Welcome to the inaugural edition of “Spotlight Series, Voice of Your Peers,” DataGrail’s interview series featuring Q&As with privacy, legal, and security industry leaders. In this series, we aim to educate industry professionals and help advance their privacy programs and careers by presenting insights and perspectives from experts at the forefront of the ever-evolving data privacy space.
Please enjoy the debut of “Spotlight Series” with our customer and friend, Eric Richard, the CISO for HubSpot. A former engineering leader now dubbed a “SaaS CISO” by his peers, Eric thinks differently about how to protect HubSpot’s employee and customer data.
“If I’m trying to protect our customers’ data, I’m doing privacy.”
Tell us about your career experience that led you to running security at HubSpot.
Before becoming the CISO of HubSpot, my entire career I was a VP of engineering. First I was a founder of a startup, where I went on the wild ride of a startup, including going public, the .com crash, and getting acquired. From there I experienced a series of different engineering leadership roles. Nine years ago I joined HubSpot as the VP of Engineering, where I ran the entire product team through six years of rapid growth. Then, three years ago, I took on the CISO role. My experience as an engineering leader informed how I think about security.
Can you describe the role of a modern CISO at a company like HubSpot at the highest level, what are your main areas of focus?
I don’t consider myself to be a traditional CISO—I don’t have the traditional pedigree. When I initially took over, I spent time talking to a bunch of other CISOs in the industry, and they’d call me “a SaaS CISO,” and I’d ask them, “Well, what do you mean by that?”
If you think about a SaaS organization like HubSpot, the most likely thing to make the front page of The New York Times is a product environment breach, since for a SaaS company, the product environment contains the crown jewels of our business. These CISOs acknowledged: who’s better to secure a company’s product environment than the person who oversaw it being built? A SaaS CISO is different from a traditional CISO who’s responsible for securing corporate infrastructure; HubSpot doesn’t have much of a corporate infrastructure.
This is where it starts to shy away from more traditional security: I don’t spend a lot of time worrying if our laptops get stolen. If they are encrypted, it’s just a $2k loss. I am not going to focus a lot on traditional DLP (trying to stop that salesperson from stealing lists before he goes out the door to take to his new job. It matters, but it’s not the most important thing to prioritize). I care about our employees being protected. I care about our customers’ data being protected.
And, to your question, “what’s our focus?” In many ways our focus is the same thing any CISO would think about: What are the ways that a bad actor could steal our crown jewels?
What are our crown jewels? It’s our customers’ data. I’m thinking about how a bad actor might get there. What are the attack vectors? Where are the attack vectors? Everything that we think about is how we protect our customers’ data.
How do you think your role or the role of the SaaS CISO evolves in the future? Do you see significant change in the coming years?
There’s a really interesting trend going on. Three years ago, HubSpot was basically an all-in-office company, and an enormous amount of security protections were in our corporate offices, in our firewalls and networks. Today, however, HubSpot is about 10% in-office culture.
It now means I’m asking the question to my IT peers, “Why is our office network any different than a Starbucks? Why should our office network be special, because 90% of our employees are not working on it most of the time.”
Why does the HubSpot corporate WiFi exist? Why have any special permissions associated with being on the corporate WiFi? The modern way we work turns upside down some of the security thinking that we’ve had in the past.
I’ve met the founders of lots of startups who say they have zero corporate network. The Internet itself has become our corporate network and that means we need to think about security with that in mind.
The same goes for physical security solutions. I care about protecting our employees, but mostly they aren’t in the office. If I care about protecting the employees, I have to think completely differently. Do I need to have a 30-second SLA on every single door in every single office that’s been opened? I don’t think so. Instead, I need to focus on helping employees where they are.
Many companies are still very in office, but there’ll be lots of companies who are hybrid—or not in office at all—where you have to change your entire thinking about how you’re protecting everything. Looking at the world through that prism of work-from-home is something we’re all still adapting to in terms of how you evaluate your priorities.
You have a ton of priorities. How do you prioritize them and how do you balance that?
I would say there are two things that we’ve tried to do.
When I started, we very much had a security via compliance approach to the world where much of our security program was driven by compliance needs. So we’d create a security program for SOC and SOC2. It was very much about meeting the needs of those compliance programs.
When I took over, I wanted a security program based on risk. About three years ago, we decided that the Center for Internet Security (CIS) Critical Security Controls was going to be the basis for our security program. They’re very practical. They’re very risk-based. We marched down that list item by item and prioritized that way.
The second thing that we did was put together a comprehensive definition of all of our cyber risk. We track all of our cyber risks, and now we have a pretty darn good sense for what that risk is. Every risk we then rate by different factors that go into a high-medium-low. This drives what’s high risk: high likelihood, high impact. We try to close out high risks sooner rather than later. And, if you do have an incident, then prioritize initiatives to mitigate having that specific incident happen again. The good news is once you get a pretty comprehensive risk inventory, those two should not be divergent.
Where do security leaders generally get involved with privacy? Where does privacy sort of fit into that picture?
