As a SaaS company, the security and protection of our customers’ data are paramount. So, as we continue to grow our team, this is an area of critical importance: ensuring we have the right people on board to secure and maintain the protection and integrity of the data our customers entrust to our software.
Enter Sabino Marquez! Having recently joined Cognota as our Chief Information Security Officer and Director, PrivacyOps, Sabino took some time to share his philosophy on InfoSec and the value that data security brings to organizations of all sizes and industries.
Tell us a bit about yourself and your career to date.
I started off in the mid-90s doing systems administration work. In parallel with that, since at least the mid-80s I had been what was known back then as a “hacker”. Before the internet, it was a different place and you could do things and learn things that you just can’t in the same way today. My interests had always been in breaking complex systems and figuring out how I did it. Why did this break and how can we make it better?
By the early 2000s, IT certifications had become necessary to work in IT. In the late 90s, I had gone to a school that sold a certain type of certification and was appalled by the quality of the education and the learning material. So, I started my own school with the idea that yes, you’ll get a certification but really what we’re going to do is figure out what kind of nerd you are and then build a learning program that serves the type of nerd brain you have. We even partnered with a psychologist and a learning specialist to create psychometrics that allowed us to identify in adult learners the type of technology they’re more inclined to succeed in. It was a pretty cool system.
I ran that school for about four years and then I decided that the time was right to get a full-time job in security in the early 2000s. The things I had enjoyed doing for fun, breaking systems etc., had now become a full-fledged career path. Now, it was called “ethical hacking,” “red-teaming,” and “penetration testing” – new names for the same activities I was familiar with.
So I took a position at this company where my job was essentially to rob banks. I was a bank robber in all manner of ways that one can rob banks: from hacking into their clearing-house systems, to trying to break their ATMs, to walking into branches to drop USB sticks, and then reporting my findings.
How about your journey within the SaaS market?
After about six years of helping secure banks and credit unions, I moved to Vancouver and started working for SaaS companies that were all creating new market segments.
Prior to this, I worked with a company called Vision Critical (now called Alida) and they were pioneers in market research software. After that, I worked with Allocadia, who were pioneers in marketing performance management software. Now, I’m working with Cognota – pioneers in end-to-end LearnOps software.
So, that’s kind of my thing. I help companies that are doing new things be trusted by the stakeholders that we’re communicating with – because SaaS companies are different from other companies. Back in the old days when you bought software on disk, a team of devs would design, build, and ship the software to manufacturing. At the end, you’d have a certain definition of “done.”
But modern software and SaaS products are alive, meaning that the developers will build and deliver software and then continue to build and deliver software. Features don’t stop and bug fixes don’t stop. So the question is no longer just: is the software secure? Now, the question has evolved to: is the way we run our business secure? Are we making secure decisions? Are we thinking about value, safety, trust, and assurance?
What is the most important thing your role brings to the table at any stage in a company’s journey?
The data that our customers put into our systems is immensely valuable to them. It’s not just data – it’s the data that they use to run their worlds. While I’m not defending banking data at Cognota, I might as well be because, to our customers, it has the same value and importance as banking data. So, everywhere I go I like to build bank security programs even if there is no need at all to build a bank security program because our customers need their data to be safe and I want to draw a direct line between actual safety and what auditors like to call “compliant.” The thing is, every company that’s ever been robbed has been compliant. If the goal is to not get robbed, then you have to go beyond compliance into safety.
When it comes to the customer’s perspective, there needs to be the highest level of trust that the system you’re interacting with is safe. So the goal is to overwhelm the customer with a sense of trust by showing them what we do.
I’ve been working in SaaS for a long time and my job has two sides. The first side is serving our customers’ trust needs. That means making sure that, not only is our own product safe, but all the SaaS products we use internally are also behaving securely. The second side is what I do for Cognota. When selling into verticals, accounts, and supply chains that have rigorous compliance requirements, we need to have every capability to check every compliance box for whatever the regulation is. So, in that way, security for a SaaS company like Cognota is very much a revenue practice. It’s a critical decision point in the buying and renewal process for SaaS products.
Security is also about the value of a company. About a decade ago, Yahoo was put up for sale and there was five billion dollars on the table. During the negotiations, Yahoo was hacked and billions of records were stolen. That incident knocked 20% off the deal, which told the market that security can be up to 20% of an M&A deal. Doing security wrong can cost the shareholder 20% of the value of the company but if you do security right, you can maintain and enhance the company’s value when it comes time to undergo a valuation review.
What are your thoughts on working in tech within the learning and development industry?
One of the first perspectives that I gained on our software is its importance forensically. When you’re governing learning programs at scale, evidence of the program’s functioning is critical. When you think about learning operations data, it may not be regulated data but it could become material data.
So, at scale, our customers care about not only the security of their data but the integrity of their data vis-a-vis a forensic process that their data may be called into supporting. That’s an area of resilience that I think our customers very much appreciate. They might not even think about it until it’s time, but they need to know whether the data is forensically sound.
For example, a lot of the content that is governed over the life cycle of a learning program hits a lot of compliance requirements for the customer. So, not only do we have to defend the data forensically to support any type of risk event our customer may go through, we have to protect its integrity. In general, it’s thinking about how data safety plays into the world of the user and how they would be impacted in case of some type of loss event.
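The answer above is about whether learning-operations records can stand up as evidence: not just that the data is still there, but that nobody has quietly changed or reordered it since it was written. A common way to make that checkable is a hash-chained audit log, where each record commits to the hash of the one before it, so a later edit or a deleted entry breaks every hash after it. The block below is an added illustration of that idea and is not Cognota’s code or anything described on the page; the record fields, the event samples and the function names are all constructed for the example.

```python
import hashlib
import json

# Constructed sample events for a learning program (illustrative only; not real data).
SAMPLE_EVENTS = [
    {"learner": "u-1001", "course": "AML-101", "status": "enrolled", "at": "2024-03-01T09:00:00Z"},
    {"learner": "u-1001", "course": "AML-101", "status": "failed", "at": "2024-03-08T14:20:00Z"},
    {"learner": "u-1001", "course": "AML-101", "status": "passed", "at": "2024-03-15T11:05:00Z"},
]

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding, so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(seq: int, prev_hash: str, event: dict) -> str:
    """SHA-256 over the sequence number, the previous hash and the event body."""
    return hashlib.sha256(canonical({"seq": seq, "prev_hash": prev_hash, "event": event})).hexdigest()


def append_event(chain: list, event: dict) -> dict:
    """Append an event, linking it to the current head of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "prev_hash": prev_hash, "event": event,
             "hash": entry_hash(seq, prev_hash, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Walk the chain from the start. Returns (True, None) if every link holds,
    otherwise (False, seq) with the first entry that fails its check."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != expected_prev:
            return False, i  # entry removed, inserted or reordered
        if entry_hash(entry["seq"], entry["prev_hash"], entry["event"]) != entry["hash"]:
            return False, i  # entry body edited after the fact
        expected_prev = entry["hash"]
    return True, None


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


def tamper_edit_demo():
    """Quietly rewrite a failed attempt as a pass; the edited entry's hash no longer matches."""
    chain = build_sample_chain()
    chain[1]["event"]["status"] = "passed"
    return verify_chain(chain)


def tamper_delete_demo():
    """Drop the failed attempt entirely; the next entry's seq and prev_hash no longer line up."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_sample_chain()))   # (True, None)
    print("edited entry:", tamper_edit_demo())                   # (False, 1)
    print("deleted entry:", tamper_delete_demo())                # (False, 1)
```

Two caveats a practitioner should keep in mind. A hash chain only proves that the log is consistent with itself; someone with write access to the whole store can recompute every hash after a change, and truncating the tail is invisible to this check. To make the log forensically sound against that, the head hash (and entry count) has to be anchored somewhere the writer cannot alter, for example signed and handed to the customer or a third-party timestamping service at regular intervals, so that a later verification can be compared against an independent copy.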
What will be your main contributions to Cognota in your role here?
My plans are to implement a management program called value assurance. It’s a management system that flattens the security program so that everybody in the company is on the security team and is called upon to defend the company’s and the customer’s value.
When we do that, suddenly we start to think about data in a different kind of way because it’s not just: what value does a customer get from the data? It’s: what value would they lose if it’s not available? Even though the work I do is technical, I align the work to value, revenue, and the customer.