As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Tom Conklin, Chief Information Security Officer at Fivetran. He is responsible for ensuring the security of the Fivetran SaaS platform and the company’s digital assets. Prior to Fivetran, Tom built security programs at Druva, Vera Security and Zuora. He has extensive experience building and leading security programs at SaaS companies where protecting customer data is paramount.
Tom has in-depth experience architecting security programs to meet multiple compliance frameworks, including FedRAMP, PCI/DSS, SOC 2, ISO 27001, HIPAA, FIPS 140-2, SOX, GDPR and others. He has also led application security, incident response, vulnerability management, and product security functions throughout his career.
Tom is passionate about building data-driven security organizations where teams use a modern data stack to gain valuable insights and shape their security programs to stay ahead of the rapidly evolving global cybersecurity landscape.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a very tech-savvy house. My dad was a teacher and would bring home old IT gear that his school was disposing of. So when the school updated their network to Cat-5, we got some of the Cat-3 gear. At one point, we had a dozen Mac/PC computers on a local network.
I have three brothers who did most of the tinkering; they probably are still more technical than me, so I learned a lot from them. I never knew what profession I wanted to pursue but had to declare a major when I went to college, so I chose Business Administration since it was quite broad and I could decide on a concentration later.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I sort of stumbled into this profession. I was studying finance in college and took a course on information systems. I loved it way more than my finance classes so I added a concentration in Management of Information Systems (MIS). This led to opportunities in public accounting doing compliance audits where I got exposed to SaaS startups. I knew I wanted to build companies and saw that the CISO role was new and a place where I could excel, so I made the jump to this industry.
Can you share the most interesting story that happened to you since you began this fascinating career?
Unfortunately, my most interesting security stories are under NDA and I can’t talk about them. What does come to mind is that I was able to make an introduction that helped one of my close friends land a job as a pilot with the USAF. I don’t work in the public sector, nor do I have experience in the military, but I knew a past co-worker’s husband was a pilot at an Air Force base my friend was interviewing at, but with a different squadron. I connected the two of them, and my friend is now a pilot in the squadron. What’s even more interesting is a month later my friend’s sister was looking for a new job and I introduced her to my former coworker, and she hired her! So, husband and wife hired brother and sister because I sent some texts. Kind of funny how we influence people’s lives.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
No one person comes to mind. I’ve always been fairly independent and intrinsically curious, so when I am thrown into new situations, I just figure it out myself. I guess my success has been being at the right place at the right time mostly by luck. Early on in my career I happened to work with some remarkable SaaS companies (Box, Okta, Zuora, etc.) right when SaaS was first taking off. This gave me exposure to many new technologies and operating models like AWS and zero trust before many other people. Being able to see how 100 really smart people have built enduring companies has been instrumental in helping me apply pieces to Fivetran’s security program.
Are you working on any exciting new projects now? How do you think that will help people?
One project that I’m really passionate about is enabling security teams to be more data driven. The security industry has a tool for just about anything, but often data is siloed in specific applications, which prevents it from being used or correlated with other datasets. Other departments have this problem too: marketing needs to understand the effectiveness of campaigns, sales has their funnel, customer success has a 360-degree view of the customer account, but security is very much still locked in point solutions. This is something that Fivetran wants to change starting with our internal security team and the security teams at our partners like Snowflake and Sigma, who, to be honest, are further along in adopting data than my team is.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Ask for the help you need. Company leadership has goals and objectives we are trying to hit. If we don’t have the perfect picture of what it takes to get there, then we need to speak up. If you’re working long hours or not making progress, it’s likely something beyond your control is impeding your progress. Let others know so you can work together to solve the issue.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
I’m most excited about how cybersecurity is maturing as a discipline. We’ve seen significant investments in security in the last decade, but we’ve also seen larger and larger breaches. While I think we will still see huge challenges, we’re getting to a point where there’s a common language and set of capabilities that defines good security. In other domains like Finance, Sales, and Marketing, we have established metrics that tell if a company is bad, good, or great in that area. I’m most excited about how security can embrace a similar set of comps. Companies usually don’t want to share their state because it may reflect poorly. My hope is that as programs get much better we’ll see an arms race of stats that companies market around. A company I really respect in this regard is Cloudflare — their transparency when disclosing details of incidents is great. They have it down to a minute-by-minute log of what happened and how they responded. Of course they would want to disclose this, as their incident response program is top notch. I hope many other companies start doing the same.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
With so many companies working remotely and so many employees moving, I think companies should expect more phishing attacks that target HR departments to get employee PII like W-2s. If employers email the W-2 to an employee that has moved, how do you verify a request? We need to start training teams now to verify and report malicious requests.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I’ve been part of teams that have uncovered exposed credentials in public git repos. We did a full investigation and notified affected customers, and the whole process highlighted many areas the companies need to get right to prevent and respond to breaches. I could write pages on everything that’s needed but the main point is — you have to assume people will make mistakes and you can’t control where data gets placed. So we need to prevent sensitive data from being included in source code, detect when something is misconfigured, and we need a process to proactively hunt and find mistakes like this.
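The "prevent sensitive data from being included in source code" point above, as an added example that is not Fivetran's code: a small scanner that flags likely credentials in source text before it reaches a repository, combining known key formats with a Shannon-entropy check on quoted string literals. The pattern list, the 3.5-bit threshold and the sample file are assumptions made for illustration.

```python
# Added example, not Fivetran's code: flags likely credentials in source text
# using known-format patterns plus a Shannon-entropy check on string literals.
import math
import re

# Known credential formats (prefix-based); illustrative, not a complete list.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
# Assignments such as db_password = "..." whose quoted value is 12+ characters.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(secret|password|passwd|token|api_key)\w*\s*[=:]\s*['\"]([^'\"]{12,})['\"]")

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score about 4-5, English words 2-3."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, kind, snippet) for each suspected secret in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((lineno, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if "${" in value or value.startswith("<"):  # templated placeholder
                continue
            # Entropy catches random-looking keys; a low-entropy password such as
            # "hunter2hunter2" slips through, so patterns and entropy are combined.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_" + m.group(1).lower(), value))
    return findings

# Constructed sample source file; every credential value here is fake.
SAMPLE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2"
api_token = "g7Qx9zL2mN4pR8sT1vW6yB3dF5hJ0kZ"
cfg_secret = "${VAULT_SECRET}"
"""

if __name__ == "__main__":
    for lineno, kind, snippet in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {snippet}")
```

Run as a pre-commit hook or over a repository export, the same function gives the "detect" step; the missed low-entropy password shows why a scanner is one layer, not the whole control.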
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Fivetran is a SaaS company. Our services are hosted in AWS and GCP and all our business systems are SaaS applications. Our offices simply provide internet and physical security for our workforce, but we don’t run any systems in any office. With this model, it’s incredibly important we control access to our company apps, so we use a Single-Sign-On (SSO) solution so that IT has a centralized way to manage access. We also use device management software to make sure laptops are properly configured, control which apps are installed on laptops, and make sure operating systems are updated. We even tie our SSO to company devices so that employees cannot use personal PCs to connect to company systems. Within the Fivetran services, we have multiple tools to look for vulnerabilities. This includes tools that test our code (static code analysis), our third-party libraries (dependency analysis), our applications as they run (dynamic code analysis), and our hosts and containers. Each of these tools will report vulnerabilities that are fed to our engineering team so they can be fixed.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
This is going to depend on each company and the types of data you handle. Managed services can be valuable when resources are scarce. Every company uses some amount of “over the counter” software. Companies should evaluate their core competency and use third parties for things that aren’t in their company DNA. We have a great ecosystem of security tools — don’t try and reinvent something that already works. As for when to hire a CISO — companies should start with assigning someone who has formal responsibility for security. This could be another function lead or an external agency. Companies should welcome feedback from these parties and hire a CISO when the scope of responsibilities is beyond what they can handle. I can only speak to SaaS companies, but typically that happens between 250–500 employees, and has come down significantly in the last few years.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Look for unsolicited communications, for example if you start getting unusual texts or emails. The challenge is that there’s so much marketing going on in every facet of life that people should just assume their data could be breached. So they should be proactive to limit the blast damage — some steps include using different passwords for each online account, using multi-factor authentication whenever you can, and never sending personal info in response to a request. Instead, go Google whoever is making the request and find an independent set of contact information.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Companies need to have a clear incident response process for identifying, documenting, and responding to breaches. There are two parts to the response process. One is the technology response to contain and mitigate the breach. This includes preserving evidence and assessing the scope of data, customers, and individuals impacted. Then, there’s the organizational response: how does a company notify regulators and customers; what is the company going to do to compensate victims; how does the firm engage a forensic assessor; and who handles crisis PR. All of this needs to be ironed out before a breach, and regular training and exercises need to include the entire process.
These regulations have an immediate impact of forcing companies to understand how data is collected, used, stored, and protected. This leads to more scrutiny for any company dealing with data. As a company that provides data integration services, it would seem like this adds a burden, but overall, Fivetran is well positioned to be part of the solution to managing these obligations. Where before companies had several, potentially unmanaged ETL tools, they now have a centralized service that provides a clear picture of where data is being moved to. Fivetran never stores customer data, and we have features like column blocking and masking that customers use to meet their privacy requirements and prevent sensitive data from entering their data warehouse.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Misconfiguration issues are very common, anything from exposing a public S3 bucket in AWS to getting IAM permissions wrong in a way that exposes private services. This is why it’s important to have a layered defense and ways to detect when one of the layers has an issue. For example, encrypt data before it’s written to S3 and make S3 buckets private, then trigger alerts when one of the layers fails. Teams need to be constantly testing and trying to break their capabilities.
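The layered-defense idea above, as an added example that is not Fivetran's code: an audit over a constructed inventory of S3 bucket settings that checks each layer (public access block, bucket policy principal, encryption at rest, encryption before upload) independently and escalates when a reachable bucket also holds plaintext. The field names mirror the shape of AWS API responses but are assumptions here, as are the bucket names and settings.

```python
# Added example, not Fivetran's code: audit constructed S3 bucket settings
# against independent layers and escalate when several fail at once.
# Field names mirror AWS API response shapes but are assumptions here.
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")

def public_statements(policy):
    """Sids of Allow statements whose principal is everyone ("*")."""
    out = []
    for st in (policy or {}).get("Statement", []):
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard:
            out.append(st.get("Sid", "<no sid>"))
    return out

def audit_bucket(b):
    """Check each layer independently; one finding per failed layer."""
    failed = []
    pab = b.get("PublicAccessBlock", {})
    if not all(pab.get(k, False) for k in PAB_KEYS):
        failed.append("public_access_block_incomplete")
    if public_statements(b.get("Policy")):
        failed.append("policy_grants_wildcard_principal")
    if not b.get("DefaultEncryption"):
        failed.append("no_default_encryption_at_rest")
    if not b.get("ClientSideEncrypted"):
        failed.append("objects_not_encrypted_before_upload")
    # A reachable bucket holding plaintext is the breach scenario; a single
    # failed layer is still covered by the others, so it rates lower.
    exposed = any(f.startswith(("public_", "policy_")) for f in failed)
    plaintext = "objects_not_encrypted_before_upload" in failed
    severity = "critical" if exposed and plaintext else ("high" if failed else "ok")
    return {"bucket": b["Name"], "failed_layers": failed, "severity": severity}

# Constructed inventory; bucket names and settings are made up for illustration.
INVENTORY = [
    {"Name": "billing-exports", "PublicAccessBlock": dict.fromkeys(PAB_KEYS, True),
     "Policy": None, "DefaultEncryption": True, "ClientSideEncrypted": True},
    {"Name": "marketing-assets", "PublicAccessBlock": {"BlockPublicAcls": True},
     "Policy": {"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
                               "Principal": "*", "Action": "s3:GetObject"}]},
     "DefaultEncryption": True, "ClientSideEncrypted": False},
]

def run_audit(inventory=INVENTORY):
    return [audit_bucket(b) for b in inventory]

if __name__ == "__main__":
    print(*run_audit(), sep="\n")
```

Results whose severity is not "ok" are the alerts to raise; feeding real bucket metadata into the same functions on a schedule gives the "detect when one of the layers fails" step.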
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Personally I’ve not seen this impact my organization, but as an industry, we’ve seen an increase in the number of attacks. It’s a perfect storm of factors. We have more people working remotely for the first time which makes it difficult to verify requests, people are more stressed which leads to more mistakes, and lastly we have a surge in global unemployment which means more time on some hackers’ hands.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Know what data you’re processing and where your most sensitive data is. Create a data inventory of the hosts, applications, databases, and other systems that process or store sensitive data. Then start assessing the risk of each system. This doesn’t have to be perfect but should help guide your efforts.
- You have more apps than you think. Employees are using free apps or expensing them. Most companies have far more applications they are not aware of. These present a risk to the privacy and security of data stored in these apps.
- Train your employees on their responsibilities. Security and IT teams can’t solve this problem alone. You need to help educate all employees, so at a minimum, they know how to do the right thing. They should know you’re a resource when starting a new project to assess privacy and security risks.
- Invite “outside scrutiny” to accurately benchmark your capabilities. Outside can be other departments within your company or peers/partners you trust. As you improve your program and add new capabilities, you should welcome feedback and focus on the top risks and how to get to a more secure state.
- Embrace automation but know it’s not a silver bullet. Automation can be great to help spot anomalies or streamline assessments, but it will fail if you don’t have a clear picture of your environment and where the gaps are. As companies solve the items above, they should look for ways to gain efficiency through automation.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Practice empathy. 2020 has been a difficult year for everyone. Even if you’ve had great things happen this year, I’d bet money there’s something you set out to do that just isn’t possible. For many this is the worst time in their life. This means the range of emotion for 2020 is somewhere between frustrated and devastated, so keep that in mind when interacting with others.
How can our readers further follow your work online?
They can follow Fivetran’s blog (https://fivetran.com/blog); as our security team grows, we will be publishing more to help share what we learn.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
Thank you so much.