Cornerstone and privacy
Interview with Thyronne Winter, Senior Cloud Security & Compliance Consultant, Cornerstone OnDemand
Blog post
Blockchain Poised to Improve Future HR Operations
This article was originally published on WorldAtWork.

Blockchain has become something of a buzzword over the last few years, but the technology famous for powering bitcoin has more utility than many of us give it credit for. It has shown real potential in areas like real estate, capital markets, health care and financial services, and over the coming decade it is likely to reach human resources as well.

Even in a rapidly changing work landscape, prompted by a global skills shortage that has only accelerated in a COVID-19 world, the fundamental things you need to know about a person (who they are and what their professional background is) have not changed. Roles and the demand for new skills have shifted, as has our ability to see an individual's potential when matching them to a job. For displaced workers who are eager to get back to work, employers could accept and verify credentials covering employment history and identity in moments, a process that historically takes as long as two weeks.

So what, exactly, can HR managers expect to see as blockchain technology realizes its potential? Here are several ways it could add value to organizations over the next decade.

Improving Job Matching

The job description and the resume are both formats designed to match talent to need in an era when careers were more linear and jobs did not flex with change nearly as much as they do now. Work today involves more jumps between companies, roles or even skillsets than the labor market saw in the past, and employees are constantly learning new skills and competencies, not every one of which maps to a certificate or degree. The new resume should be able to reflect these credentials.

Blockchain-anchored credentials provide an opportunity to better understand the skills, work experience and other value a candidate brings to the table. They also help us see jobs in terms of their fundamental components, which can support matching with better clarity, speed and accuracy than is available today. When we can better understand how someone does their work, their attitudes and interests, and how they work with others, we can move past how long someone held a certain role and understand how their unique perspective and background can meet the critical needs of a company. That includes external hiring, but, even more critical in our current environment, the talent already available within the company.

A Better Baseline for Recruiting and Talent Acquisition

The problem of "resume fibbing" has crept up over the last few years, and it only seems to be getting worse. A 2017 survey found that 85% of employers have caught people lying on their resumes, up from 66% five years prior. These figures are disappointing but not surprising: with fierce competition from candidates who boast Ivy League diplomas and Fortune 500 experience, many applicants feel pressure to stand out.

With blockchain-anchored credentials, hiring managers looking to fill open roles with the most qualified people can trust the integrity of the information candidates provide and avoid the misleading or outright false resumes that currently plague the industry. The integrity guarantee comes from the issuing employer or institution signing the credential; the ledger makes that signed record tamper-evident and lets an employer check it without contacting the issuer. Blockchain can also help level the playing field by surfacing additional accomplishments and presenting information in a clear, objective way rather than weighting certain credentials, like a college affiliation, too strongly. As a result, a resume becomes more than a list of accomplishments: candidates can give employers insight into what it might be like to work with them from the very start of the hiring process.

Giving Applicants More Control Over Their Information

When someone applies for a job, it can often feel like their information is going into a black hole. But with data privacy regulations like GDPR in Europe and CCPA in California, people are becoming increasingly aware of how their data is used and who has access to it. With a blockchain-based credential, applicants keep more control over their information: instead of contacting every employer they have ever applied to, they can update their own record and control who sees it. They can also set a time limit on how long a company can see their data. When someone applies for a job using their blockchain credentials, for instance, they can allow that company access only for the duration of the recruitment process. This helps employers too, since access lapses automatically rather than depending on each employer remembering to purge data on schedule, although the employer remains accountable for any copies it has made.

One practical caveat: an append-only ledger cannot erase entries, so designs that promise deletion keep the personal data off-chain, held by the applicant or an agent acting for them, and record on the chain only a salted hash or a revocable access grant. Deleting the off-chain record then satisfies an erasure request, while the on-chain commitment reveals nothing on its own.

Powering the Gig Economy

With blockchain, someone who works multiple gigs can add a portfolio of projects and skills to their record, helping them get hired quickly for the jobs they do best. As we talk about the future of work, advances that bring artificial intelligence and machine learning into the workplace or home office tend to dominate the conversation. It is time to add blockchain to that list of innovations. By 2030, 30% of commercial activities are projected to be supported by blockchain.

There is a lot of work to be done to bring the real-world applications of this technology to life, but one thing is clear: blockchain has the potential to become a game-changing tool for HR departments and employees alike.

Video: Blockchain in HR? - What the Future Ep 25
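As an added illustration of the access-control and erasure points above (this is example code written for this page, not Cornerstone's software and not a real blockchain client), here is a toy model of the holder-granted, time-limited credential flow. Assumptions: an HMAC with a key shared between issuer and verifier stands in for the issuer's public-key signature, a Python list stands in for the ledger, and the employer names, claims and timestamps are constructed for the demo.

```python
"""Toy model of a holder-controlled, time-limited credential anchored to an
append-only ledger. Added example, not Cornerstone's code. Assumptions: HMAC
with a shared key stands in for the issuer's public-key signature, and a
Python list stands in for the ledger. All names and claims are constructed."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

ISSUER_KEY = b"demo-issuer-key-not-for-production"  # assumption: stand-in signing key


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so hashes and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(claims: Dict, issuer: str, issuer_key: bytes = ISSUER_KEY) -> Dict:
    """Issuer (e.g. a former employer) signs the claims it vouches for."""
    body = {"issuer": issuer, "claims": claims}
    mac = hmac.new(issuer_key, canonical(body), "sha256").hexdigest()
    return {"body": body, "sig": mac}


class Ledger:
    """Append-only list of commitments. Personal data never goes on it."""

    def __init__(self):
        self.entries = []  # list of hex commitments

    def anchor(self, commitment: str) -> int:
        self.entries.append(commitment)
        return len(self.entries) - 1

    def contains(self, commitment: str) -> bool:
        return commitment in self.entries


def commitment(signed_cred: Dict, salt: bytes) -> str:
    """Salted hash of the credential: the only thing written on-chain.
    Without the salt the hash cannot be matched against a guessed credential."""
    return hashlib.sha256(salt + canonical(signed_cred)).hexdigest()


def grant_access(signed_cred: Dict, salt: bytes, audience: str, now: int, ttl: int) -> Dict:
    """Holder hands one employer the off-chain data plus an expiry time."""
    return {"credential": signed_cred, "salt": salt.hex(),
            "audience": audience, "expires_at": now + ttl}


def verify_grant(grant: Dict, ledger: Ledger, me: str, now: int,
                 issuer_key: bytes = ISSUER_KEY) -> Tuple[bool, str]:
    """Employer-side check: audience, expiry, issuer signature, ledger anchor."""
    if grant["audience"] != me:
        return False, "not addressed to this verifier"
    if now >= grant["expires_at"]:
        return False, "access window expired"
    cred = grant["credential"]
    expected = hmac.new(issuer_key, canonical(cred["body"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return False, "issuer signature invalid"
    if not ledger.contains(commitment(cred, bytes.fromhex(grant["salt"]))):
        return False, "no matching commitment on ledger"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through issue -> anchor -> grant -> verify, including the
    failure cases a verifier must handle. Returns each outcome by name."""
    ledger = Ledger()
    cred = issue_credential({"employer": "Acme Corp", "role": "Engineer",
                             "from": "2018-03", "to": "2021-06"}, issuer="Acme Corp")
    salt = secrets.token_bytes(16)
    ledger.anchor(commitment(cred, salt))

    t0 = 1_700_000_000  # constructed "now"
    grant = grant_access(cred, salt, audience="Cornerstone", now=t0, ttl=14 * 86400)
    results = {
        "valid": verify_grant(grant, ledger, "Cornerstone", t0 + 3600),
        "expired": verify_grant(grant, ledger, "Cornerstone", t0 + 15 * 86400),
        "wrong_audience": verify_grant(grant, ledger, "SomeoneElse", t0 + 3600),
    }
    # Tampering: the applicant edits the role after issuance.
    forged = json.loads(json.dumps(grant))
    forged["credential"]["body"]["claims"]["role"] = "CTO"
    results["tampered"] = verify_grant(forged, ledger, "Cornerstone", t0 + 3600)
    # Erasure: once the off-chain salt is destroyed, the on-chain hash is unlinkable.
    orphaned = dict(grant, salt=secrets.token_bytes(16).hex())
    results["erased"] = verify_grant(orphaned, ledger, "Cornerstone", t0 + 3600)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15s} {'PASS' if ok else 'FAIL'}: {why}")
```

The five outcomes show what the verifier must reject: an expired grant, a grant addressed to someone else, a tampered claim, and a record whose off-chain salt has been destroyed (the erasure case). Only the salted hash ever reaches the ledger, so an erased record leaves nothing personal behind.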
Blog post
Cornerstone Among First Organizations to Achieve ISO 27701 Gold Standard in Data Privacy
At Cornerstone, we are on a journey to continuously demonstrate our commitment to data privacy and people protection. Today, we are thrilled to announce that we have been awarded ISO 27701 certification for our Privacy Information Management System.

Considered the first globally recognized privacy certification, and aligned with GDPR, ISO 27701 extends the ISO 27001 information security standard with privacy requirements. It requires organizations to adhere to a structured framework of information security and personal data protection requirements and gives practical guidance for managing privacy programs.

"With this new certification, we are bringing the power of people protection to all of our clients across the globe," explained José Alberto Rodríguez Ruiz, Global Data Protection Officer at Cornerstone. "We are focused on offering all organizations we work with reassurance about how we handle their data, providing compliance reporting and career protection. Ultimately, this enables our clients to also gain the trust of their employees."

Achieving ISO 27701 was a top priority for Cornerstone soon after the standard was published in 2019. "We believe this certification marks a key milestone for both us and data privacy in general," said José. "It's about more than protecting data: we protect the data to protect the people."
Blog post
The Security Development Lifecycle: Where Proactive Controls Save the Day
The connected world of HR technology is exploding, and more and more companies are trusting employee and company information to cloud software providers. The problem? Complex, public-facing cloud systems are hard to secure. That is just a fact. So what can providers do about it?

The answer is simple to state: detect and minimize security risks in your product before it is released. But to do that you need a well-defined strategic framework, a Security Development Lifecycle (SDL), to guide product development and ensure that security is built in by every team involved. This is a cross-functional effort, with the Product, Development, QA, Security and Release teams acting together.

The SDL concept is not new, but the growing pressure on software developers to adopt a formal framework is, especially where critical and private employee information is concerned. Recent high-profile data breaches at major retailers, financial institutions and government agencies have customers asking vendors more questions about security. They want assurance that developers are doing all they can to reduce risk and ship safer products.

Instilling greater confidence in your customers is an important reason to adopt an SDL process, but there are other benefits. Reducing the need for firefighting is a primary one. Think of the resources you need to respond to a security incident after your product has been released; the time and cost can be significant. As Microsoft notes on its "Benefits of SDL" page, the National Institute of Standards and Technology estimates that code fixes performed after release can cost 30 times as much as fixes performed during the design phase. The bottom line is that it is far more cost-effective to ask questions about security and address risks in the earliest stages of product development.

Here is what you need to know about creating an SDL at your company.

Tailor the SDL Framework to Your Needs

SDL frameworks provide inspiration and tools for reducing software security risk, but you have to implement one that fits your organization's processes and culture. You will need to blend best practices into a framework that is relevant and effective for you. Technical controls in particular require customization and tuning based on internal process, technology and capability.

Process-based preventive controls include verifying that project-level security activities occur before release. Technical controls include static analysis and dynamic analysis security testing, and typically require a toolbox such as a SIEM (Splunk), static source code analysis (Checkmarx), static binary analysis (Fortify) and dynamic analysis security testing (WhiteHat Sentinel, Burp Suite, ZAP). We also build custom scripts and maintain manual processes for verifying that new features are free of severe and common classes of security defect, including SQL injection, command injection, cross-site scripting and authorization issues.

That is what we have done at Cornerstone. Our SDL framework is a hybrid of leading frameworks such as the Microsoft SDL and the Building Security In Maturity Model (BSIMM), with one added core element that reflects what Cornerstone is: a learning company. Continuous learning is the cornerstone of our SDL, with product security training forming the hub of our SDL "wheel".

Educate Your Team

Our goal is to make learning fun. We believe that education and training is the best proactive security control. For example, we have developed an application security game that is part of the mandatory curriculum for all of our technology personnel. It is multiple choice, but it is tough, and we can chart the progress of every developer as they move through the curriculum. What we are doing at Cornerstone is advanced for the talent management space, and it lets us answer with confidence three vital questions customers ask in security RFPs and audits:
Do you have a strategic framework for secure product development?
Have you implemented controls that indicate maturity across those practices?
Do you conduct role-based application security training and measure the results?

We use our internal implementation of the Cornerstone LMS to deliver annual training on security policies and guidelines for all employees, and provide focused, role-based application security training for Dev, QA and the technical personnel responsible for shipping code. We also provide specialized training on SIEM, static analysis and dynamic analysis security testing tools. Cornerstone is proud to be a member of the Cloud Security Alliance and regularly hosts the Los Angeles-area chapter's monthly gathering at its Santa Monica headquarters. This educational forum helps keep Cornerstone ahead of the curve on cloud security.

Proactive Product Security

More importantly, our SDL framework lets us confirm that we have done everything we could to build security into a product before we release it, by answering key questions such as:
Did we specify secure design requirements, and were they followed?
Did we conduct secure code review, and what did we find?
Did we perform dynamic security testing, and what was the result?
Were new features covered in per-release penetration testing, and what was the outcome?
Is the product security incident response team aware of the new attack surface, and do they know whom to contact if issues are found?

The whole point of the SDL is to build proactive controls that reduce risk and the reactive need for firefighting. You build a more secure product by bringing all stakeholders together at the outset (the product designer, the development lead, the quality assurance team and others) to ask and answer: What are we building? What are the risks? And what can we do to prevent them?

The conclusion? The program and process have to be ongoing, since technology changes and employees take on new challenges. Updating the program frequently is critically important. The process is iterative and meant to support a "maturity model" mindset.
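To make the custom scripts and injection checks described under "Tailor the SDL Framework to Your Needs" concrete, here is an added example written for this page (it is not Cornerstone's tooling): a string-built lookup beside its parameterized form on an in-memory SQLite table, and a small AST scanner of the kind an SDL pipeline can run on every change, flagging execute() calls whose query text is assembled at runtime. The table, sample rows, payload and scanned snippet are all constructed for the demo.

```python
"""Added example (not Cornerstone's code) of the kind of check behind an SDL
gate for SQL injection. Part 1 runs a string-built query beside its
parameterized form against an in-memory SQLite table. Part 2 is a small
AST-based scanner that flags execute() calls whose query text is assembled
from runtime values. Table, columns, sample rows and SNIPPET are constructed."""
import ast
import sqlite3
from typing import List, Optional, Tuple

SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]  # constructed


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately unsafe: the input becomes part of the SQL text."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized: the driver binds the value; it never becomes SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def _how_built(q: ast.AST) -> Optional[str]:
    """Name the unsafe construction, or None if the query is a plain literal."""
    if isinstance(q, ast.JoinedStr):
        return "f-string query"
    if isinstance(q, ast.BinOp) and isinstance(q.op, (ast.Mod, ast.Add)):
        return "query built with % or +"
    if isinstance(q, ast.Call) and isinstance(q.func, ast.Attribute) and q.func.attr == "format":
        return "query built with .format()"
    return None


def find_string_built_queries(source: str) -> List[Tuple[int, str]]:
    """Return (line, reason) for execute()/executemany() calls whose first
    argument is built from runtime values, directly or via a simple variable.
    Variable resolution is flat (last assignment wins, no scope tracking):
    enough for a demo lint, not for a production tool."""
    tree = ast.parse(source)
    assigned = {
        n.targets[0].id: n.value
        for n in ast.walk(tree)
        if isinstance(n, ast.Assign) and len(n.targets) == 1 and isinstance(n.targets[0], ast.Name)
    }
    findings = []
    for n in ast.walk(tree):
        if not (isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                and n.func.attr in ("execute", "executemany") and n.args):
            continue
        q = n.args[0]
        if isinstance(q, ast.Name):
            q = assigned.get(q.id, q)
        reason = _how_built(q)
        if reason:
            findings.append((n.lineno, reason))
    return sorted(findings)


# Constructed source the scanner is run over (not real project code).
SNIPPET = '''
def bad(conn, name):
    query = f"SELECT * FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def also_bad(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % name).fetchall()

def good(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()
'''


def demo() -> dict:
    """Run the classic payload through both lookups and scan the snippet."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),  # whole table leaks
        "safe_rows": len(lookup_safe(conn, payload)),              # payload is just a literal
        "honest_lookup": lookup_safe(conn, "alice"),
        "scanner": find_string_built_queries(SNIPPET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scanner is deliberately narrow: it catches the four common ways a query string gets assembled in Python and resolves one level of variable indirection, which is the pattern the vulnerable lookup uses. A real gate would combine such a script with the commercial static analysis tools named above, and with the manual review the post describes for authorization issues that no string pattern can detect.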