Meet Mark Vinkovits, Head of Data Protection at XUND
Since data security and privacy are pivotal to our operations at XUND, we talked to our Head of Data Protection, Mark Vinkovits, to dive deeper into the topic.
Mark explained the importance of data protection to us and spoke about his role as well as some exciting projects he is currently working on.
What does a typical day as Head of Data Protection at XUND look like?
Mark: My mornings typically start with catching up on emails or external documents that have come in. Until 11 a.m., I am usually busy reviewing various random things that need to be looked at. After that, I have a bit of time to focus on internal data protection projects that are part of our quarterly goals. For example, reviewing internal policies and customer-facing materials or doing research for the introduction of some kind of security control or technology. In the afternoon, I usually set up my discussions with either the development team, when they’re designing something that needs my input or with the sales team to review a process or discuss customer requirements.
How did you end up at XUND?
Mark: Before I started at XUND, I worked at a large multinational company, and I felt that it wasn’t really what I wanted to do at the moment. I actually wanted to work in a company where I could have a direct impact on the direction the company takes and the way the security and privacy processes are set up.
When I was searching for job ads on LinkedIn, I saw that XUND was looking for an Information Security Manager, mostly focused on the ISO 27001 certification that was in progress at the time. That wasn’t exactly what I was looking for since I had a security or privacy leadership position in a smaller tech company in mind. But based on the profile of the company, I thought the role might not be strictly limited to that, so I applied anyway. In the interview process, it turned out that XUND needed someone who would take general ownership of the security and privacy issues in the company. Eventually, the role was resculpted a bit, and that’s how I ended up as Head of Data Protection at XUND.
Can you explain data protection in simple terms?
Mark: I don’t necessarily use the term the way many other people use it. Very often, data protection is understood to be synonymous with privacy, but in my opinion, it’s a combination of security and privacy. I would say the biggest motivation for any company concerned with security is to protect personal data. And I think all the technical aspects that are required to protect personal data are what security is dealing with. That’s why in my head, those two things are very closely related. Privacy is about making sure that the personal data we collect and use as part of the product is legitimate in the way we use it. And then the technical measures to protect that data are the security part of it.
"[...] privacy needs to be a top priority when it comes to healthtech. We at XUND want to be prominent in this area by putting great emphasis on ensuring privacy and data protection."
Why is data protection so important in digital healthcare? And how does it impact our business?
Mark: I believe the area where people are most concerned about their privacy is when they’re selecting a service in the medical field. When it comes to just any software, they usually just look at the different features. But when it comes to medical software, I think people have reached that level of awareness where they worry about what’s going to happen to their health data. They may wonder whether the government will have access to the data, or their insurer, who could then change their policy based on their health information. Because of that, privacy needs to be a top priority when it comes to healthtech. We at XUND want to be prominent in this area by putting great emphasis on ensuring privacy and data protection.
What have been the biggest challenges you’ve faced so far?
Mark: A challenge for me is that at the companies I have worked for so far, there has always been a role that dealt with the internal IT part – like making sure employees have their laptops, making sure the network is configured, and so on. At XUND, we don’t have a dedicated IT team. We have the developers, of course, but they work on the product infrastructure. So a lot of the basic security threats that we have to mitigate – such as, for example, somebody losing their laptop – are something that now lands on me. If I want employees' laptops to be properly secured and encrypted, I first have to establish the basic IT functions, which I can then build the security functions on top of.
At the company level, the challenge – which is typical for most start-ups – is that we are under pressure to deliver functionality. Since we’re still early in our lifecycle, there is a requirement for us to deliver at a certain speed. And it’s difficult to integrate security at that speed because establishing traditional security controls and processes always slows things down. So that’s the game we have to play: How much speed are we willing to sacrifice to ensure that our systems become more and more secure as we grow?
Tell me more about an exciting project you’ve worked on that has had the greatest impact on XUND so far.
Mark: I would say, right now, the project which is going to be most visible is all the – what I’m calling security-related sales and marketing material – but basically the public-facing descriptions of how our security works. Currently, in every sales conversation, the salesperson has to convince the potential customer that we take great care of the data we work with. And instead of that, we’re working on a 2-pager listing the basic facts you need to know about how our security works and explaining what we do to protect patient privacy. So by trying to move away from individually discussing this with every customer, we’re bringing the conversation to the next step to make the job of the sales team easier.
You also closely work together with the QM team – can you tell me more about that?
Mark: When it comes to the medical data within our product, there is a company governance perspective, which is basically about the policies and processes we have. And that’s where I work together with quality management (QM). The QM team is responsible for the regulatory parts and the medical requirements, and I hold the security requirements in terms of what’s expected from a medical device. Also, we have two specific certifications that are audited regularly. Our medical certifications are the responsibility of the QM team, but there’s also the ISO 27001 certification. This is a security certification that was initially started by the QM team before I joined, but it’s moved more and more toward me.
On the operational side, the QM system lays a lot of the groundwork for the security certification system. For example, when it comes to employee training, the QM system describes a framework for how we train new hires and how we ensure continuous training of employees. But then it’s me plugging into that system and defining the security training and onboarding. So QM gives me the framework, and I can build into that.
What exciting projects are ahead of you at XUND?
Mark: We are planning two main projects that are exciting. The first one is a training platform for our developers to ensure that every developer receives regular training on secure development. We want to make sure that our developers know all the latest attack methods. That way, they can proactively review the code they’re writing regarding how secure it is. So that’s one project where we’re in the final stages of selecting a platform right now before our developers can start using it and see the impact of the training. That’s quite exciting.
The other project is about an external penetration test against our system. Once all the basic structures in the product are in place, we will have a penetration test done by external security experts and hope they don’t find any major problems in the system. But that’s always an exciting point when you hand your product over to someone with dedicated resources to try to break it and see what they find.
This or that?
- Tea/coffee: "I like drinking decaf coffee during the day, but I enjoy a good green tea every now and then."
- Dog/cat: "I’m just super allergic to cats."
- iOS/Android: "In terms of privacy, I would choose neither of the two companies behind them."
- Early bird/night owl: "Since I have kids, I started being an early bird."
What do you like most about working at XUND?
Mark: I very much found what I was looking for, as XUND is still in the early stages of a company. What I like about my job is that I can collaborate with different functions and develop new efficient processes. I also have the feeling that everyone wants to do a great job. The people at XUND don’t come to work thinking it’s their 9-to-5 job that’s not worth putting extra effort into. When we sit down to have a meeting or a workshop, everyone contributes and does their very best to efficiently come up with a great solution to the problem we’re facing.
If you could go back to the first day you walked through the XUND office doors, what advice would you give yourself back then?
Mark: I wouldn’t do anything differently if I could go back. It’s not the first time I’ve joined a company, so I’ve already made the big mistakes previously. When I started at XUND, I had a good understanding of what not to do or how not to do things. Also, I read the advice of other people in security leadership roles, which was basically what I followed.
One piece of advice that I think is useful when joining a new company is to talk to your new colleagues and listen to their concerns to see how you can help them. When it comes to security, you need to be very collaborative with people – they need to understand that you’re not here to make everyone’s life difficult but that you’re their partner who gives them expert advice on their security concerns.