Conversations: Jon Kerby on Data Privacy and the Importance of Security Certifications
11 Apr 2023 | Jessica F. Lillian | 6 minutes
The Conversations series features candid conversations with RainFocus executives and other thought leaders. You’ll find discussion of breaking news, invaluable industry tips, and commentary on the biggest topics of current interest to events and marketing leaders.
In this post, we sat down with Jon Kerby, senior director of information security at RainFocus, to talk about how he maintains top-notch security and client data privacy on the RainFocus platform and beyond. With ever-evolving potential threats and changes to technologies, the stakes are high and the job can be increasingly complex. He also shares his top tips for making sure your organization is taking a comprehensive approach to security.
One of the hottest topics right now is cookie deprecation. How does it relate to data privacy?
The end of cookies was spurred about five or six years ago, but consumers have long had suspicions and questions. They are aware that when they give their data to a company, the company owns it, and they don’t know exactly where it might go. Often there were no repercussions for bad behavior.
Nevertheless, cookies have been very important for marketing, and from the user side, cookies were also very helpful — you wouldn’t have to re-input data or enter settings again, and so on. We use OneTrust, which is a great platform to manage cookies and helps us follow GDPR and state-level laws that are quickly appearing in the privacy landscape.
So what comes next after the end of cookies?
The big initial indicator that things were truly changing was Google — their announcement on cookies set the precedent that yes, this transition would be happening. But it’s not an overnight change.
Eventually, companies will emerge with new technologies. I think that’s a great step. A cookie-less future will help people feel more secure. They can participate in things they want without worrying about where their data is going.
In the tech world, any time there is an issue or a need, there’s always someone thinking of a way to solve it — and find a way to monetize it. So with new technologies, there will be ways to do more than what cookies did in the past.
For events specifically, there will be a huge opportunity for that data to become even more important. How do you see that playing out?
It’s another way for RainFocus to really stand out. Many companies were used to getting data from their cookies, so they might be concerned about missing crucial data points in the future. But one system that already exists with a wealth of data is the event platform. If you can easily link that data with the rest of your technologies, it’s even more valuable.
During the event lifecycle, organizations get some data when attendees register, but the bigger influx is from what sessions they sign up for, what they actually attend at the event, which exhibitors they meet with, and so on. They are “voting with their feet,” providing data on their preferences.
Security — for data privacy and beyond — is something RainFocus has always taken very seriously. What is your team’s approach to monitoring and protecting?
With security threats constantly evolving, it’s tough for any company to be completely on top of every possible zero-day or unseen vulnerability. The best thing to keep doing is to evolve the security program more every year.
For example, roughly 15 billion spam emails make their way across the internet every day. That means some will get through any filtering. For us, providing continual training for all RainFocus employees is essential. We also share best practices, and with our remote team, it’s important to include ways to stay secure while working from home.
Another area that RainFocus’ security team is focused on is potential supply-chain vulnerabilities. We make sure everyone keeps software up to date to reduce bad actors’ opportunities to penetrate our systems. We also conduct regular audits of permissions and users’ access to ensure data is protected.
How do you decide which third-party certifications to pursue?
RainFocus takes the responsibility given by clients to safeguard their data as one of our chief responsibilities. We are confident we have the most secure event platform. We are constantly performing internal and external audits to ensure we are protected against emerging threats and vulnerabilities.
We’re ISO/IEC 27001 certified, and this certification is handled by an external auditor annually. We decided to pursue that certification in particular because our client base is international. Standards like SOC 2 are not as well recognized outside the U.S., whereas ISO is something that is globally accepted.
Another important certification is PCI DSS, which covers credit card payment security. This is an additional external audit performed annually. Given that we host events, people often input credit card and other payment info, which we must ensure stays safe and secure. Related info might include addresses and, for our international clients, visa and passport numbers.
Unfortunately there are bad actors all over the world, whether it’s particular countries or just rogue groups looking for data to build fake accounts. Many situations we read about involve major consequences from just one account hacked, so security is critical.
What are the specific benefits of these certifications? Would you recommend them to other companies?
To earn certifications, we bring in an independent auditor. They check access rights, encryption, processes, internal finance systems, and everything else to make sure data is safe. So the benefit of the certification is that someone is giving an official stamp — if the auditor had missed something and then a security incident occurred, they’re on the hook for that, and their reputation could be damaged. So they take the audit very seriously.
Not many companies have these certifications yet. But people are starting to realize that when it comes to security, sometimes you can’t just take someone’s word for it. That’s why third-party certifications exist.
Finally, any other best-practice recommendations to maintain security in the modern age?
Role-based access control is very important and often overlooked. For example, companies might make everyone an administrator by default on the marketing automation platform “just in case” they need those capabilities. Instead, you should carefully consider what access everyone needs and what access they don’t need. Weekly or monthly reviews to see who still needs various levels of access are important.
Most people have good intentions when setting roles, but bad actors know what’s going on and can take advantage. If, for example, one of those admins on the marketing automation platform clicks a phishing link, now the bad actors have gained admin rights. Worse, if the person uses the same password in multiple places, which is also common, the bad actors can get in anywhere. They can even reset passwords and delete account emails before the person realizes what has happened.
Security technologists often feel like their role is to “fortify the castle.” But another major part of your job is internal marketing — you need to “sell” to everyone in the company that bad actors are out there. Security is everyone’s responsibility.
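The periodic access review Jon describes (checking who is an administrator “just in case,” and who still needs the access they hold) can be turned into a repeatable check. The script below is an added example and is not RainFocus code or any product’s API: it runs over a constructed user/role export for a hypothetical marketing automation platform, compares each account against a least-privilege baseline per team, and flags over-privileged and stale accounts. The team names, role names, field names and the 90-day staleness threshold are all assumptions chosen for illustration.

```python
"""Periodic access review for a marketing automation platform.

Added example (not RainFocus code). The account export, team -> role
baseline, role names and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Role ranking: a higher number means more privilege (constructed).
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}

# Least-privilege baseline: the highest role each team's job actually needs.
# Hypothetical values; a real baseline comes from the role design exercise.
TEAM_MAX_ROLE = {
    "marketing-ops": "admin",
    "content": "editor",
    "sales": "viewer",
    "contractor": "viewer",
}


@dataclass(frozen=True)
class Account:
    user: str
    team: str
    role: str
    last_login: date  # constructed field; a real export would carry this


@dataclass(frozen=True)
class Finding:
    user: str
    code: str
    detail: str


def review_access(accounts, today, stale_days=90):
    """Return findings for one access review.

    OVER_PRIVILEGED: role exceeds the team's baseline (the "everyone is
                     admin by default" problem); each such account is a
                     full-platform takeover if its owner is phished.
    UNKNOWN_TEAM:    no baseline exists, so the role cannot be justified.
    STALE_ACCESS:    no login within stale_days; remove or re-justify.
    """
    findings = []
    for acct in accounts:
        allowed = TEAM_MAX_ROLE.get(acct.team)
        if allowed is None:
            findings.append(Finding(acct.user, "UNKNOWN_TEAM",
                                    f"team {acct.team!r} has no role baseline"))
        elif ROLE_RANK[acct.role] > ROLE_RANK[allowed]:
            findings.append(Finding(acct.user, "OVER_PRIVILEGED",
                                    f"holds {acct.role}; baseline for "
                                    f"{acct.team} is {allowed}"))
        if (today - acct.last_login).days > stale_days:
            findings.append(Finding(acct.user, "STALE_ACCESS",
                                    f"last login {acct.last_login.isoformat()}"))
    return findings


def admin_exposure(accounts):
    """(admins, total): how many accounts would hand over admin rights if phished."""
    admins = sum(1 for a in accounts if a.role == "admin")
    return admins, len(accounts)


# Constructed sample export, as a platform's user list might look on review day.
REVIEW_DATE = date(2023, 4, 11)
SAMPLE_ACCOUNTS = [
    Account("ana", "marketing-ops", "admin", date(2023, 4, 10)),   # justified admin
    Account("ben", "content", "admin", date(2023, 4, 9)),          # admin "just in case"
    Account("cho", "sales", "viewer", date(2022, 11, 1)),          # stale viewer
    Account("dev", "contractor", "admin", date(2022, 12, 1)),      # over-privileged and stale
    Account("eli", "intern", "editor", date(2023, 4, 1)),          # team has no baseline
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{f.code:16} {f.user:6} {f.detail}")
    admins, total = admin_exposure(SAMPLE_ACCOUNTS)
    print(f"{admins} of {total} accounts are admins")
```

Run weekly or monthly, as the interview suggests, the output is the list of accounts to discuss with their owners; the admin count is the number of people whose single phished credential would yield administrator rights, which is the figure worth driving down over successive reviews.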