Celonis' Omesh Agam, Chief Information Security Officer, joined the company nearly a year ago and is scaling a cybersecurity unit designed to be integrated with product development and able to secure a multi-cloud architecture that features data streaming. The team, which is responsible for protecting the company and the data generated by thousands of customers and billions of event logs, faces some unique challenges.
We caught up with Agam to discuss security trends, unique challenges with streaming data and building out a team. Here's a look at the takeaways.
Scale, cloud architecture and streaming data. Agam said Celonis has some unique challenges as it blends security with its cloud architecture, spanning the major hyperscale cloud providers (Microsoft Azure, Amazon Web Services and Google Cloud Platform) and streaming data consumption. Streaming data—dozens of terabytes per second from large customers— provides unique scaling challenges. "From a security engineering perspective, we have to be best in class across multiple cloud platforms and be agnostic at scale," said Agam.
An example: On the hyperscale cloud platforms, some security features can be deployed with a few clicks, but since Celonis' Execution Management System (EMS) runs on multiple clouds, deployments must be done in a way that covers all the providers. "We are creating an abstraction and core engineering layer that enables us to push solutions once that apply to many in a cloud agnostic manner," said Agam.
Layers of security. Agam said Celonis is approaching security on multiple levels. First, there's the security of the cloud itself. Then, there's the security of the products that run inside the cloud. The EMS is a cloud native system with an architecture that encompasses microservices, and enables engineering teams to contribute enhancements using continuous delivery. On the product side, Celonis is building security into the product design process. "You have to ensure security deep into the software supply chain. You can break once and apply everywhere," said Agam. "The bad guys have to be right once, and we have to be right all the time. Resiliency is also important."
What keeps Agam up at night? Agam said the goal is balancing between "pulling on a thread" to solve hard problems and basic security hygiene. "You don't want to be looking over a novel attack and forgetting to patch servers," said Agam. "Are we spending the right time on the right things while also supporting continued growth of the business." To enable the business, security should be deployed in a way that doesn't slow down development or harm the user experience."
Building a team. Agam said Celonis is hiring in multiple security areas, but the core groups that are scaling include:
Security operations. This group includes threat watchers and hunters, analysts and threat intelligence.
Security engineering. This unit includes traditional software engineers that know security. Security engineering also falls into the offensive security category.
Trust. This group runs the governance and compliance programs and makes sure Celonis adheres to various security standards.
"We're structured in squads and execute a roadmap like an engineering team would," said Agam. "The teams work together and meet every day in a scrum-like model."
He added that hiring will be heaviest in security operations as Celonis ramps a global operation 24/7/365. Technical hires in the security engineering organization are also high priority. Trust unit hiring will pick up as the company grows.
As for hiring, Agam is looking for people with "high intellectual curiosity and a high aptitude to be able to figure things out."
Using Celonis on Celonis security processes. Agam said his group's internal goal is to "drink our own champagne" and leverage process mining and execution management for security. "I'm curious about testing our security vulnerability process of how we manage and patch," said Agam. "A proof of concept is already highlighting improvements to the vulnerability triage process."
Over time, Agam said he wants to develop a security process playbook that covers things like supply chain risk and the time to update core software libraries. "When you have an opportunity to evaluate your processes and events at a massive scale, the bigger goal becomes time savings and hours in a day," said Agam.