Company culture: Security of data


My name is Sander Kamstra, director and one of the founders of Payt. In growing from an attic idea to a serious organisation, I regularly encounter moments that I think have an impact on our company culture. With this series of blogs, I will try to describe, every month, a situation that shows who we are as a company. I will give you a glimpse into life at Payt.

The case: Processes are more important than results

In my first job as an ICT employee, I had a good idea in which data security was an important part of the proposition. So I took my idea to a senior colleague who was responsible for the security of servers and databases. His answer was simple and no less true today:

“If you want to protect a database of data you should store as little data as possible, allow only uninteresting data and not allow users.”

There are now quite a few ways to make access pretty secure when it comes to allowing users. Fortunately, because without users, our software is of little use. At Payt, we talk weekly about new features that provide a lot of user convenience, but require a concession to data protection. Our data is (unfortunately) also interesting enough to be of great value, so we are ISO 27001 certified. This means that we comply with the international standard for Information Security Management Systems (ISMS). I would like to describe an example of where this can lead within the company.

We had only 20 employees when we got the certificate. We had done a lot of preparation and had written a well thought-out security policy. Within a year, someone at Payt thought that this policy document should not only be known to the decision makers, but also to all other employees. And the best way to do that was to have it signed by everyone. Before this, we thought that a general text about confidentiality in the employment contract was sufficient. Not long afterwards, an extensive list of all hardware, software and processes for each new employee was drawn up (in an intake list). For a year now, one person has been responsible for ensuring that all access is transparent. The intake list has been replaced by an extensive authorisation matrix. To make the process of secure access a little easier, we have an access_request channel in Slack. Sounds good, right?

I had requested access in the access_request channel for a new colleague. I wanted to impress her with our speed of action and get her off to a flying start. After a week, there was still no access. When I enquired, I learned that a developer had decided not to grant this access because the new colleague had not yet signed the security policy. And shortly afterwards, I received a reprimand for not having filled in the authorisation matrix either.

It is much more difficult to work in a result-oriented way than it is to work in a process-oriented way. You can simply follow a written process. And if you follow it well, at least you will never be at fault.

Sander Kamstra
Sander Kamstra is director and one of the founders of Payt. He is an entrepreneur in heart and soul. He likes to work with people who are just as driven as he is to achieve success by setting the right priorities and making smart choices.
