As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Udo Waibel who is currently the CTO at Oomnitza, a leading technology solution that delivers a platform to secure and manage a corporation’s digital estate. In this role, he owns the overall product strategy and execution. Prior to Oomnitza, Waibel was EVP Engineering at Sitecore, where he led the transformation for the organization from on-premises to SaaS-based and agile deployment for digital experience platforms.
Before Sitecore, Waibel held various engineering and product leadership roles, including CTO and SVP of Products at HEAT Software (now Ivanti). In this role, he had overall responsibility for all HEAT Software products, including product management and development, which made him very familiar with the overall ITAM and ITSM product space. Prior to HEAT, he was co-founder and CTO at Hara in the emerging software market for carbon accounting and energy efficiency.
Waibel started his career at SAP where he spent 15 years in various development roles, including SVP for xApps and mobile applications. He has more than 20 years of experience in software, business consultancy, and technology. In addition to his vast experience, Waibel was inducted into the 2015 class of Computerworld’s Premier 100 IT Leaders.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Growing up in Germany, security has always been a point for discussion. I moved to the US in 1998 to join a project focused on Employee Self-Service — again, with a huge focus on data privacy since we were dealing with very sensitive employee data like addresses, payroll and benefits data.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Leading software development, the idea of security always keeps coming up, and one time I conducted an external pentest with a vendor that came back all green. So far so good, but a few weeks later I received a call from a customer who had performed a pentest themselves, and that one had plenty of red lights, which was very surprising to say the least. It made me wonder and want to understand it more.
Can you share the most interesting story that happened to you since you began this fascinating career?
This one was difficult to think of, separate from some of the other stories I share below.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I had the pleasure of working with many folks that inspired me. To me it’s not a single person that inspired me the most but it’s about how I can continue to be inspired and stay curious, wanting to learn more things and continue to work with new individuals that help me grow. It’s the journey that matters more than the end goal for me.
Are you working on any exciting new projects now? How do you think that will help people?
I just started working on an extensive implementation project using our Oomnitza product at a very large company. Security is an absolute key requirement there. Every device is a window into your network. If you don’t know what’s on your network, you are at risk. Good data security requires a comprehensive IT asset management strategy that couples world class asset tracking software with robust business processes tailored to an organization, and that’s the type of project we are working on with this company. I am very excited about this opportunity and am looking forward to continuing to learn more.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Always focus on the things that are most important to your project and your company. Prioritizing and not multi-tasking is the key. You may need to re-evaluate this every day since things change so quickly these days.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- The threat is significant and ongoing
- It is a genuine challenge, for those who like that sort of thing…
- Addressing the issue successfully adds a lot of value both to businesses and to their customers
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
- Increased threats associated with WFH, which increases the attack surface
- Implied threats to the enterprise based on the IT ecosystem adapting to a hybrid model on very short notice
- Associated threats to the end user or consumer who continues to behave like everything is pre-Covid from an IT use perspective
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
On a more personal level, a website I recently used for e-commerce was hacked, which resulted in me getting flooded with emails among which a credit card charge was hidden. Luckily, I was able to detect that quickly and stop the credit card charge, but I also reached out to the credit card company and the vendor to let them know about this and help as much as I could. I still ended up getting flooded with thousands of emails and have now learned the terms “unsubscribe” or “remove me” in at least 15 different languages. I wish websites would not expose an email field without triggering a validation email and asking for permission to send more emails. Until then, I will continue to use my dictionary and Google Translate to unsubscribe as quickly as new emails show up in my inbox.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
- External penetration tests with rotating vendors
- AWS CloudWatch
I like AWS CloudWatch since it allows me to do many things at once. From IDP to standard load and CPU, you can see it all in a single tool and it is very easy to configure. However, you need to be aware of the fact that a single change can cause lots of headaches if you deploy it wrong, so change management is the absolute key.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Security requirements are steadily becoming more challenging. On top of having to monitor and secure our customers’ data, we are also tasked with having to fill out endless requests for information and security review questionnaires. Initially, I was hoping that once we had a SOC 2 certification and audit completed, this requirement would lessen, but the opposite is the case. We are already contracting with an external penetration testing company since doing this in house is just not an option anymore, and having different people look at the app provides additional insights that otherwise would not be available. As we continue to grow, the next thing on my list is to hire a person to help with all the security reviews and questionnaires, and if this person develops well, this could eventually turn into a more senior position focused on security. So far, we are not yet ready for a full-time CISO since we are still in our early stages. Once we reach well over 1,000 customers, we should be in a position to hire one.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
- Someone in a position of authority in your company asking for irrelevant or personal information
- Devices that have been disconnected from the network all of a sudden reconnecting and sucking huge amounts of data
- Most attacks come from internal people — as such, be aware of what authorizations users request and work on the minimal authorization profile that people need to perform their jobs
- Ensure that you disconnect users in a timely fashion if they change jobs or leave the organization. Simply removing them from SSO is not enough
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
- Keep precise and timely track of assets, where they are, and who they are associated with
- Enforce password updates frequently. This is unpopular, but do it anyway
- Ensure everyone is ready for a SOC 2 compliance audit (or CCPA, GDPR, etc.). This is going to happen; be ready
- For us, it’s been great. We are a compliance enabler
- For business in general, it requires a different way of behaving; it requires a much greater focus on consumer data: where it resides and who has access
- Companies are better off inconveniencing employees than losing upset customers. The extra scrutiny that comes with tighter security needs to be the new paradigm
What are the most common data security and cybersecurity mistakes you have seen companies make?
- Not keeping AV software up-to-date
- Not securing remote access infrastructure (e.g. home Wi-Fi shared with family members who don’t understand the potential threat)
- Not instantly terminating systems access to an employee who has been let go
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
With the start of the pandemic, companies moved from a few offices to hundreds or thousands, since every home became an office. The threat profile changed significantly with that and thus the focus on protecting “the network” changed significantly.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Only capture PII data that you absolutely need and make sure to save it in a secure fashion and encrypted
- Ensure that access to all business systems requires MFA (multi factor authentication)
- Ensure that you have a proper password requirement and refresh cycle
- At some point in time, I worked for a company with pretty much no password requirement and lots of shared accounts. Needless to say, we had some security incidents that then took up a lot of time to fix. Since then, this is one of the first things I check (even before the official start date)
- Make sure that you not only deploy an endpoint security tool but that the tool is also properly running and updated with the latest anti-virus signatures. Automate the process flow on this and even the “stick” of removing a device’s ability to access the network if it is out of compliance for too long
- The definition of the network is changing, and you need to identify the changes and how they affect your attack surface
- Nowadays “the network” includes all of the SaaS systems as well as the cloud providers, so keeping track of this entire estate is becoming a bit more of a daunting task
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think simple, fast, effective and something everyone can do!)
Having visibility into a secure IT infrastructure that maps to how people use the technology (across silos such as hardware vs. software vs. mobile device vs. Cloud) and that is easy to maintain, easy to grow or adapt to changing market conditions. This is currently lacking in broad swaths of our economy (education, government, e-commerce, etc.) and the impact on users (nearly all of whom are not technical) is significant and has far-reaching implications.
How can our readers further follow your work online?
#oomnitza on Twitter or follow us on LinkedIn
This was very inspiring and informative. Thank you so much for the time you spent with this interview!