Friday, October 21, 2016
Richard A. Spires may now be the CEO of Learning Tree International, but his background in cybersecurity goes much deeper. Having spent more than 30 years in IT, Spires was chief information officer of the U.S. Department of Homeland Security, as well as CIO for the Internal Revenue Service. He also served as the vice chairman of the Federal Government CIO Council and as the co-chairman of the Committee for National Security Systems, the committee that sets standards for the U.S. government's classified systems. Workforce editorial director Rick Bell caught up with Spires via email.
Workforce: What role does HR play in cybersecurity?
Richard A. Spires: Effective cybersecurity requires the proper application of technology, process and people. Having a staff with the skills and experience in cybersecurity is the most critical aspect for success. Given the reported 2 million person worldwide shortage in cybersecurity personnel, it is a virtual war for talent. An HR organization that works with the CIO and CISO in both support for recruiting, but more importantly development programs to develop cybersecurity talent from within the organization, is critical for success.
WF: What questions should recruiters be asking of candidates in regards to cybersecurity?
Spires: I look for individuals that have the general traits necessary to develop their abilities to become very skilled cybersecurity professionals. In particular, I look for individuals that have strong analytical skills and the ability to understand and deal with complex systems. They don't need to be computer engineers or scientists, but today's IT environment is highly complex and most cybersecurity tools require significant in-depth knowledge and analysis of information to be effective. Individuals that enjoy problem solving in a complex environment thrive with this type of work.
WF: Where does cybersecurity start in an organization? In IT? The CEO's office?
Spires: In today's environment, cybersecurity has become one of the leading (if not leading) risks to many organizations. As such, cybersecurity risk awareness and management needs to start in the C-suite and the board room. This is now way beyond the IT organization, and business units of an organization need to be involved in understanding the risks and helping in determining and executing plans to mitigate those risks.
WF: Is it really necessary to have about 100 different passwords that must be changed every few months?
Spires: If one is in an organization that still requires the use of a significant number of different passwords for access, it is a strong indication that the organization has a weak cybersecurity posture. The proper use of identity management systems in organizations today should simplify access for users and is a key component of a good cybersecurity solution. An organization should know who is accessing their systems and data and have knowledge, with a high degree of certainty, that an individual accessing a system is who they claim to be. Today's modern identity management solutions replace legacy system access controls (which leads to the many passwords) and will typically enhance access control through the use of multi-factor authentication, a system in which a user has to demonstrate they know something (such as a password or PIN), but also have something (such as a smart card).
WF: What was your biggest challenge as the CIO at Homeland Security and the IRS?
Spires: I loved my government service, not only for the camaraderie of working with dedicated people in public service, but also for the strong sense of mission, of doing something for the country. But government service has its significant frustrations. For me, the biggest challenge at both Homeland Security and the IRS was the amount of coordination and stakeholder work required to make any significant progress. It would typically be the case that I would need to convince up to 12 different stakeholders (a number of which were outside the agency) of the value of an initiative to move forward. This takes significant time and effort, and if you do not get everyone to agree, usually the initiative stalls. I believe this is both the major reason it is so difficult to get things done in government and why it takes so long to make progress.
On the positive side of this, when you can get alignment among stakeholders, it can be amazing to see how much progress can be made, given the sheer amount of resource federal government agencies can bring to bear on an initiative. I had enough of these positive events to say that I was proud to be part of both DHS and IRS and serve a collective eight years in government.
WF: Is cloud computing the answer to avoiding cyber-attacks?
Spires: Cloud computing is a particularly attractive model for IT in that it offers means to lower capital investment and enable organizations to pay for on-demand computing services when they need it. That being said, cloud computing by itself will not make one secure, even if the cloud service provider has extensive security controls in its cloud offerings. An organization must take a holistic approach to addressing its cybersecurity posture. Returning to the identity management example - a CSP must rely on the user organization for information regarding who should have access to a system or data residing in the cloud. If the identity management system itself has been compromised or the identity data is incorrect, it is not possible for the CSP to know or stop unauthorized access. Organizations can outsource their computing requirements, but really cannot outsource their cybersecurity operations.
WF: Do you ever hear this attitude? “We make widgets. Why should we spend money to negate cyber-attacks?”
Spires: The good news is that I rarely hear this type of statement anymore. The publicity of major breaches at places like Target, Home Depot and Sony Pictures has sensitized everyone to the reality that no one is immune. All major organizations have significant IT systems today, even if the organization has only the need for back office systems (like HR and payroll). Even in these cases, the organization is holding sensitive information on their employees. The awareness is a good thing for organizations, although I believe that many organizations are still under-invested and have a weak cybersecurity posture.
Rick Bell is editorial director for Workforce.
Thursday, October 20, 2016
Zenefits wants to be the iPhone of human resources.
At its Z2 user conference in San Francisco, the HR and benefits technology startup announced Oct. 18 that it will launch a revamped user interface and offer the first online “app store” for HR services including recruiting, expenses and productivity.
While continuing to offer its core solutions in-house, the new Zenefits platform will allow users to download additional applications that can access employee information directly through Zenefits.
“We've made integration as simple as installing an app on your iPhone,” said CEO David Sacks.
The platform will initially include apps from 17 partners including Salesforce, Intuit and Google, but Zenefits anticipates more third-party companies using its developer platform to create hundreds of new offerings.
Other new features include a new online benefits shopping experience that allows employers to choose from over 10,000 preloaded plans and compare provider maps. Zenefits will also release a new payroll feature in California, with other states to follow.
Also new is the HR adviser app, a paid service that provides small businesses with a content library and access to expert advice to help guide decision-making.
Zenefits also will release an updated iOS mobile app and introduce its first Android one.
These improvements take place as the company nears the end of a turbulent year. After experiencing staggering growth in just three years - Zenefits has raised $584 million in funding - reports surfaced in February that the cloud-based health insurance and HR software provider failed to abide by licensing requirements for its brokers.
Zenefits recently settled with Washington state and Tennessee over these claims, paying $100,000 in fines to continue operating in those states. Since taking the top post from ousted founder Parker Conrad in February, Sacks has also laid off over 350 employees and changed the company's ownership structure.
Competitors are also closing in on the all-in-one HR market. Gusto, among others, provides similar cloud-based solutions and just reached 40,000 customers, twice as many as Zenefits.
Nidhi Madhavan is a Workforce intern.
The post Zenefits Woos Human Resources With App Store Approach appeared first on Workforce Magazine.