AppsLab FAQ: Have You Spoken to HR, Legal and Security?

Here comes another installment in my FAQ series. This one isn’t a question I get asked, but rather one I ask.

Inevitably, when you start a community or release an application to customers, you’ll need to make sure you’ve got the blessing of three groups within your company.

  • Human Resources
  • Legal
  • Security

In any size company, you’ll need to do this, and failure to do so always ends in tears or worse for you. My advice is to engage these groups as soon as possible and plan for a very long approval process.

I don’t mention IT in this list because IT isn’t always in charge of security. When they are, then Security means IT, and by security, I mean network, not physical security. But you knew that already.

The first meeting of our (now dormant) Working Group covered how to approach Legal and Security with advice from members of our Legal and Security teams. We’ve been very fortunate to have allies in Legal and Security that have helped us understand what needed to be done to complete our projects and helped us get there as quickly as possible.

However, a lot of teams I speak to have only a vague sense that they need to work with these teams (and sometimes HR) before they can launch, and often, they haven’t allocated enough time in their plans. And they don’t know where to begin. Luckily for them, our work with Connect and Mix has acquainted us with the right people in these groups, so I can recommend a starting point.

This isn’t a revelation. Most people know you need to get approval from these groups, but they assume the approvals will go quickly. They don’t usually, and not because HR, Legal and Security want you to suffer, but because they are tasked with responsibilities for the company and its employees. So, they have to ensure these responsibilities are executed properly and according to guidelines. They’re not working against you.

Sure, one of the tenets of Web 2.0 is empowering the community, but in order to do that at a company, you have to jump through the hoops. Welcome to Enterprise 2.0, where your privacy and identity aren’t the only things at risk.

Case in point, the iPhone 2.0 firmware includes support for Cisco VPN, which we use. However, there are a few things missing to get it working. The iPhone inspires hacking like no other gadget I’ve seen recently; witness how quickly it was unlocked and jailbroken.

That spirit drove some industrious gadget hounds to suggest ways to decrypt certain passwords in order to use them for iPhone setup. Needless to say, this was met with a stern warning from Security. After all, decrypting a corporate password managed by Security should sound like a bad idea.

This wasn’t an E 2.0 project, but the same care is required when you put up an application in or outside the firewall. There are security measures in place you’ll need to follow in order to comply with Security.

You’ll want to make sure the t’s are crossed and the i’s dotted by providing links to all the appropriate corporate policies, including but not limited to the privacy policy, the terms of use, the blogging guidelines, revenue recognition policies et al. This will keep Legal satisfied.

If you’re using employee data, say for an internal social network, you’ll want to chat with HR, both in the US and abroad. You’ll find that other countries have different, sometimes stricter policies protecting employee data and its use. Planning ahead could save you costly lawsuits.

The problem is that these aren’t very sexy parts of your overall project. They don’t involve cool new features or showing off your ninja coding skills. Mostly, they involve scary meetings where you’ll feel like your project and possibly your job are in jeopardy. Not to worry though, if you’re armed with a solid business case and are willing to do whatever it takes to comply, you’ll be just fine.

Take it from me. I’m glad to have friends in HR, Legal and Security.

Share your experiences and advice in comments.


