Momentum Episode 17:
Information Security with Johannes Wiklund

Host: Elliott Sprecher

August 2, 2022

About the episode

In this episode of Momentum, the Jform podcast, we discuss all things cyber security with Johannes Wiklund, Jform's head of information security. Learn some best practices for protecting data, both for the company and for its customers.

As technology has advanced over the years, online data and digital information have become intertwined with our lives and businesses more than ever before.

Yet demand for consumer privacy is at its highest, so in an ever-changing digital environment where online information is most prevalent, how do companies safeguard all the sensitive user data they need to collect?

Today we'll be talking to Jform's head of information security, Johannes Wiklund, to find out.

Welcome to Momentum, a podcast by Jform where we talk about technology, productivity tips, insights, and best practices that help us move forward in business and in life.

Let's get started.

All right, so I am here with Johannes Wiklund, head of information security here at Jform, talking about how companies like ours can keep their data safe, or at least how they should keep their data safe. Johannes, welcome to the show.

Thanks so much for having me, glad to be here, Elliott.

Yeah, I appreciate you taking the time. Obviously, this is a hot button topic in today's day and age and can really make or break a company or at least its reputation. We've all heard of data breaches or even been involved in them ourselves, so I think it's safe to say that general awareness around data security has probably never been higher than it is today.

So obviously, as head of information security at a software company like Jform that relies on data collection to operate, that does bear some responsibility. Do you want to start out just explaining sort of in layman's terms for those who may not be too familiar just exactly what information security is and why it's important?

Sure, so in a nutshell, it's really about protecting the confidentiality, integrity, and availability of the systems and networks that essentially the data resides on and that serve up the software functionality that we provide to our customers.

So there's a lot of layers to that obviously, but on a data security aspect, we have to make sure that the data doesn't get compromised, that the data is only available to the authorized users. No one else can edit the data or download data that doesn't belong to them.

Those are kind of the main functional requirements if you will. And what do we do? Well, basically I manage a program that constitutes a number of different things across the areas of people, process, and technology.

Really looking at application security, infrastructure security, as well as compliance to make sure that we comply with all the legal and regulatory frameworks.

Right, so there's obviously a lot of layers and a lot that goes into information security in general. What is really the risk, what's at stake if a company doesn't take data security seriously? Why is there so much fuss these days around information security, would you say?

Well, I think one aspect certainly is there's liability. So if you are a company collecting customer data for a variety of purposes and that customer data then gets exposed to the internet, let's say you have social security numbers as an example, if you're a US-based company, and those social security numbers associated with names get exposed, you as the data owner actually have a liability.

You may have to pay for credit monitoring for those individuals and you may have to report breaches to various regulatory authorities. Owning any kind of data, especially personal data, comes with a lot of responsibility and that's really why it's a big deal.

Many attackers obviously take advantage of that and they try to extort data owners by either encrypting files such as in a ransomware case or they try to hack in and essentially steal a company's data and then try to extort the customer to not leak that data on the internet.

There are many attempts and ways out there for hackers to steal data. Maybe we'll dive into that in a second here, but let's take a step back. What does your role specifically as head of information security at a software company like Jform entail? You said you oversee several different programs that deal with different facets of security, but how would you describe your job in a nutshell and on a daily basis what do you actually do to keep that data safe?

Good question. Let me try to describe a couple of different facets. First of all, as a software as a service company, Jform deploys new code updates to our consumers on a pretty frequent basis.

Every time we deploy a code update, there's a certain amount of security testing required because there's always a risk that a software update may have caused a problem.

We rely on a combination of both automated and manual testing to catch those problems before the bad guys do.

Now, in many cases, if a problem does exist, it can be theoretical. It doesn't necessarily mean it's exploited right away, but we also invite security researchers from outside the company to participate in our bug bounty program.

If someone in the outside world finds a problem that we are not yet aware of, and maybe it's a theoretical exploit but meaningful enough that it could have been used by a bad guy, we actually like when ethical hackers report those issues to us and we reward bug bounty hunters for reporting valid bugs.

Bug bounty hunters are security researchers who work for themselves on the basis of finding vulnerabilities at various companies and being rewarded for that. Some do it part-time, some full-time, and many large software companies have these bug bounty programs where security researchers are invited to report bugs and receive rewards depending on the severity and impact.

That's only one aspect of our application security program. We also do a lot of our own internal testing, both automated and manual, which is one of the pillars for software companies to ensure good application security practices.

The second pillar is infrastructure security. We run everything 100% in the cloud, so we don't have physical servers in our offices. Cloud providers have a shared security model where they take care of physical security, but as the cloud customer, I have to worry about network security and making sure servers are patched to withstand vulnerabilities and protected by network security controls.

Part of my program is ensuring our production systems are adequately protected.

The third important aspect is compliance. Jform participates in several compliance frameworks such as the Payment Card Industry (PCI) standard for companies that accept credit card payments, which involves rigorous certification testing every year.

We also have a HIPAA compliant version of Jform for healthcare industry users, which is subject to another set of controls. Personal health data gathered by customers needs to be encrypted so only the customer can see it, and health information can never be sent over plain text email.

By subscribing to our HIPAA version, medical providers or other covered entities can use Jform as part of their business processes. We also operate within the European Union and are subject to GDPR privacy laws, allowing European customers to have their data stored on servers inside the EU and not exported outside the union.

My compliance function continually assesses our processes to ensure we are compliant with these frameworks.

