HR software security is a big deal for us at CoreHR. So when we found out our security score had topped the leaderboard, we spoke with David Keating, CoreHR CISO and Data Protection Officer, to learn more about the important role he plays in providing high levels of security for our clients.
Q. What do you do at CoreHR?
A. I have quite a broad level of autonomy – I am the person who asks our product team questions to ensure that from a data information security perspective, everything is in the best interest of the customer.
I ask those awkward questions like: Why do we have to do things a certain way? What risk does it introduce to the business? Is the risk worthwhile or not?
I’m not always very popular in meetings! But I have to ask the awkward questions in order to ensure we are compliant with all legislation before a product is finalised for a customer.
Q. How engaged are you with customers?
A. Three or four years ago, information security teams were not involved in the software procurement process. You spoke to a sales team, the HRD, the head sign-off on the funding and, if they were happy with the software, the sales team did their pitch, the contract was signed and that was it.
In the last three years this has changed dramatically, whereby the in-house information security teams have to sign up to the process and complete due diligence. Given the type of data we hold, CoreHR would be classified as a Priority 1 Supplier; we have your bank account, sort code, union membership, ethnic origin etc., which accounts for highly sensitive data under GDPR legislation.
Today no deal will go through, no contract will be signed unless the information security teams are 100% happy and have done their due diligence on how we handle data security. I have a security pack which I share with customers on how we manage data, our environment architecture and infrastructure. The discussions I have range from someone who is a security architect who is highly technical to someone who is on the legal side of it and wants to talk about the Data Protection Act.
Q. What information do you provide customers with?
A. UK legislation requires our British customers to conduct a Privacy Impact Assessment. Essentially, if there is a data breach and your data was released and it was reported to the Information Commissioner's Office in the UK, they will check you undertook the right assessment of the supplier concerned before the contract was signed, so that you knew the level of risk or security you were exposing your business to. We pre-populate and create our own Privacy Impact Assessment and give that to our customer in advance, proactively giving our customers the answers to the questions they need. So we have done as much as we can to remove as many of the security concerns as possible. It also removes initial concerns about how safe cloud services are.
Four years ago, one of our biggest customers required us to sign a contractual agreement that we would achieve ISO27001 (that's the international standard specific to information security). That's what started us on this journey and we're very happy to report that we're now ISO27001 certified.
Q. Do conversations and touchpoints with customers vary industry to industry?
A. Yes, there are different sensitivities with the Public Sector involving unions, or with Retail where they use short-term contracts. In Retail you might not give every individual who is employed a corporate email address, especially if they are coming in for seasonal cover, so they are using their personal email address. I have the conversation with the customer to ensure they take responsibility for the risk of choosing to use personal email addresses.
Q. So you’d recommend anyone with part-time or temporary employees take this step?
A. That’s right. For example, documenting the use of personal email addresses provides a paper trail which makes it easier to explain to the UK ICO. And if someone leaves, it is also the company’s responsibility to remove that person’s data after a reasonable amount of time. Sometimes people may not understand the legislation surrounding data because the area can be a bit grey in places. And that’s where we step in – to provide that clarity.
Q. What are your ambitions for the future of security at CoreHR?
A. I guess first and foremost my goals centre around IS data protection. As a cloud service provider, especially for customers who traditionally have been on-premise and have been averse to cloud, it's giving them confidence that they would reduce risk by moving to a cloud solution. CoreHR are taking on some of the risk which would traditionally be left with them. Then looking at international standards, making sure we are aligned with those, as there are always new standards being introduced.
Constantly evolving and striving to be the best in breed for security with our product is an ongoing objective of mine that I take very seriously and take great pride in.
Q. What is your biggest achievement in the security space?
A. To be honest there have been so many because it's such an agile environment. It moves so fast. Our ISO27001 certification from a data security perspective, our data centre and how we have evolved since I first joined is a real achievement for me. What we have done as a family (we talk about Core Family and it really is) is that everyone wants to see each other be successful, and that's a key part of what makes our achievements so special.