How First Round Capital Orchestrates Employee Offboarding for Immediate Data Security and Precision

“Thirty seconds.”

That’s how much time Ryan Donnon needs before he can confidently look an investor in the eye and say: “We’re good. Everything sensitive is protected.”

That’s effective offboarding.

Donnon works as the IT and data manager at First Round Capital, a top-tier early-stage venture capital firm with over $700mm in capital under management, and 6 IPOs and 92 acquisitions under its belt. Due to the nature of the business, employees handle sensitive financials and proprietary information on a daily basis and thus Ryan understands the importance of offboarding.

 

Data simply cannot be publicly exposed. Mistakes and delays aren’t an option.

“If there’s ever a fire drill and someone needs to be offboarded immediately, I can’t say to a partner or a supervisor, ‘It’ll be two hours until their access is revoked.’”

As a result, Donnon has created a fully orchestrated offboarding process, which helps him ensure precision, immediacy, and reliability. As soon as an employee exits the building, Donnon’s offboarding process, which takes only a “couple of clicks” to complete, revokes access to SaaS applications like Salesforce, Slack, and G Suite.

Eliminating Exposure with Offboarding Orchestration

Like many IT professionals, Donnon agrees that the shift to SaaS has produced new opportunities and challenges. The challenges are particularly noticeable with offboarding, he says.

“SaaS creates a lot of exposure for me when employees leave the company.”

Using BetterCloud, Donnon eliminates this exposure in seconds.

When an employee exits, Donnon “fires off a BetterCloud workflow,” which does a “bunch of things” he used to have to remember to do manually.

“The workflow immediately removes them from all groups, deactivates two-factor authentication, resets their password, and revokes authentication tokens for all of the applications that the employee has connected to their account. And most recently, I’ve updated the workflow to actually deactivate their Salesforce account as well,” he says. While most of these steps are relatively simple tasks, each must be performed immediately when an employee is offboarded, making the workflow orchestration a critical value-add.

“I think offboarding, as opposed to onboarding, is where I have the most exposure. If I mess up, forget a step and an ex-employee still has access to company data, that’s where I could hurt my reputation the most.”

Next, because First Round Capital uses SAML for most applications other than G Suite, he “kills the ex-employee’s Okta account,” which “pretty much cuts off access to everything else.” Donnon views BetterCloud and Okta as entirely different, but complementary solutions. “Even if you use some deprovisioning stuff in Okta, it still can’t do everything that you need to do that I feel like BetterCloud really makes easier.”

Most of the typically manual work associated with offboarding is automated through these processes. Donnon says that after seeing this orchestration in action, it’s hard not to say: “Wow. IT’s really got it together.”

Handling the Dynamic Variables

Offboarding isn’t all about cutting off access. Of course, companies want to take care of physical access and assets, too. Turning off keycard access and collecting company devices are necessary steps that Donnon takes.

But on top of that, exiting employees often possess information others may need.

Donnon uses a checklist to help establish a timeline and manage the variables. “Everyone is going to be different,” he says. Offboarding a partner, for example, is going to be a much more complex scenario than an employee who was in and out in less than six months. How to handle email is one aspect of offboarding that varies more than any other.

Leading up to the employee’s last day, communication, establishing personal relationships, and doing the upfront “legwork” are all key, says Donnon.

“You don’t want to be reaching out to people to get the information you need to fully offboard them] for the first few months after somebody exits.”

The Final Steps

For the first two weeks after an employee leaves, the account is limbo, says Donnon. (G Suite cannot serve up an auto-reply if an employee is suspended or deleted.) “I use the BetterCloud interface to set the auto-reply.”

At the end of the two weeks, Donnon goes into BetterCloud again.

He takes care of what many forget: recurring calendar events, which often may be consuming shared resources like conference rooms. “If an ex-employee is the owner of any recurring events, I need to work with either their manager or the person that replaced them to figure out who I should transfer those events to.” If not, this can be an especially excruciating task to perform after the fact. “Google does not have a great way to transfer recurring events from a deleted user,” says Donnon.

Next, Donnon backs up the account, transfers all of their shared Google Docs (typically to their manager), and then, unlike many G Suite admins, will actually delete their email account. (Many companies choose to suspend accounts for various reasons, but deleting a user will reduce costs, since Google does charge for suspended users.)

With a standard two weeks’ notice, the entire offboarding process happens over the course of a month.

Donnon takes care of his part in a matter of minutes.

Sign up for your personalized BetterCloud demo today or download our free whitepaper with 15+ pages of expert advice on employee offboarding: Identifying and Eliminating Employee Offboarding Inefficiencies and Security Threats.