Why Size Doesn't Equal Security in Global Payroll
“Nobody ever got fired for hiring IBM.”
It’s a saying that’s been used in business for more than 20 years, and to some degree, it still reverberates today.
Used to justify the decision to choose one technology vendor over another, it’s a vote for the ‘safe bet.’ The understanding is that by choosing the biggest player in the game, those responsible for making the call would be shielded from any repercussions should things turn sour.
While new, disruptive providers have challenged this notion, it still rears its head today — particularly in projects that are heavily linked to risk and compliance, such as global payroll transformations and cloud migrations of ERP and HR systems.
Because data security and compliance are such important aspects of these projects (and the cost of getting it is wrong so severe), some decision-makers still feel assured that biggest is best. Many view newer ‘disrupters’ as an opportunity to provide a competitive advantage, as a result of some kind of breakthrough technology. But they are rarely associated with the ability to deliver reduced risk.
As the story goes, that role can only be fulfilled by the bigger players.
A New View
Yet business leaders only have to look at the rise of Workday — itself a small cloud newcomer not so long ago — to see that the established ‘safe bet’ isn’t always the right decision for their business. In fact, there’s clear evidence that working with a large vendor doesn’t necessarily protect your organization from costly security failings.
Recently, there have been numerous high-profile security incidents involving established tech monoliths. One of the most well-known data breaches in the last 12 months occurred at the Marriott hotel chain. According to the Wall Street Journal, Accenture is being sued for allegedly playing a part in the Marriott breach. The consulting firm is accused of a “failure to maintain adequate security controls to detect and neutralize known and obvious security threats.”
Such examples suggest that size no longer guarantees security — if it ever did.
With business risks growing and compliance becoming ever more complex, agility and adaptability, rather than size and status, are becoming more appropriate indicators of a vendor’s security competence.
In this article, we’ll explore further what best-practice looks like from a compliance perspective — and why it shouldn’t be assumed that the big service providers are best-placed to deliver it.
Data accuracy and auditability
Particularly for payroll, compliance in today’s digital world is underpinned by the maintenance of accurate, accessible, and auditable data.
Data quality, integrity, and singularity are key to meeting tax and other legislative responsibilities, as well as mitigating the risks of data exposure. And it’s the ease with which this can be centralized in the cloud that is enabling a cleaner dataset.
Vendors that have built their businesses around modern cloud technology can therefore gain an edge here, compared to established suppliers who may be working with older, more complex, and even on-premise systems, not geared as much towards data integrity. Older providers are forced to maintain these systems, too - due to the array of existing clients who still run their operations on legacy platforms.
It’s a point not lost on digital transformation expert Brian Sommer, in our latest Payday podcast: “The software vendors you’ve been dealing with for 20 or 30 years may not be the ones to take you into the digital age,” Brian explained, identifying how organizations can avoid the common pitfalls of vendor evaluation.
True worldwide focus
It could be argued that many of the more established global payroll providers aren’t really global payroll providers at all.
Many such organizations started out with a firm focus on in-country payroll (predominantly in the US), before building out their solutions on the back of increasing globalization — often partnering with separate payroll providers to accommodate other countries.
While these larger providers offer a strong and secure payroll solution for HQ, do they have the right model to manage global, regional and local compliance requirements across all countries?
It’s important to consider that the provider may not be the one to answer that question. Assurance of compliance is by no means the same thing as having it. Many vendors offer the assurance, but can’t demonstrate compliance in real-time — which means you don’t have line of sight of your risk and compliance position at all times.
Tracking changing legislation
With tax and data legislation evolving continuously, the challenge of staying on top of compliance (and adapting processes as necessary) is a considerable one.
Whether it’s reacting to the impact of GDPR or the Sarbanes-Oxley Act, a vendor’s size certainly gives no guarantees in this regard — with flexibility the key to timely change. As you seek to find the technology vendor that best fits your organization, it’s therefore important to look beyond big reputations and explore the finer details.
Investigate the procedures and policies in place at your vendor. Are they supported by appropriate levels of documentation? And what about training? Does the vendor have an ethos of continuous compliance improvement, constantly educating themselves on the latest cyber security issues and threats?
Perhaps they do — but it shouldn’t be assumed just because of their size or status.
Technology has and will continue to disrupt most industries, and it’s tough for established players to change business models overnight. They thrived when things stayed the same or evolved steadily.
Today technology is driving change at a relentless pace, making it difficult for inflexible companies to adapt. Even if they can keep pace with new developments such as artificial intelligence (AI) and blockchain, they must also stay ahead of the new security and compliance threats such innovations bring. And it may be that newer service models that are designed to adapt are best positioned to move with you into the future.