Move great people around the Planet while keeping their data safe

CYBERS 21.05.2021

I enjoy working with start-ups. Primarily, because every time I get to talk and work with people who are very much reshaping our future. The same can be said for the rest of our team: “Blues” like to work with protecting infrastructure and business cases they might have never seen before. “Red” penetration testers enjoy getting their teeth into new frameworks and boy do they enjoy trying social engineering on young ambitious people (probably too much as well).

So, it was a great pleasure to have Ronald Hindriks, Co-founder and Ops leader of Jobbatical, join me for a fireside chat about security and start-up challenges.

Natalja from CYBERS: Hi Ronald! Could you give me an elevator pitch of what Jobbatical is?

Ronald from Jobbatical: Sure. Jobbatical started as a platform focused on recruitment but we quickly realized that the real value we can provide to our customers is with relocation. Now, COVID19 aside, there is a huge lack of talent at any given company’s doorstep. But what do you do, as a recruiter from say Germany if the only candidate you could find is from Brazil? How do you go about moving them over? How do you make sure that their experience with your company is amazing? What do you do if you need to move 5 people each month? Recruiters and HR go crazy with Excels and forms trying to make it work, to ensure the best experience for their new team members. This is where the Jobbatical relocation platform and relocation service come in.

Natalja from CYBERS: Sounds meaningful. But then this means that you are processing quite a bit of personal data? How do you handle that, as a startup?

Ronald from Jobbatical: Well, I think we were lucky. From the very start, we were aware of GDPR and data protection, so once we hit it off, there was not much new for us. We had good advice on privacy from our early advisors and legal partners. Our engineers understood the value of security by design, so I think we were more mature about data protection than an average start-up out there.

Natalja from CYBERS: With this realization so early on, did you make any special steps towards ensuring your data protection strategy?

Ronald from Jobbatical: Again, we were quite fortunate, because we knew that we will be operating an international platform. And also, that we will practice what we preach, e.g. we will have people working for us from abroad and sometimes – moving to Estonia. That meant that the only feasible strategy was going cloud-native for pretty much everything. There are some constraints and it’s not ideal but you can get a lot in terms of protection when you rely on large cloud providers and their satellite services.

Natalja from CYBERS: This makes sense and many start-ups make this choice. Do you think there is any downside to that?

Ronald from Jobbatical: There is. It’s very easy to just forget about your infrastructure security altogether and become complacent when you go with AWS, Azure, etc. Some time ago, we had a meeting with a large potential customer and they asked us “What is your security strategy?” I, proudly, answered “Cloud!” and they just rolled their eyes at me. So, it was a wake-up call for us to re-evaluate what we were doing and seek more advice on improving our security posture.

Natalja from CYBERS: Yes, it’s an easy trap to fall into. But the marketing of the big cloud providers, Cloudflare etc. just hammers that “you are totally safe with us” and you honestly want to believe it. What about your developers? How do they handle security requirements? Transitioning towards DevSecOps etc.?

Ronald from Jobbatical: There are a few things here. The most important one being that security by design has to be a part of the company’s culture. If a company accepts sloppy code with vulnerabilities and backdoors to be released then it’s doomed. I can’t really blame the devs for it. For the last 20 years, the name of the game has been doing it faster. Be agile. If there is an issue but you can complete the sprint – just shove it into the backlog. This stems from waterfall development and is quite enticing. Because many, especially younger coders think in terms of speed: who makes most commits, who pushes out a feature faster, etc. There is healthy competition but if red lines get blurry, your backlog gets full of really nasty stuff.

Natalja from CYBERS: So, how do you teach this methodology of security first?

Ronald from Jobbatical: The easiest way is to keep an open dialogue. Every dev knows that it’s much easier to fix the code before the release than X months later. If you explain that from a business perspective there is a similar story: we would rather handle a delay than a data leak. Then it becomes intuitive: it’s better to delay a feature than release it with a hole. And there is of course always pressure and light haggling but at least in our case, we have a clear understanding.

Natalja from CYBERS: You mentioned a customer rolling eyes. How do customers feel about security today?

Ronald from Jobbatical: It’s changing, for better or worse. We work a lot with ambitious international organizations and for them, security went to the top of the priority list over the past couple of years. We are regularly receiving security assessment questionnaires and the first one we got, we semi-failed. In the sense that we answered it quickly and the result was us being “in the red”. Fortunately, the customer gave us some time to review our answers and we improved. Lately, we work with you guys to make sure that our answers are on the level with our actual security. I will always remember how one of your analysts, Marje, said: “You are actually quite good with security, except you are not too good at telling the story.” So, today we are both fine-tuning our security but also, the story. We want to be transparent with our customers. At the end of the day, most of those are much larger and more experienced than us. This means that their questions and feedback to our responses allow us to learn and improve much faster.

Natalja from CYBERS: Couldn’t have said it better myself. If there are 3 pieces of advice you would give to other start-ups on security and data protection, what would those be?

Ronald from Jobbatical: The first one would be to seek advice early. We took advice on compliance and security almost from day 1 and I’m pretty sure it allowed us to avoid making many mistakes. The second would be to start working on an actual security strategy rather sooner than later. There are a lot of moving parts to it, lots of procedures which can be implemented and made “common”. Doing it fluidly is just much easier. Last would be to make sure that you include security in your growth and scaling. As you adopt new tools and platforms, it’s all too easy to evaluate those for security too.

Natalja from CYBERS: Thank you!
