Martin Rues discusses creating a digital security system within a regulatory environment and B2B business model from the ground up.
When Martin Rues became the Chief Information Security Officer for Outreach Corporation, a rapidly growing sales engagement platform, he saw it as a chance to do security and privacy right at a critical time. Rues had been in the industry for nearly two decades, including a ten-year stint as the Director of Microsoft’s Online Services Security & Compliance (OSSC) team.
“I joined Outreach in 2015, and it was my first opportunity to build a security program from the ground up, to take from all those lessons learned from the past and try not to make the same mistakes,” Rues said on The Grailcast.
Soon after Rues took the position, the GDPR was enacted, so he created Outreach’s security structure with regulators in mind.
“I started to talk to our team about what it’s like to run a business that’s regulated,” Rues said. “To navigate that is a challenge, and you’ve got to figure out how to comply with the law but still enable a business.”
Bringing Security into the B2B Model
For Rues, the solution was integrating security into the product. Outreach pursued a third-party certification for compliance with GDPR. Although that wasn’t legally necessary, it demonstrated the company’s commitment to clients.
“I thought that it was important for our customers to know how we were thinking about it and that we actually put real controls and processes in place to meet those requirements,” Rues said. The burden of providing security is two-fold for Outreach, which operates on a B2B model. The company needs to ensure that it protects clients’ data and that it enables those clients to offer the same protections to their customers. Most security regulation enforcement has been against B2C businesses, but B2B businesses still need to be compliant.
“I think we have to treat it the same as any company,” Rues said. To understand the legal requirements, Rues seeks clarity on the purpose of the laws. “What’s the intent behind the regulation?” he said. “Let’s start there and figure out how to incorporate that into our business.”
Security as a Differentiator
Companies that successfully integrate security into their products early on have the opportunity to use security features as differentiators to gain market advantage. Rues points to Apple as a company that is doing this successfully.
“Leave it to Apple to make privacy sexy,” he said.
For Outreach specifically, there is a market opportunity in allowing clients to control privacy protections for their customers.
“They should be able to pull all the levers and turn all the switches to obfuscate and retain and deal with their data the way they see fit, and that complies with policies and regulations,” he said. “They’re going to be looking to comply, and anytime we can make that compliance easier is an opportunity.”
Rues’ Resources for Privacy Protection
When Rues joined Outreach, he started a Slack channel to help his team keep up to date on security news. He immediately added these two resources:
Although there are other websites that Rues checks occasionally, he finds the most value in speaking with other security professionals.
“I try to keep in touch with them as much as possible, ask what they’re experiencing and what their thoughts are on how to best address it,” he said. “Then I take that back and compare it to our strategy, and I figure out what works best for our business because it’s going to be different for everyone.”