s problem number 1.  But if we also have crappy user adoption and poor data, we’ve also lost the game.

Note – nowhere in this did we correlate functionality to success!

Decision effectiveness

A few years ago, I had a custom set of wheels made for my bike. I had the rims specifically weighed and picked out of a set of about 10 rims. I had the spokes weighed and balanced to make sure they were the lightest ones. The spoke nipples (the threaded parts that are basically nuts that the spokes attach to the rims through) were color matched to the paint on my bike. All said, the wheels weighed about 1435 grams. Not crazy light, but pretty darn light. And they were fairly aerodynamic having decently deep rims and bladed spokes to cut through wind. Being aerodynamic, they cut through wind pretty well, and being light, they accelerated and climbed well. But custom rims cannot be laced as tight as some of the manufactured wheels out there. The one thing I lacked was the stability that comes from an incredibly tightly laced wheel.

I decided to give up my beloved wheel set and get a mass produced one (ok, so I have not yet seen another set of my wheels on the road, but still, they are not custom wheels). They happen to be just as light, almost as aerodynamic, and insanely sturdy. There is so little flex in my wheels that on hard corners going downhill at 45 mph, I have absolute confidence in them and I know exactly what they are going to do. Nonetheless, it was a hard decision to make, to replace my perfectly good older wheels.

I’ll admit. Even I talk too much about governance and the structure and network it takes to have a good governance model. But regardless of the model, it is not about your governance model, it’s about the effectiveness of your decisions. Do you make the right decisions? How fast do you make a decision? How often do you execute your decisions as planned?

You can have a great governance model. You can be totally well informed about what goes on in the organization based on working groups that inform you about the state of HR. You can be well networked and statused. And with all of that, you can still make the wrong decisions or avoid making decisions.

I have seen organizations where the governance model was to include so many people in the decision that at the end of the day, nobody wanted to be accountable for the final decision. The group would reach a point of consensus so that if anything went wrong, nobody had to take accountability, and they were all both blameless and at fault. It was also an environment where when the group was close to consensus, if someone saw something was clearly wrong, nobody would stand up for fear of being the one having to be accountable for a different decision.  It was a governance model. It was inclusive, well networked, but it turned out it was a bad model. Either nothing got done, or often, the wrong things got done. When it comes right down to it, you need to be inclusive and networked in the governance model, but you also need to be able to react quickly and authoritatively when the circumstances call for it. You need to have accountability for the decision that is separate from accountability for the execution and implementation of that decision. And you need to have the ability and the willingness to switch gears in the middle when you realize that something is either wrong, or just that something could be better.

I had a perfectly good bike, with perfectly good wheels. I’m continuously amazed at the quality of my new ride. It feels smoother when I ride over bumps, more solid when I ride down a hill, but just as light and aerodynamic. It was the right decision to make, even though it pained me to make it.

Nerves and Decision Governance

What makes us intelligent, able to make decisions based on our surroundings and predictions of the future is not that we have an immense amount of knowledge packed into our brains. Rather, what makes us different as human beings is that we have a great deal of nerves and nerve connections. It is these connections that make us able to operate in a different mode than the other animals around us.

Without these fundamental building blocks of connections, we would simply not be able to make the decisions we make. The same can be said for governance. Armed with only knowledge, we can make decisions based on some preferences, but armed with knowledge and connections through a network, we can make decisions based on probable outcomes.

I constantly see governance bodies that are made up of senior HR VPs who operate based on what they know as a senior body. Acting without the help of lower level working groups or sub governance teams, they don’t have the benefit of connections and networks that would help them be more successful.

It’s not that we can’t make decisions ourselves, but that in complex organizations, just as in complex organisms, a single body simply can’t discover all of the nuances and have all of the information it needs on its own. In today’s businesses with multiple systems, multiple HR functions, business functions, divisions, political factions, etc. involved, having appropriate inputs to help decipher what is really going on and deciding what decisions are actionable and important becomes critical.

And the fact of the matter remains that managers and executives don’t really ever hear the bad stuff. People are actually afraid of poorly statusing their projects and functions, and often it’s too late for executives to act by the time they catch wind that something has gone sideways. While discussing projects with peers within governance sub teams, clear discussions can be had, and realizations that often the issues are more cross functional in nature rather than the fault of a particular person can be recognized.

Indeed, even our projects are so interdependent upon each other that governance sub groups and working groups are absolutely essential to the proper functioning of our programs. Take talent management for example. Thinking that performance can live in a vacuum can only lead to trouble. Functional processes must be coordinated with learning, compensation, succession, staffing, and others. At the executive decision level, they must integrate with the executives from the same functions to ensure that strategic level adherence is maintained.

Regardless of the topic, governance and decision making is all about coordination and networking. It’s an impossibility to think in today’s HR technology world that any of us can live on an island without others, but also that we can be independent of others and still have a complete understanding of our environment.