State of Maine threatens to tear up Workday HR contract and request $21m refund if it cannot remedy concerns

The northeastern US state of Maine is threatening to cancel a contract with enterprise SaaS provider Workday and request a $21m refund. The project, which was due to go live in the spring of 2020, was designed to overhaul the state government's ageing HR and payroll systems. Kelsey Goldsmith, a spokeswoman for the Department …

  1. ecofeco Silver badge

    Is Workday taking lessons from IBM?

    Well how about that?! Yes they are!

    https://www.ibm.com/services/workday

    I think I see the problem. (funny how this was THE very first thing I thought of AND IT TURNED OUT TO BE TRUE)

  2. Charlie van Becelaere

    Scat Occurs

    "Across the state's information technology infrastructure we've occurred technical debt in the purest sense,"

    Are they speaking English? What does that even mean?

    1. Sven Coenye

      What does that even mean?

      "Oh, look! A maineframe!"

    2. sabroni Silver badge

      Re: What does that even mean?

      It means "all our stuff is out of date (but we don't like admitting it)".

      1. Steve K

        Re: What does that even mean?

        "All our stuff is out of date and we are still paying off the finance/expensive support & maintenance on it"

    3. foxyshadis

      Re: Scat Occurs

      "Technical debt" is a very common and well-understood term in IT and software development, meaning putting off doing things right in order to do them quickly, which comes at a steadily increasing maintenance cost until it becomes impossible to maintain even the simplest of functionality ("technical bankruptcy").

      You do know you're on an IT blog, right?

  3. Denarius
    Unhappy

    survived an attack

    on a 1980s mainframe? Probably did not speak TCP/IP well enough to be vulnerable to current attacks. Decades ago I heard of intruders doing update maintenance on servers so their attacks would work. Another case of this and the usual PHB cult thinking maintenance is optional? Seen it in housing, hardware, equipment and IT.

    1. Michael Wojcik Silver badge

      Re: survived an attack

      I don't believe it's clear from the article that the "cyberattack" involved any mainframe-hosted applications. The article mentions the attack in one paragraph, and the legacy mainframe-hosted HR system in another.

      That said, most IBM mainframes these days run a TCP/IP stack, and there's no question of "well enough" (whatever the hell you might have meant by that) to be vulnerable to attacks -- the vast majority of which take place above the IP and TCP levels. Many of those systems are on the public Internet; others are reachable once an attacker penetrates the internal network.

      As researchers such as Dominic White and Phillip Young have shown, while publicly-documented vulnerabilities in mainframe OSes are rare, lax security practices in administration and applications mean that a great many mainframe-hosted systems are vulnerable and exploitable. Common problems include discoverable and guessable credentials, APF-authorized load libraries that can be written by unprivileged accounts, and sensitive data in hidden fields in 3270-based applications. Nor are mainframe applications free of the classic low-level attacks, such as SQLi, BOF, and UAF, though fewer attackers have the low-level understanding of mainframe applications, environments, and OSes to exploit them.

      The relative complexity of configuring security features in many mainframe environments -- for example, the choice of security manager under SAF in IBM z, and the bewildering array of options for each of those choices -- also means a lot of mainframe sysprogs and operators have trouble creating and maintaining a robust, consistent security posture. And this is the sort of thing where many organizations will skimp on employing the necessary expertise and capacity.

      Those aren't issues unique to mainframes, of course. I'm just pointing out that mainframes, old or new, are not magically free from vulnerability.

  4. Little Mouse

    I'm anecdotally aware of good and bad Workday rollouts.

    For things to go well, a company needs to properly model/replicate/migrate its existing processes into Workday, which takes a lot of work.

    Some institutions though have treated Workday as off-the-shelf HR software, assuming it will fix their current problems, only to find that it didn't actually mend their bad business processes by magic.

    1. Anonymous Coward

      That's true... which is to say that Workday is just not enterprise grade. You need to implement Workday vanilla. If you have a somewhat unique process, like comp, it doesn't work. I used to work for a large tech company that had Workday. We built our own recruiting, our own talent management, used a different payroll because WD couldn't handle it, a custom comp system. Basically paying millions of dollars a year for an AWS object store which contained basic employee info with a Workday logo. If you scratch the surface of WD at any large org, you'll find a hundred workarounds and third-party solutions where Workday didn't work.

  5. Anonymous Coward

    There are many of these stories with Workday. I know of two large banks that started with Workday, killed the project after many millions down the drain and implemented something else. Workday is also ridic expensive, even as compared to their rivals. It is routinely twice the price of Oracle for a less functional system. They seem to be en vogue among HR departments for no particular reason.

    1. Antron Argaiv Silver badge

      "They seem to be en vogue among HR departments for no particular reason."

      They've rebranded as "People Professionals" where I work.

  6. Missing Semicolon Silver badge

    If it's so bad, and so expensive

    Is it not really cheaper to just hire a bunch of pros and get them to whack something up in Django or something?

    1. Michael Wojcik Silver badge

      Re: If it's so bad, and so expensive

      The devil is in the specifications and testing. Back-end business systems tend to incorporate a ton of business rules. Developers won't know about those, so someone needs to provide exacting and correct specifications. And similarly with testing -- developers can write tests to the specification (well, they can, even if they rarely do), but ensuring the product meets the business needs is another question.

      Which is not to say that a commercial product would necessarily be any better.
