Our team interviewed Ryan Kennedy, Security Architect at Wide Open Tech, who is anything but cryptic when helping clients understand data security. Here’s a little bit more about what he does to mitigate data risks and keep our clients’ data safe. Connect with us if you wanna learn even more.
1) What is a Security Architect?
“Security Architects are responsible for designing, implementing and maintaining cohesive security frameworks for an organization. These frameworks should help the organization achieve its business goals as safely as possible.
For a software company, that means things like conducting regular audits of code repositories, defining software and patch level baselines, configuring server whitelists and access rules, ensuring customer data are being encrypted at rest and in transit, and staying up to date on the latest threats and vulnerabilities affecting the organization.
Security Architects also serve as a resource for fellow developers and customers, answering or researching any security-related questions or concerns they may have and working with them to develop effective strategies and solutions.”
2) How did you get started in data security?
“I started my career in the data center at SAS Institute, Inc., working my way into senior systems administrator and developer roles. Physical and information security are vital concerns in data center environments. As a result, I was trained on and exposed to a huge number of concepts and best practices.
That training and exposure effectively doubled when I joined the Restricted Data Services group at Duke University’s Social Science Research Institute. At Duke, I moved away from the hardware side of security and began focusing on the software side, particularly through web applications.
At Wide Open, I’ve been combining those experiences into developing a more thorough set of security guidelines and standards that we can follow internally and share with our customers.”
3) As Security Architect, what are your goals?
“Many! Customers are entrusting us with their crown jewels: application code, business data and user information. While those jewels are in our care, I want our customers to know that we’re taking every step to secure them. We want to make it obvious that we take their data seriously, and that we’re handling those data in considered, intentional and low-risk ways. In a word: trust.
To achieve that, we have to start internally. We need to make sure that we’re following best practice when we handle data, that our systems and software stay up to date, that our code is vetted against standards like those published by OWASP, that we’re using password management software and encouraging customers to do the same, and most importantly that we’re always learning and adapting.”
4) What’s your favorite part about being a Security Architect?
“It’s probably no secret that I’m a huge crypto nerd. Seriously, I could talk about this stuff until my face turns blue! One thing I’ve noticed when talking to people is that they typically start our conversations thinking cryptography and information security are difficult, often nebulous concepts that only the most technically minded can understand.
That’s totally not the case, and what really brings me joy is breaking those concepts down into less technical terms until that “aha!” moment when it all starts to make sense. It’s so exciting for everyone involved when that happens, and more often than not I find it increases engagement with security in very important ways.”
5) Why should businesses be concerned with data security?
“Our lives are increasingly digital: there are portions of our identity, activities, business and communications that are always on and always available. Information, once exposed to the internet, is very difficult to contain and effectively impossible to remove.
According to a study by the Identity Theft Resource Center, 2016 saw a 40% increase in the number of data breaches at U.S. companies and government organizations compared with 2015, and those numbers are only continuing to grow.
Users are beginning to rethink not only who they trust with their data, but what kind of data they’re providing and even what kinds of devices they’re using. Brand alone often isn’t enough to establish trust: users want well-documented policies, evidence of responsible data handling and prompt, clear information when an event does occur.
To that end, businesses have begun investing heavily in their own security initiatives, both to protect their users and themselves from the risk and cumulative damage of breaches and other incidents. As the threat landscape continues to evolve, it’s overwhelmingly apparent that a strong security focus is the only way for businesses to remain successful into the future.”