HRTech Interview with Jason Downs, Vice President, InfoSec & Global Compliance at O.C. Tanner

Discover how Jason Downs, VP of InfoSec & Global Compliance at O.C. Tanner, led the company to become the first in the industry to achieve SOC 3 certification.

Hello Jason, it’s a pleasure to have you with us at HRTech. Could you start by giving us a brief overview of your background and your journey to becoming the VP of InfoSec of O.C. Tanner?
My journey at O.C. Tanner began 19 years ago, when I worked on the receiving dock in the warehouse while going to school. After graduating Magna Cum Laude from Strayer University with a Criminal Justice degree focused on Computer Forensics, I continued working at O.C. Tanner, where I wrote and maintained user provisioning services and led the modernization effort to develop microservices like user provisioning, authentication, and authorization, which became the foundation for our Culture Cloud Platform. I was fortunate enough to have the education, experience, and ability to lead our global Information Security practice when the opportunity arose. Since then, I have been active in multiple CISO communities, earned the ISACA CISM certification, and received approval for the EC-Council Associate C|CISO certification.

O.C. Tanner is the first provider in the industry to achieve SOC 3 status. How did you and your team plan and execute the strategy to reach this significant milestone?
During my first year in my role as VP of InfoSec and Global Compliance, I worked closely with the team to better understand the compliance expectations of our clients, as well as the current state of our SOC 2 practice. We set some tangible but aggressive goals to better align our compliance strategy with business objectives, including establishing internal auditing processes, conducting a thorough control assessment and review, and establishing consistent engagement with our Control Owners, which led to this achievement.

Could you explain the importance of O.C. Tanner receiving a SOC 3, and how it supports the platform’s core functionalities?
Today’s threat landscape is ever evolving and constantly expanding. Data privacy and information security are of the utmost importance to O.C. Tanner and our clients, and SOC 3 not only affirms the consistency and quality of our internal compliance controls, but also conveys a deep level of commitment and investment in our ability to meet these stringent standards and our clients’ highest expectations.

Why is this certification such a critical achievement, and how does it help build trust with your clients?
Culture Cloud is the first rewards and recognition platform to receive the SOC 3, which further solidifies O.C. Tanner’s commitment to being on the forefront of innovation and safety for our clients and demonstrates our ongoing commitment to improving Culture Cloud. This achievement is a symbol of our mission to maintain trust not only with our clients but also to help them build and sustain trust with their employees, which is a key driver of a positive company culture.

How does a SOC 3 align with the evolving security and compliance demands of your clients, especially those in highly regulated industries?
Data protection and security are top priorities for all organizations, but industries like healthcare and financial services face particularly strict and evolving regulations. Our primary concern is ensuring our clients feel confident partnering with O.C. Tanner and that they know our platform evolves alongside their industry needs. Our commitment to serving clients in the safest ways possible drives us to proactively monitor regulatory changes.

In what ways does this reinforce O.C. Tanner’s mission to enhance client experiences and foster great company cultures with recognition at the core?
The SOC 3 certification takes the stress off our clients around security and compliance, and lets them put all their energy into fostering exceptional company cultures. We strive to provide clients with best-in-class technology that they can trust, and this achievement is tangible proof of our dedication to helping organizations give and receive meaningful recognition to build those cultures.

Looking ahead, how do you anticipate these changes will shape the future development of the Culture Cloud platform?
The threat and regulatory landscapes will continue to evolve and become more complex, and as a SaaS provider to some of the largest organizations in the world, O.C. Tanner is committed to ensuring that our software and our internal practices evolve along with these landscapes. Maintaining a secure software development life cycle, fostering a culture of learning and innovation, shifting security “left” into the hands of engineers, and maintaining a robust information security training program are all critical tools for ensuring that the software is not only valuable to clients, but safe and secure as well.

How do you think a SOC 3 influences the employee experience for organizations using Culture Cloud?
A key pillar of building a strong company culture, and in turn an outstanding employee experience, is trust. Employees who trust their organizations are six times more likely to report feelings of belonging in the workplace. Not all recognition through Culture Cloud is public, and sometimes the appreciation or kudos an employee receives is private between the giver and receiver. Employees can rest assured that any information sent or input into Culture Cloud is safeguarded so only the intended recipients will see that information, which fosters that critical culture of trust.

Are there other certifications or standards that O.C. Tanner plans to pursue in the future?
O.C. Tanner’s work in data privacy and security is never finished, and as the threat and regulatory landscapes evolve, our platform will evolve along with them. As the company continues to expand its global client base, we will continue working towards alignment with international standards.

Finally, what advice would you give to companies seeking to achieve a SOC 3 to support their growth?
Compliance and information security go hand in hand, so it’s crucial to bring these practices and teams together and foster a culture of knowledge and trust. Nurture the working relationships between these teams, as well as the relationships with legal and internal Control Owners. Compliance can be overwhelming and is often viewed as a burden or a box to check, but aligning information security and compliance practices to business objectives is crucial to help employees understand the importance of these practices and how they can contribute to them.

Jason Downs, Vice President, InfoSec & Global Compliance at O.C. Tanner

Jason has been in the IT industry for over 13 years, developing an expertise in building and fostering healthy team cultures and environments. He is experienced in all facets of the SDLC from project feasibility analysis to solution delivery and scalability assessments, and his passion for building and developing high-performing software development teams has led to observable and proven business impact time. He excels at mentoring team leaders and managers to achieve better delivery results while maintaining a collaborative, fun, and adaptable team culture.