Just to make things more challenging, our end users are expected to export data from PeopleSoft into a file on their desktops and use the third-party software client to import that data directly into the application. Educating our end users, who are not technically inclined, on the use of PGP or something similar will be an uphill climb. But so will getting the vendor to build encryption capability into its service offering.

By the way, after a little digging, I discovered that this vendor doesn't seem to have any large clients, so we get to be the guinea pig. I'm sure that once it establishes encryption capability, its application will be much more marketable. So it's to the vendor's benefit, really. But this would all be much easier if we had had this discussion at an earlier stage, such as during vendor selection.

Well, I guess I picked a career that doesn't have a lot of easy answers. I'm confident we'll get this resolved, but not without delays to the project and another black eye for security, as we reinforce our reputation for slowing things down.

"J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at .

Join in