Don't get sassy with SaaS.
Choosing the right HR technology partner is a major decision. Watch Part 3 of our cybersecurity series for tips on what to look for when you evaluate a new tech partner.
Marcy: Hello from Businessolver and welcome to our third installment of our series on cybersecurity tips for HR professionals. I'm Marcy Klipfel. I lead the engagement team at Businessolver and this is my friend and coworker.
Tom: I'm Tom Pohl, I'm the vice president of IT systems here at Businessolver.
Marcy: So welcome back. Today I'm really excited because we're going to get down into the weeds a little bit and discuss technological considerations as we select benefits administration solutions, right? So as we get into this, Tom, we really want to understand what is the most common misconception that you encounter in regards to SaaS? And if I could explain really quickly to my friends out there, yes sass is what my nine year old gives me from an attitude perspective every morning before school, but in regards to what we're talking about SaaS is ...
Tom: SaaS, S-A-A-S, it stands for software as a service. In this day and age, so many organizations are turning to and using the cloud, like Office 365, or your payroll and applicant tracking systems, your LMS learning platforms for training and so forth that aren't hosted on premise within your IT infrastructure, but it's someone else's computer out in the cloud.
Marcy: Okay, so as we look to evaluate those SaaS solutions or SaaS providers, what would be the common misconception that you see that someone in my shoes could potentially make a mistake?
Tom: So the biggest one that I've seen, and this isn't true of everyone, but the most common one I've seen is when they're looking at different SaaS platforms they look at all the customers. They'll see XYZ PDQ, big name brand and they assume, "Oh, they must have been evaluated from a risk perspective that they're doing all the right things". Whereas, maybe they are, maybe they aren't, I guarantee you they haven't evaluated it against the risk framework for your organization. And so that's super important to do when evaluating any kind of a SaaS platform.
Marcy: I can see how that would be easy to do. So you're in a share group or some sort of networking group and you're about to look for an LMS and it's really easy to say, "Oh, this company that I respect is using that and so of course they've looked for it." So when you have the urge to do that, right, and I bring something in, what would be the types of questions that someone like me should be asking of a potential vendor to make sure that their cybersecurity is where it needs to be?
Tom: Yeah, so there's probably about 1,200 questions that should be asked, right?
Tom: But what's most critically important is to bring in your risk and security people up front in the conversation so that before you get way too down a path looking at vendors, making sure that they get evaluated because you don't want to waste your time looking at a platform if there's no way that they're protecting your information appropriately.
Marcy: And I know you've advised me in the past when I've been looking at different solutions to ask them to prove it.
Marcy: So what would be the top one or two areas that I should say, "Hey, make sure you show me" or what are the things that I should be asking for to make sure that they're proving it to me?
Tom: I mean there's a whole host like are they encrypting your data at rest, how are they vetting their employees, what technical controls are they putting into place in order to ensure that only the appropriate people have access to the data that should have access to the data, and the ones that don't, don't. So those types of questions to ensure that your data is being maintained and they're not being cavalier in their security in serving you as a customer.
Marcy: And I would say we're used to that here, right, I mean our clients ask us to prove it-
Tom: All the time.
Marcy: All the time.
Tom: We love it.
Marcy: So it's appropriate and right to ask for that, I think, I think that's great and I think too with annual enrollment season drawing to a close the next big project for many of employers is the RFP from HR technologies, right, because you're taking a step back, you're saying how did annual enrollment go and how do I want to move forward and do I need to go through an RFP process. So what are the three most important requirements that we should make sure are included in our RFPs?
Tom: Yeah, so definitely from if we take a step back, not only evaluating from a security risk standpoint, but from a financial aspect and also from an aspect of can this vendor manage the volume of me as a customer. Am I a big enough company or a small enough company that they're putting enough attention and resources into servicing me as an organization?
Marcy: So when we're looking at our request for proposals, it's safe to say that if we're not asking those questions up front we could get surprises on the-
Tom: On the back side.
Tom: Yup. Exactly.
Marcy: That makes sense. So that's all the time that we have for today, Tom, but thank you. I always enjoy my time with you. And next time we're going to be talking about how individual employees can be cyber secure both in their office and in their home. So I'm really looking forward to that discussion.
Marcy: Thank you for joining today, make sure you share this out with your friends and your colleagues and we'll see you next time on our next installment.
Tom: Take care, have fun.
Convinced? Download our full guide, How to Avoid Becoming a Security Breach Headline here
Want to build a culture of cybersecurity at your organization?
Want to start from the beginning? Watch Part 1 here.