It’s a great question, one that I would say we’ve been evolving over time. I own everything related to security, cyber security, physical security. We have a parallel organization under legal privacy, and we work incredibly closely with them. We have Venn diagrams with projects that are highly relevant, and going back to my first comment—if I’m trying to protect our customer data, well then I’m talking about privacy because it’s people’s data.
For people who don’t know, in HubSpot’s case, our data is people data, it’s data about our customers’ customers. Literally we are protecting people’s data, thus privacy. Any place where you’re trying to protect people’s data is my role, and the role of our DPO.
Where it gets a little wonky for me (and that I don’t focus on) is some of the stuff DataGrail helps us with. For example, our business practices around how to handle customer data being acquired from our prospects. How do we make sure we accurately complete data subject access and deletion requests? Are we allowed to message people or not? Those are not security issues. That’s a privacy issue in a different sense of privacy. These are overlapping areas in the Venn diagrams with our privacy teams.
How are the modern CISOs like you buying software? Can you walk us through the framework of how you assess value and eventually reach conclusions?
First thing I’ll say is that we buy a lot of software, especially compared to the engineering side of the house where we build. In security we’re constantly going back to the risks we want to tackle. Are there great solutions out there to solve for them? We regularly expand our portfolio, whether that’s software on HubSpot, laptops that we’re using for our security stack, or enterprise software.
There is a part of buying software that is easy, and there is a part that is hard. The easy part is going back to the problem we’re trying to solve. Let’s look at the companies solving that problem, see how they work, how they solve the problem, how much they cost, and then choose one.
This part is no different than any other vendor evaluation.
The part that is a little tricky (I’m guessing this drives our finance department a little bit mad) is that it’s hard to quantify how much I should be spending on all the software, and when it is important. The great news is that when you have regulatory compliance there is no choice. I expect the new SEC regulations around cybersecurity to drive increased interest from boards. If they see risk, and that risk can be solved with your solution, the board is likely to say, yes, please go spend the money.
Do you have a model for judging the success of your privacy program?
Yes, we’re modeling it after the lessons learned from our security program. We started three years ago with the CIS controls driving our security program. Last year, we decided we’re going to do the same thing for privacy with the EU Code of Conduct. We’re taking a multi-year journey, we’re going to start going through the whole process, and our goal by the end of this year is to be submitting to the authorities to try to get certified. For privacy, we’re going to use the EU Code of Conduct as our measure.
We often think about risk versus reward when it comes to privacy. What are the risks that are top of mind for you and that you’re trying to avoid when it comes to your own program?
Ultimately all of our goals should be to protect data about our customers (and their customers) and respect the privacy of their information.
There are a couple of key challenges here that are different from traditional cybersecurity.
The first is in the privacy realm, you have pretty strong enforcement mechanisms through things like the Data Protection Authorities under GDPR or the other various national and state level regulations. In the US alone there are nearly 20 states considering some form of privacy legislation this year. And you have seen some pretty active actions taken in the EU to enforce data privacy protections.
This feels different from the security world where there are security regulations, but most of those seem to come into enforcement after a major breach.
With this in mind, it is very important to make sure you are staying up to date with all of the emerging regulations and interpretations to make sure you are following the latest guidance. I think every company’s fear is of an EU DPA calling up and saying they’re not doing the right things when they thought they were. We pay very, very close attention to all of the different enforcement actions and court cases that are going on in Europe to understand what is being considered to be compliant, and not compliant.
The other real challenge we face with data privacy is following the data. As an organization, we can do everything right in protecting data in our custody. But every company is then working with an ecosystem of partners, contractors, and vendors who you may be sharing data with. And as soon as you share that data with them, they can now be your weak point in protecting that data.
We have all these moving pieces, and it’s really difficult to ensure you are upholding everyone’s privacy rights across all the individuals we interact with. So what keeps us up at night is not just the regulatory risk but that we’re hyper focused on making sure we protect privacy across all of those areas.
Budgets, generally, are tightening up a little bit. How are you prioritizing spending, given the new economy that we think we might be working through in 2023? Has it changed at all?
Privacy is one of those places where you are in a great space. There are elastic markets and inelastic markets. Security and privacy are largely inelastic markets. When you have regulations you have to comply with, there’s almost no choice.
This market is one of the last places that people cut spending, because you can’t. The risk of being wrong is just too high. It’s company-ending risk if you get it wrong.
One of the pain points we hear often from our potential customers or new customers, is how they can get their boards so enthusiastic and focused on prioritizing data privacy. How did you go about that?
The high-level answer is that when you are a company that is storing customer data, customer trust is one of your fundamental assets. If we lose that trust, it’s game over. Our board and our C-suite implicitly understand that.
There was an event that happened several years ago (we had a large outage of the HubSpot systems) that had nothing to do with security or privacy. But it was one of the first times that our executive team felt the existence of HubSpot to be threatened. It was an existential threat. It got us thinking about other existential threats, and very quickly, security is the next one. You can’t have a big data breach that violates our customer trust. Lose customer trust and it’s game over.