Human capital management (HCM) and e-learning are at the forefront of enterprise change initiatives designed to enhance productivity, reduce costs and increase the value of human assets. This area has seen exponential growth due to the advances in technologies, methodologies and processes that make the ROI of such endeavors more attractive than ever before. However, one critical factor remains largely underdeveloped as this field continues to expand its influence: the essential issue of securing sensitive data that is used to create the content necessary for HCM to be effective.
The federal sector and private business may seem to face disparate challenges in regard to HCM and the solutions they are developing to meet these challenges. But the reality is that both types of organizations must address a common issue when protecting knowledge assets. Information lifecycle management, or the flow of educational content from creation to the end user, must be watched at all levels if security is to be maintained. It is in this regard that federal organizations and private companies can learn from each other by looking at both the successes and failures of their HCM programs.
Securing HCM: The Federal Approach
Federal agencies are realizing the benefits they can gain through HCM. Feature-rich functionality and mobile learning environments are attractive propositions to organizations that have agents in the field. The problem is that many agencies use an ASP model for their LMS and for all content distribution. Information such as standard operating procedures and case files could prove to be very damaging in the wrong hands.
In response to this, the Department of Defense has begun implementing standards, such as the 8570 training certification, to control the distribution and dissemination of sensitive data. The idea is that absolutely no classified information should ever find its way outside the federal server firewall. The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) is taking this a step further by realizing that protecting the transmission of data is not enough. Sensitive information must be protected from the source of creation all the way through the verification of end users. As a result, the ATF is looking to a biometrics solution.
The Private Sector
Many businesses are already strong adopters of HCM and e-learning technologies. The problem is that they do not see the need to enhance the security measures employed in their HCM environments. HCM security is seen as more of a requirement in the pharmaceutical and health care industries, where regulations driven by the Health Insurance Portability and Accountability Act (HIPAA) drastically increase liability. But new standards and regulations, such as ISO 27001, are creating a paradigm where business must start to take HCM security seriously. Additionally, private companies need to consider the competitive risks they take when data such as corporate goals and objectives, product descriptions and brand launches are available to access in cyberspace.
The problem is that most businesses still tend to focus their efforts on network security and the protection of data transmission alone. This is why an evaluation of what’s currently happening in the federal sector is of such value. The federal government is beginning to realize that user certification is a critical element in protecting learning content from improper access. The necessity of user access is weighed against the risks of granting that user access. End users are put through extensive screening procedures. Most importantly, their identity is verified every time they access a learning module.
Apply These Practices to Your Organization
To apply these practices and secure HCM in your own organization, the first step is to perform the proper risk analysis to determine the value your HCM initiatives provide versus any inherent risk in making the educational content available. All factors, including people, process and technology, must be considered when making such a determination. If the content is extremely sensitive, consider screening individuals to determine if providing access to the required information is really going to enhance their job performance. Remember, the one element of HCM where technological security has little effect is the human factor. Seventy percent to 80 percent of all security breaches are inside jobs, meaning that critical data was entrusted to someone who should not have been trusted in the first place.
The next step is to ensure that learning content reaches its destination intact. Your internal IT resources are probably already familiar with the network security and access procedures that must be put into place. Another critical vulnerability is the area of user access. Many organizations rely on certificates to verify access credentials, but certificates only verify the identity of the PC, laptop or other device in question—they do not verify the identity of the actual user. Biometrics is the primary technology used to correct this shortcoming. Biometrics authenticates the user, usually through a fingerprint, to ensure that only the individuals you’ve selected receive the required sensitive information.
Other Factors to Consider
Another way the government is tightening HCM security is by developing e-learning platforms that can be used across multiple agencies. By pooling their resources, agencies are able to raise their overall investment in HCM security and can unify their processes under one umbrella. How this could be adapted in the private sector—whether through partnerships or entire industries—remains to be seen.
One area where private industry can clearly benefit is by unifying learning content creation with information security. In the past, these areas have been distinct silos with completely different levels of accountability. These critical business functions must work together if an acceptable level of risk management is to be achieved.
When looking at the complete picture of HCM and security, this is the formula to follow for success:
- Evaluate how human capital management can benefit your organization in the most productive way.
- Determine the measures necessary to secure that process from end-to-end.
- Unify all necessary departments under the common goal of making sure all security procedures are adhered to.
With this approach, you can maximize your critical data protection, maximize your end users’ experience and minimize any vulnerability within your HCM infrastructure.
Marc R. Starzyk serves as managing director of e-learning strategy for Catavo. Billa Bhandari is founder and CEO of Akoura and serves on the Technology Board of ID World and Advisory Board of My Data Vault. Stephen Lashley directs marketing and public relations activities for Catavo. They can be reached at slashley@clomedia.com.
