Move great people around the Planet while keeping their data safe
I enjoy working with start-ups, primarily because every time I get to talk and work with people who are very much reshaping our future. The same can be said for the rest of our team: “Blues” like to work on protecting infrastructure and business cases they might have never seen before. “Red” penetration testers enjoy getting their teeth into new frameworks, and boy do they enjoy trying social engineering on young, ambitious people (probably too much as well).
So, it was a great pleasure to have Ronald Hindriks, Co-founder and Ops leader of Jobbatical, join me for a fireside chat about security and start-up challenges.
Natalja from CYBERS: Hi Ronald! Could you give me an elevator pitch of what Jobbatical is?
Ronald from Jobbatical: Sure. Jobbatical started as a platform focused on recruitment, but we quickly realized that the real value we can provide to our customers is with relocation. Now, COVID-19 aside, there is a huge lack of talent at any given company’s doorstep. But what do you do, as a recruiter from, say, Germany, if the only candidate you could find is from Brazil? How do you go about moving them over? How do you make sure that their experience with your company is amazing? What do you do if you need to move 5 people each month? Recruiters and HR go crazy with Excels and forms trying to make it work, to ensure the best experience for their new team members. This is where the Jobbatical relocation platform and relocation service come in.
Natalja from CYBERS: Sounds meaningful. But then this means that you are processing quite a bit of personal data? How do you handle that, as a startup?
Ronald from Jobbatical: Well, I think we were lucky. From the very start, we were aware of GDPR and data protection, so once we hit it off, there was not much new for us. We had good advice on privacy from our early advisors and legal partners. Our engineers understood the value of security by design, so I think we were more mature about data protection than an average start-up out there.
Ronald from Jobbatical: Again, we were quite fortunate, because we knew that we would be operating an international platform. And also, that we would practice what we preach, i.e. we would have people working for us from abroad and sometimes moving to Estonia. That meant that the only feasible strategy was going cloud-native for pretty much everything. There are some constraints and it’s not ideal, but you can get a lot in terms of protection when you rely on large cloud providers and their satellite services.
Natalja from CYBERS: This makes sense and many start-ups make this choice. Do you think there is any downside to that?
Ronald from Jobbatical: There is. It’s very easy to just forget about your infrastructure security altogether and become complacent when you go with AWS, Azure etc. Some time ago, we had a meeting with a large potential customer and they asked us “What is your security strategy?” I, proudly, answered “Cloud!” and they just rolled their eyes at me. So, it was a wake-up call for us to re-evaluate what we were doing and seek more advice on improving our security posture.
Natalja from CYBERS: Yes, it’s an easy trap to fall into. But the marketing of the big cloud providers, Cloudflare, etc. just hammers that “you are totally safe with us” and you honestly want to believe it. What about your developers? How do they handle security requirements? Transitioning towards DevSecOps, etc.?
Ronald from Jobbatical: There are a few things here. The most important one being that security by design has to be a part of the company’s culture. If a company accepts sloppy code with vulnerabilities and backdoors being released, then it’s doomed. I can’t really blame the devs for it. For the last 20 years, the name of the game has been doing it faster. Be agile. If there is an issue but you can complete the sprint, just shove it into the backlog. This stems from waterfall development and is quite enticing, because many, especially younger coders, think in terms of speed: who makes the most commits, who pushes out a feature faster, etc. There is healthy competition, but if red lines get blurry, your backlog gets full of really nasty stuff.
Ronald from Jobbatical: The easiest way is to keep an open dialogue. Every dev knows that it’s much easier to fix the code before the release than X months later. If you explain that from a business perspective there is a similar story: we would rather handle a delay than a data leak. Then it becomes intuitive: it’s better to delay a feature than release it with a hole. And there is of course always pressure and light haggling, but at least in our case, we have a clear understanding.
Natalja from CYBERS: You mentioned a customer rolling eyes. How do customers feel about security today?
Ronald from Jobbatical: It’s changing, for better or worse. We work a lot with ambitious international organizations, and for them, security went to the top of the priority list over the past couple of years. We are regularly receiving security assessment questionnaires, and the first one we got, we semi-failed. In the sense that we answered it quickly and the result was us being “in the red”. Fortunately, the customer gave us some time to review our answers and we improved. Lately, we work with you guys to make sure that our answers are on a level with our actual security. I will always remember how one of your analysts, Marje, said: “You are actually quite good with security, except you are not too good at telling the story.” So, today we are fine-tuning both our security and the story. We want to be transparent with our customers. At the end of the day, most of those are much larger and more experienced than us. This means that their questions and feedback on our responses allow us to learn and improve much faster.
Natalja from CYBERS: Couldn’t have said it better myself. If there are 3 pieces of advice you would give to other start-ups on security and data protection, what would those be?
Ronald from Jobbatical: The first one would be to seek advice early. We took advice on compliance and security almost from day 1, and I’m pretty sure it allowed us to avoid making many mistakes. The second would be to start working on an actual security strategy sooner rather than later. There are a lot of moving parts to it, lots of procedures which can be implemented and made “common”. Doing it fluidly is just much easier. Last would be to make sure that you include security in your growth and scaling. As you adopt new tools and platforms, it’s all too easy to evaluate those for security too.
Natalja from CYBERS: Thank you!