The financial industry’s longstanding practice of determining an individual’s suitability for a loan through the use of the personal credit score is widely accepted. Now get ready for the personal trust score.
Apple has just created one to help help identify and prevent fraud among users of its mobile devices. And Facebook is now rating the trustworthiness of its users with a reputation score, in response to several ongoing disinformation campaigns.
Nor is the practice confined to technology platforms and financial services with a clear stake in preventing malfeasance, or toxic loans. For years, the federal government has employed investigative teams and analytical software to continuously evaluate the trustworthiness of personnel with security clearances. And now, a growing number of private-sector firms are doing the same.
A recent Bloomberg article reported that ride-sharing platform Uber has adopted tools and techniques for continuously assessing the trustworthiness of its employees. Bloomberg also noted that while healthcare and financial services workers have undergone extra screening for years, within the past six to 12 months “the practice of running periodic checks or continuous checks is spreading to other sectors, including manufacturing and retailing.” The approach can even be extended beyond employees to include vendors, contractors and customers.
At Haystax Technology, we believe that private-sector security operations teams can significantly reduce their risk through broader adoption of solutions to assess what we call continuous trustworthiness, the idea that you don’t just vet someone once prior to hiring but regularly, to ensure their circumstances haven’t changed with the passage of time — due perhaps to unforeseen personal, financial or professional stresses. Gartner has its own term for this kind of periodic or continuous evaluation: employee monitoring.
There are of course critical tradeoffs involved here between personal privacy and security. No C-suite wants to cross the line into the realm of creepiness (or worse: think of the Chinese government’s recent embrace of individual social credit scores that will govern whether or not a citizen can get a job or travel or even have access to high-speed internet). Equally, however, no enterprise wants its name splashed across the news media because an insider threat was able to hide behind a cloak of privacy rules in order to do harm to people, facilities, systems or reputations.
Haystax is a strong advocate for balancing security with personal privacy in the workplace, and as a result we have addressed concerns about the latter in several ways. One is through a capability in our flagship Haystax Analytics Platform called redaction, which replaces personally identifiable information with strings of alpha-numeric characters so that only the senior-most security decision-makers can see telling details and actual identities, while lower-level analysts cannot.
Another crucial component of Haystax is that its analytic results are designed to be fully transparent and traceable, something not possible in ‘black-box’ solutions that rely solely on rules-based or machine-learning approaches. These features are especially important now that the European Union has implemented its General Data Protection Regulation (GDPR).
Given the huge expected increase in evaluations, there is also the issue of volume and throughput. According to the Bloomberg report: “Membership in the National Association of Professional Background Screeners more than quadrupled to 917 last year from 195 members when it was formed in 2003.” That’s great for the association, but finding enough investigators and screeners is unlikely given current shortages of qualified personnel. And because there is exponentially more analytically useful data to be had online, it will take software rather than humans to sift through it.
Haystax’s approach to handling the required analytic volumes and velocities is to continually feed evidence from a wide array of open-source and internal data sources into specialized Haystax models, which emulate expert judgments on complex problems like assessing and prioritizing workforce risk. Unlike people, the model-based analytics never need a vacation or coffee break or sleep. In other words, Haystax operates at a scale and speed that no human could hope to sustain, while acting as a force-multiplier for existing security analysts.
More broadly, we view the continuous evaluation of individual trustworthiness as but one critical element in a holistic approach to managing workforce risk, as do others. For example, the chief security officer of UK financial institution Barclays PLC put it this way in an interview with a Wall Street Journal cybersecurity newsletter: “Rather than focusing on security silos such as ‘cyber,’ ‘physical,’ ‘investigations,’ ‘insider,’ or ‘resilience,’ we are focused on delivering ‘security’ as a whole.” Regarding the concept of trust in particular, he noted: “Overall, it is important for every company that security and trust are addressed holistically to make sure security is part of the corporate DNA.”
# # #
NOTE: Want to learn more about Haystax user behavior analytics? Join us for our upcoming Fishtech Group Pro Tour sessions at the following Top Golf locations: Dallas on September 27 and Minneapolis on October 2. Each session will be followed by a networking social and — of course — golf!