That was a lot between coding, compliance, infrastructure, PCI compliance, HIPAA compliance, and European Union compliance. It must be hard to know where to start with all that. Do you have teams under you whose only job is to facilitate these updates, or is this ingrained in every engineer's function?

Great question. I have many smart individuals who can multitask and add value in several areas. We're a small, lean organization, so we don't have large teams for each function. I recently streamlined the group so those three functions each have a separate team lead, allowing individuals to focus more on their core mission while still sharing responsibilities around security operations and response to inquiries or issues.

That makes sense. I assume large companies like Microsoft have entire departments dedicated to facets like this. We're not that size yet, but it makes sense.

Taking HIPAA compliance as an example, could you talk about what it takes to be HIPAA compliant and maintain that compliance? Is it an ongoing process or just a certification once a year?

Interesting question. From a customer perspective, many small to medium-sized medical practices signed up with Jform's HIPAA solution during the pandemic to move paper forms online securely for telemedicine.

Jform's HIPAA compliant version allows integrating a form builder into business processes so medical practices can digitize paper forms. Jform becomes a data processor, but the medical office remains the data owner.

Compliance isn't just clicking a button to upgrade your account. Customers contract with Jform as a form builder, but what they do with the data is up to them. They must safeguard data inside and outside of Jform and track who views the data to stay compliant.

Annually, we have controls to prove compliance involving testing and auditing, which requires time and attention.

Just because you have a HIPAA compliant form builder doesn't mean your organization is immediately HIPAA compliant. Every organization must maintain their own compliance and ensure they have compliant vendors and partners like Jotform.

Thanks for indulging all these questions. I've been curious what a head of information security does at a company like this.

Happy to share. Many people in the industry have 20-plus years of experience, but 20 years ago, there were almost no information security professionals. The demand for talent is much larger than the supply.

I came from IT and software development, starting as a software engineer, then project management, IT operations, and enterprise architecture of large-scale business systems.

About eight years ago, I transitioned into information security, starting a cybersecurity program from the ground up at a small startup, building out people, process, and technology aspects while supporting company growth.

I joined Jform less than a year ago, taking over a good team with solid capabilities, aiming to level up the team and bring capabilities to the next level of maturity.

My software engineering background helps me be conversant in technical processes, especially for application security, while infrastructure security team members often have system administration backgrounds.

My day-to-day varies between strategic roadmap planning and troubleshooting specific issues with team members, combining managerial and hands-on activities.

Thanks for sharing. Shifting focus, what is the biggest threat to a company's data today? Cyber attacks, negligence, misuse?

Cyber attacks are getting more common, and no company is immune. Automated attacks look for open servers with default passwords or use phishing targeting anyone. If someone clicks a phishing link, attackers may gain access without detection.

Small companies can outsource cybersecurity programs or use fractional CISOs to establish policies and conduct penetration tests, even with minimal infrastructure.

A big threat is not knowing your responsibilities regarding data. Data owners must safeguard data and understand regulations to avoid costly mistakes.

Jform facilitates data collection but does not collect data for itself. Users must do their part to protect data and understand their responsibilities.

By subscribing to Jform or similar solutions, small businesses may become accidental IT administrators with significant responsibilities, so they should understand those responsibilities.

Are certain companies more susceptible to data security issues?

Anyone with servers or business email systems is susceptible, but larger companies have larger attack surfaces and attract more sophisticated attackers.

Sophisticated attackers move fast; ransomware attacks that took days now take minutes, so defenders must be equally fast.

Information security has evolved from isolated professionals to a mission everyone shares. Education and awareness are key to rallying the entire company around cybersecurity.

We conduct phishing campaigns targeting different job categories and encourage employees to report suspicious activity without fear of punishment to solve problems early.

Phishing scams often impersonate executives, sometimes targeting new hires by exploiting social media and personal contacts, asking for favors like buying gift cards.

Policies require confirming unusual instructions, like wire transfer changes, by voice call to prevent falling for scams, emphasizing verification before action.

Attacks have accelerated due to more sophisticated scripting and automated toolkits, making attacks faster but also easier to detect with proper defenses.

Common steps companies take include employee training, protecting account credentials with strong passwords and multi-factor authentication, which can thwart many attacks.

Password policies have become stricter with requirements for complexity and length, and two-factor authentication is increasingly required, improving security.

Avoid reusing passwords across systems to prevent attackers from leveraging breached credentials in automated attacks like spray and pray.

Consumers should look for relevant certifications like HIPAA for healthcare, PCI DSS for credit card processing, and SOC 2 for general security controls, which Jform is pursuing.

SOC 2 certification shows customers that a company follows security controls across multiple categories, making it easier for enterprise customers to trust and reducing custom reviews.

For startups or small businesses, don't ignore information security. Invest in training and education for the person handling data and systems, and consider consulting services to ensure protection.

Take information security seriously regardless of industry. If you have any online presence or servers, you're at some risk, so get educated or bring on the right people.

Building a successful security program is like a three-legged stool: people, process, and technology. You can't rely on technology alone; you need capable staff and solid processes.

At Jform, we are raising all three legs simultaneously, acquiring technical solutions, training staff, and establishing processes to account for changes, testing, and protecting customer data.

You can't build a program without considering all three aspects, and that's a crucial perspective.

Thank you so much, Johannes. This has been very informative and educational. It's remarkable how much goes into information security, a world many of us might not be familiar with but should be aware of at least on a service level.

You're welcome. This was fun. Have a good one.