Don’t Forget the “H” in Data Security

I was recently presenting at a conference regarding HR Technology and how we must leverage it to advance HR. During the Q&A portion, I was asked a rather typical question about data security and how it is to be managed when technology is introduced. I provided my typical response, which predictably focused on encryption, the need for an up-to-date audit (SOC1), and how important it is to involve IT in the decision-making process. Everyone seemed to grasp the importance of data security and the need to ensure HR technology is locked down and watertight. It wasn’t until later that evening that I realized that there is a whole ‘nother part of the story that needs to be told. So, as Paul Harvey liked to say, here is “The Rest of the Story…”

Based on a recent Forrester Research report, IT security investments climbed above $35 billion in 2011. The primary drivers behind these investments are fairly obvious: the rise of new security technologies, changing data security requirements, and the overall threat landscape. The issue with these investments is that they are largely reactive and, in many cases, don’t address the single greatest point of failure in our security systems: Humans. You know, that H within HR.

After all, even if we could build the strongest security fortress in the industry, if we have the wrong people handling the data, then there are more ways than investment dollars (35 billion) for HR data to become insecure. From unwittingly opening email attachments, to inadvertently downloading viruses, to loading Excel spreadsheets onto thumb drives, well-trained and well-intentioned employees are all too often duped into doing something risky…whether intentional or not. This means employers must actively manage the data security risks posed by trusted employees. Without a doubt, employers have to trust their employees – and most of them do. However, the risks posed by even the most trustworthy employees must be managed over time.
The problem is that most companies only assess employee risk at the time of hire (via background check) and then focus all of their ongoing energy on ensuring data is secure within the technical environment. By no means am I downplaying the need for IT’s intense focus on data security. Only a fool would do so. If anything, I consider myself one of the industry’s staunchest critics with respect to data security, and I consult with my clients all the time to ensure their providers have the most up-to-date security technology and independent audits.

The point I am trying to make is that an organization should focus on the human element of data security as much as, if not more than, on their HR technology provider’s security. The top HR technology providers are laser-focused on their side of the equation, and HR should match that focus by looking inward. IT departments will continue to invest in dongles, encryption, scanners, blockers, and firewalls to keep up with the ever-threatening technology landscape. But it is HR that can truly have an impact on improving data security by addressing the consistent weak link – people. This is a MUST HAVE for your HR Technology Strategy and should be something that is audited on a regular basis.
