Q&A with Aumni’s Isaac Painter on Creating a Healthy Security Culture

In this Q&A, Aumni’s head of security, Isaac Painter, discusses the importance of establishing a healthy security culture at the core of a business’ identity. He firmly believes that successfully implementing a company’s security policy originates in human psychology. Achieving security objectives depends on gaining each team member’s confidence, awareness, and adoption of the company’s security strategy. 

Please tell us about your professional background and describe your current role at Aumni.

I’ve taken an unconventional path to arrive as VP of Information Security at Aumni today. In college, I started out working towards a degree in accounting. Along the way, throughout my undergrad years, I had a job at a credit card security company. At first, it was a typical call center job, but I slowly became more involved in information security, checking for vulnerabilities on networks, websites, and similar tasks. Eventually, I moved to a team where I would train others on the importance of security protocols and teach them how to implement them. 

I went on to get my Master’s in Accounting at the University of Arizona, an institution that also has a renowned Information Systems and Security program. I took coursework in both accounting and security there. With this experience, I leveraged my unique qualifications to audit accounting information systems from a security perspective, ensuring the integrity of figures and data. 

Then, my career shifted, and I pursued a role where security was the sole focus. For about six years, I worked at Adobe across a wide variety of projects in the security field, ranging from application security to IT security, to security investigation and response, to security training, and more. 

When Aumni presented the opportunity to be a security leader and drive the security program, I was interested. I asked the leadership where security sits as a priority in the organization. As soon as they informed me that it was considered a pillar in the technology practice, one that is essential for keeping data confidential, I knew it would be a fit for me. 

In my experience, many software companies treat security as an engineering problem. Engineering is one piece of security. Security is a vital concern wherever there is technology, which is inevitably everywhere. I have built a team, and our role is embedded in the company’s foundation, to serve not only our Aumni customers but our Aumni employees as internal customers. 

Aumni's customers entrust Aumni to keep their confidential data secure. How do you implement a security program appropriate for a startup company and manage risk like a global enterprise?

When securing information systems and data, the priority should always be creating a healthy security culture. The widespread adoption of security practices in a company depends on creating favorable psychological conditions. If my colleagues care about Aumni and genuinely understand how to contribute to information security, they feel empowered to help. A healthy information security culture respects the business and the employees; it’s a culture that invites every team member to take an active role in protecting company assets and data.  

My objective in overseeing security systems is to foster positivity around security every day. I constantly tell my team to mitigate the risk that doesn't get in the business’s way. If the risk is low enough and compliance allows, we typically remove security processes that create friction for the company. For example, the product team set up a demo account with dummy data, such that the sales team could show product capabilities to prospective customers. Initially, an MFA window would pop up, disrupting the demo flow, which made no sense since the data was fake. So, we disabled the MFA for the demo account because the risk-to-benefit ratio just wasn't worth it. This type of common sense approach creates goodwill towards the security team, contributing to the health of the security culture.

Other ways that we foster positivity include recognizing a “Security Ambassador of the Week” and providing security tips to employees that protect Aumni’s data and help protect their personal data. I encourage my team to be creative and positive anywhere we go because, whenever possible, security and the business should complement one another. If they are in constant conflict, resentment has room to grow. Because buy-in for tool implementation and company-wide cooperation to secure our systems is mission-critical, we approach information security collaboratively. 

What do you do to stay vigilant and learn about new security threats, including ones that didn't exist yesterday?

The signatures and algorithms of threats change, but a good security strategy doesn't. We can't control the vulnerability of the services we use, but we can apply patches promptly. Many exposures result from poor patch management and a lack of security buy-in from the business. This challenge is best addressed early on and prioritized within a company’s security strategy.

Our product, where we control security, uses the latest tools to shift security left. That means that we identify security flaws in code before they ever go live. Historically, vulnerabilities are found in code after they go live by security researchers or bug bounty programs. The more modern tools help us identify vulnerabilities as our engineers write the code. Surprisingly, not many companies use the latest security technology, even though it's readily available. Large corporations, in particular, have a hard time implementing information security technology because older processes have become embedded across numerous platforms. 

Aumni recently announced its SOC 2 Type II security certification. Why is this notable for a company of Aumni’s size?

Aumni’s SOC 2 Type II certification is a source of pride because it's not common for a startup to achieve this milestone so early in the company’s history. Companies of our size and stage aren't thinking about SOC 2 until much later, but we had to accelerate into it, given our business domain. This milestone demonstrates what is possible with a healthy security culture. It is possible to attain this level of security only when the whole company participates. For example, if Human Resources is willing to keep accurate employment records, the Security team can adequately manage the precise moment to grant and revoke access. 

What do you find most challenging and rewarding about heading up Security at Aumni?

Heading up information security at Aumni has been my most rewarding career experience. The leadership team and my colleagues take data security seriously, and we keep a channel open for questions at all times.  It was a leap of faith for me to undertake this challenge, but after only a few days at Aumni, I knew I had made the right choice. I am proud of what we’ve built and very excited about Aumni’s future. 

How does Aumni's company culture align with your values and interests? Which value resonates most with you and why?

I pride myself on being a person of integrity, and I expect those I work with to act with integrity, so that is the value that resonates most with me. You need to be reliable in a professional setting, where you're getting paid to practice your craft. If you aren't reliable, there isn't trust. If there isn't trust, everything slows down. My colleagues at Aumni all have such a high degree of integrity. I take a lot of pride in working with really cool, genuine people who are good human beings and follow through with their commitments.

What is something surprising about you that your colleagues may not know? 

I really like to DYI. I remodeled my home and several bathrooms. I did nearly everything myself such as the baseboards, flooring, kitchen cabinets, plumbing, showers, tiling, and painting. I recently built a breathing wall along my basement staircase. I did it to keep my kids from using the slope as a slide and hurting themselves. Now it’s a nice piece of craftsmanship in the home. 

A long time ago we lived in a basement apartment and it got pretty annoying to always be walking up the stairs to take our dog out. With our landlord's permission, I built a spiral staircase out of the window well and we trained our dog to climb up when he needed to get out. 

Is there a message you’d like to share with our current and future customers?

You won't regret choosing Aumni for your data analytics needs. I feel very confident in our security culture and our ability to keep your data confidential. Our entire company is on board and works together to stay “Aumni secure.”