By Mark Emmons
Our “5 Minutes With” profile series highlights business thought leaders, the trends they see, and the work they’re doing – and their hot takes on pizza integrations.
A mentor once told Doug Martin something about technology security that he’s never forgotten: how you’re evaluated when protecting a business is similar to scoring in a gymnastics competition.
“In most sports, everyone starts with zero, and it’s about putting points on the board,” said Martin, Vice President and Chief Information Security Officer at Boomi. “But in gymnastics, you start with a perfect score, and they deduct points when you make mistakes. It’s like that in security. Our job is to make sure nothing happens and we’re not losing points. That’s when you win.”
In other words, quiet is good.
Martin has more than 20 years of experience in the digital security field across a diverse group of industry sectors. Figuratively, he’s on the battlements, guarding the castle. He’s one of the technology professionals in the high-stakes role of securing company assets and keeping customer information safe.
“Businesses invest in security because everything depends on it,” Martin said. “What’s great about Boomi is that I’m an internal CISO and involved in the product. I’m overseeing the protection of Boomi and our customers’ data within our platform.”
Martin took some time to discuss the importance of security in integration, how threats are changing, and why the idea of being a protector matters to him. Here are some lightly edited portions of our conversation.
How did you gravitate toward a security role?
Doug Martin: Much of my background is in threat intelligence and incident response. I was getting into technology when the bad guys started arriving in the early 2000s, and stealing credit card numbers became a business. I ran my first security organization around 2005 and did that for seven years. I’ve done incident response services, where something would arise and we would parachute in to help. I’ve been involved in dozens and dozens of incidents that involved containing and removing attackers from environments.
Not to be overly dramatic, but it sounds a bit like the plot of a Netflix series.
Doug Martin: Just look at everything in the media over the past few years. But it’s hard to understand unless you’ve ever lived through a devastating incident. You just try to paint a picture of what that’s like without sounding like Chicken Little. But really sophisticated and capable nation-states and organized crime organizations out there don’t care about who they hurt. I like being on the side that’s preventing that.
Do companies typically consider security when thinking about integration?
Doug Martin: It’s not the first thing. They’re looking for functionality, availability, and just making sure it works. If they’re using something homegrown or a product from 10 years ago, they’re not equipped to defend many of these more modern attacks. Ransomware has only been around for about four or five years. The old data center model of security was you build a moat around the castle. It’s wide, deep, and has crocodiles in it. You only let down one drawbridge and watch who’s going in and out. It was a pretty decent way to do things. But there are more ways to get into a castle today with all the ways we move and share data. You need a product like Boomi built with security in mind from the very beginning, so getting into the castle is hard no matter what direction you’re coming from.
Why should businesses use a dedicated integration provider?
Doug Martin: When integrations are homegrown, they’re written by people who definitely aren’t security-minded. They’re functionality-minded. They’re probably trying to connect these old, antiquated systems with a lot of technical debt. So, the integrations have been built from the ground up without security in mind. When you partner with an experienced provider, you’re working with someone focused on securing integrations.
What advice would you give for evaluating integration vendors?
Doug Martin: Do they have real, independent audits with teeth to them? It’s important to make sure they’re actually being looked at externally by several different governing bodies. For instance, Boomi is number one in our sector for a security scorecard based on an independent body that looks at our environment for vulnerabilities. That’s why I’m very comfortable having CISO-to-CISO conversations about how we will protect your data and how we can help show you how to do more to protect that data because security is always a shared responsibility. Right now, Boomi is SOC 1 and SOC 2 compliant. We have HIPAA, PCI, FedRAMP, ISO 27001, ISO 27701, ISO 27017, and ISO 27018. And that’s across all of our products and environments.
Can you put that in more understandable terms?
Doug Martin: Think about when you’re buying or selling a house and have inspection reports. Those are independent evaluations of the house. Now, inspectors can be all over the board. Some come in with a flashlight, walk around, and say everything’s great. And then you’ve got other guys who climb ladders into the attic, send cameras down your drains, do foundation tests, and examine the heating and air conditioning. It’s an entirely different level of inspection. What I mentioned are the best evaluators who are reviewing and certifying our platform. Audits like the FedRAMP assessment are no joke.
Any other important considerations?
Doug Martin: Make sure vendors have hosting models that fit your business needs and risk tolerance. For instance, Boomi has models in our public cloud and our private cloud, and you can even host the runtime in your cloud.
Why do our customers trust Boomi?
Doug Martin: Connecting systems and eliminating technical debt securely is what we do. We spend millions and millions of dollars on securing our code and our environments. So, you get that economy of scale. If you’re a midsize company with a two-person security team, and you’re trying to connect your systems, there’s no way you’ll duplicate our level of security and investment on your own.
You come across as having a calm demeanor. Do you need that in technology security?
Doug Martin: I’m not a calm person. I’m a Sicilian! But when you’ve worked a lot of hours in incident response, you learn to make sure you’re calm and collected. Imagine if the fire department showed up at your house at 3 a.m., and they were running around like they didn’t know what they were doing. It’d be a very unsettling experience. We have to be the calm firemen who know what we’re doing, pull the hoses out, and hook everything up. How we represent ourselves to our internal customers is really important.
Before you go, what’s your favorite pizza integration?
Doug Martin: I like Italian sausage. Remember, I’m Sicilian.
Up Close With Doug Martin
Home: Fort Worth, Texas
Family: Three daughters and two grandchildren
Career: He has broad experience as a security consultant as well as CISO and senior executive positions at companies, including stints as Global Incident Response Practice Leader at Insight, Senior Director of Information Security at Intuit, and CISO at GameStop and Ancestry.com
Personal Philosophy: “Always looking to learn something new.”
Cool Thing About Doug: He takes full advantage of the great outdoors as a golfer, mountain biker, scuba diver, and anything else involving sun, sand, and water. “If there’s not two palm trees and a hammock, it’s not a vacation,” he added.