Do not use production data in testing environments. Not only is it illegal, but you are exposing your customers’ data to hackers. This can ruin the foundation of your business.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Omed Habib.
Omed Habib is the VP of Marketing at Tonic.ai. A developer at heart, Omed fell in love with fake data as a way to improve developer productivity. He formerly led Product Marketing teams at AppDynamics, Harness.io, and helped launch startups from inception to unicorns. When not faking data, Omed keeps busy geeking out on all things tech, photography, and cooking.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Born and raised in San Diego. I’ve been coding since I was a teenager. I started my own software consulting company when I was 17, and the rest was history. I’ve been in the startup scene throughout my professional life. I eventually joined AppDynamics, which was acquired by Cisco. From AppDynamics I moved on to software delivery platform Harness.io and then to fake data startup Tonic.ai. I built my career and identity in enterprise software.
Is there a particular story that inspired you to pursue a career in data privacy and cybersecurity? We’d love to hear it.
Enterprise software development has gone through different stages of maturity as it continues to push its DevOps sophistication. Ten years ago, it was performance monitoring; a few years ago it was deployment speed; and today the most pressing challenge for software teams is how to make software more secure.
Can you share the most interesting story that happened to you since you began this fascinating career?
I once learned and observed the ability to correlate the number of times a company released new features to its stock price. By that same logic, I was able to analyze the opposite. The fewer times a company released software, there was an impact on revenue, and thus an impact on stock price. It was an incredibly fascinating perspective on how markets would react to consistent updates of software and something you’d only learn in enterprise software.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
One of my closest mentors and friends, Prathap Dendi, who is the current COO/President of Gem.com. Prathap is the embodiment of leadership. He redefined what I thought leadership meant. I used to think it meant being aggressive and willing to break the rules. He taught me that leadership was about character, respect, humility and kindness. Leadership is important when taking care of your team.
Are you working on any exciting new projects now? How do you think that will help people?
At Tonic.ai, we’re adopting various machine learning methods to automate the synthesis of test data from production. As data complexity continues to grow, enterprises need to adopt more automated methods that leverage cutting-edge automation models.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I’ve worked at more than a dozen startups and learned there is no correlation between working more hours and being successful. However, there is a correlation between working smarter and being more successful. Burnout will hinder your performance, so take the time to focus on the essentials and learn how to say no.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
First, the industry is increasing user privacy at a rapid pace. As a new father, I get very nervous about what type of information can be exposed about my child as he begins to build his digital identity. Advancements in regulation and the adoption of privacy practices to meet those regulations are going to improve the lives of everyone.
Second, solving issues around data privacy allows developers to focus on what they do best: build new features and products.
Third, once you have developers focused on inventing, it will exponentially increase innovation and technological advancements.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Absolutely. As software development teams become more distributed and everyone goes remote, there’s an increasing risk of sensitive data leaks. As you start to cross borders, you also cross regulatory controls. What is best practice in one country isn’t necessarily the best in another region.
Organizations need to have strict practices around data privacy without hindering employees in other countries. This is a growing threat companies are struggling to find a balance around.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I’ve been unpleasantly surprised by the number of engineering leaders who try to make the argument that using synthetic data for testing is an anti-pattern. They use production data, which is illegal and unsafe.
When they see Tonic.ai, they very quickly learn that it’s possible to have data that looks, acts, and behaves like production data without compromising any user privacy. Do not use production data in testing environments, period.
What are the main tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
My latest tool added to my arsenal is a software called Syncary. It’s a data orchestration platform that helps us consolidate and normalize for clean and consistent data across all of our systems. It’s a level of control I’ve never seen before in a data pipeline. We use it to bridge the gap between our marketing, sales, and product teams. I’m really excited to see how we can implement it across the entire organization as we grow.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
It’s based on an amalgamation of a few different factors. First, the size of the company. Typically larger enterprises with thousands of employees will want an in-house CISO managing their security and systems.
Second, it depends on the regulatory controls around your industry. We typically see finance, insurance, and health as the most highly regulated industries around data privacy. If you’re a HIPAA-bound company, the damage of leaking personal information can destroy your business. But a skateboarding company leaking customer phone numbers — although unpleasant — likely won’t take it down.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
First, there’s no culture around sensitivity of privacy. If production SQL dump files are being shared and passed around everywhere, something is off.
Second, a lack of audit trails indicates something is off.
Third, accessibility: how easy it is for any employee to be able to access private data. Access to production data should be tightly controlled within an organization.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
To protect themselves, companies should immediately lock down the system exposed where any breaches happened. It’s important to do this reasonably without halting all business. After that, determine the point of access where the data breach happened.
Once this is done, it’s time to begin working on patching up the vulnerability. Take the time to assess the best way to solve the problem without damaging or exposing other aspects of your business. Patching up the vulnerability depends on the nature of which software you’re using to secure your business. Keep all systems updated at all times, including security patches. Avoid using end-of-life (EOL) software that doesn’t have updates that are protecting you.
For your customers, inform them immediately. Assess what risk exposure your customers are put in and move from there. Depending on the nature of what type of data was breached (SSN, date of birth, address), you should come up with some recommendations for your customers, such as changing passwords, setting up two-factor authentication (2FA), monitoring their credit, and more.
Privacy measures are the strongest reason that Tonic.ai exists. We are built on protecting personally identifiable information (PII) and believe in securing all environments pre-production. The only place your customer information should live is a highly secure production environment. A data breach can also happen internally. If an internal employee can access production data, they can also compromise that data, and we consider that a data breach.
Companies need to figure out ways to enable their employees to do their job without accessing customer information. That’s what Tonic.ai makes possible for all businesses.
Let’s take a look at a recent example with HBO. An engineer at HBO was conducting a regular integration test email that ended up going out to customers. This tells us that HBO populated their test database with actual customer data. We don’t know how much data they used for production but we at least know they were using customer email addresses. Thus, an anti-pattern was born.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Using production data in testing environments. This is in breach of governmental regulatory requirements and exposes your customers to risk if hackers can gain access to that data.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes. Almost all engineering teams around the world were forced to work remotely. While you can physically lock down an environment in a building (including the data that engineers access), you cannot physically lock down someone at home or a remote location. To reduce risk, you want to equip engineers with data that has PII removed while still providing a data set that maintains the statistical and behavioral fidelity of the data set.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Do not use production data in testing environments. Not only is it illegal, but you are exposing your customers’ data to hackers. This can ruin the foundation of your business.
- When in doubt, use fake data. By using fake data, you are eliminating exposure to breaches and hackers while using information that is safer and just as reliable.
- Build a company culture around protecting privacy. You’ll want every member of your team to buy into the philosophy that data is the most valuable asset you have. If there’s an easy option to breach it, your company is worthless.
- Stay on top of all your security software. It’s important to frequently audit all security software you’re using to ensure there’s no EOL software being used that can pose a risk to your business. Software should consistently be updated to be more secure, not just as a one-time thing.
- Always be transparent and compliant. There are always new laws and regulations to keep up with that ensure businesses are not exposing their customers’ data. Brush up on these laws and always stay on top of them. HIPAA, GDPR and CCPA are good places to start.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think simple, fast, effective and something everyone can do!)
I would love to inspire everyone to crowd-source knowledge and share their insight. We’ve seen the first generation of crowdsourced knowledge movements with mega projects like Wikipedia and Khan Academy. However, I think there’s a future opportunity for knowledge sharing among smaller demographics. This can be videos, community forums, and 1-on-1 sessions.
If we can democratize knowledge, we can educate the world.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!