Interview with PlanGrid’s Security Leader, Srikanth Veeraraghavan
Construction is complex in and of itself. The potential for a breach of your IT systems or the data centers that hold your company's most sensitive information adds a whole new level of complication to projects. Construction companies already work hard to build something great, whether that's a team to serve its customers' growing needs or the physical facilities themselves. It's critical that they entrust their data only to companies that can provide the highest level of security possible to protect the business they've built.
At PlanGrid, data security is an utmost priority. Since our customers, whether general contractors, subs or owners, trust us with some of their most sensitive project information, we want them to feel assured their data is as safe as it can possibly be. As a part of our initiative to provide more transparency and assurance, we're proud to have now achieved SOC 2 Type 2 certification, one of the highest levels of security accreditation for software companies in the United States. For security-conscious construction companies, SOC 2 compliance should be a minimal requirement of your vendors when considering a software investment.
To understand the significance of SOC 2 Type 2 certification and other security milestones PlanGrid recently achieved, including OAuth 2.0 to enhance SSO, we sat down with PlanGrid Security Leader Srikanth Veeraraghavan. He shares how he built a winning security team at the construction software company and why SOC 2 Type 2 was an essential standard for PlanGrid to achieve.
What’s your background and why did you join PlanGrid?
I graduated from Johns Hopkins University with a Master's in Information Security. I have spent many years working in the security field, most recently at Zendesk, where I took an active part in helping build and lead multiple aspects of security, including network security, incident response, infrastructure security, fraud and abuse, IT security, bug bounty and compliance. Prior to Zendesk, I was at McAfee Labs, where I researched new methods to detect security flaws and to improve the detection mechanism and resource utilization of the McAfee IPS solution. I also worked at other early-stage security startups.
I came on board to lead PlanGrid's security initiative last year after seeing huge potential in the construction industry, which is technologically behind in general. Security is critical for PlanGrid, as there is a lot of data that could be of interest to attackers, especially architectural drawings and specifications.
What types of security concerns keep you up at night?
In my opinion, data breaches through third-party vendors are the biggest security risk. It is a very process-oriented problem to solve for most small and medium-sized companies. Failure to follow the processes could mean a data breach that could be worth millions of dollars for an organization.
What is SOC 2 Type 2 certification?
The Service Organization Control (SOC) 2 Type 2 examination demonstrates that an independent accounting and auditing firm has reviewed and examined an organization's control objectives and activities, and tested those controls to ensure they are operationally effective. The Type 2 report is issued to organizations that have audited controls in place and whose controls' effectiveness is audited over a specified period of time. In PlanGrid's case, it was six months.
Before achieving SOC 2 Type 2, what were some of the major security measures PlanGrid was taking?
PlanGrid is focused on building a security program that takes a risk-based approach in which we seek to fully understand any risks that may impact our company and products. To start this process, we interviewed all key stakeholders across the organization and reviewed PlanGrid’s security posture and landscape. We then started putting technologies, solutions and controls in place to mitigate and manage these risks. A lot of these mitigations aligned with what we had to do from a SOC 2 perspective, so that helped us achieve the certification quicker.
Why was it important for PlanGrid to achieve this security standard?
It’s important for PlanGrid to build a security program that is industry-recognized to reinforce to our customers just how much we care about the security and privacy of their data. “Industry-recognized standard” means customers can trust PlanGrid’s SOC 2 report while performing their due diligence, which is essential for a construction company to consider when procuring a cloud SaaS or PaaS vendor.
What has the process been like for PlanGrid to achieve this certification?
Achieving SOC 2 was truly an organization-wide effort for PlanGrid.
Multiple teams were involved in putting the processes and controls in place. While the initiative altered certain workflows in more than one way, we were fortunate to have excellent support from the teams and executives to help us move smoothly through the process. The security team spearheaded the effort, which meant we had to build out our team. This involved hiring key personnel with the right background to be able to coordinate with all the various stakeholders. Furthermore, we had to ensure the right controls were put in place, practiced and followed as part of our SOC 2 Type 1 certification to ensure the SOC 2 Type 2 audit was a success.
Why would this type of certification be important for a construction company using PlanGrid?
Type 2 Certification consists of a thorough examination by a third-party firm of an organization’s internal control policies and practices over a specified period of time. This independent review ensures that the organization meets the stringent requirements set forth by the AICPA and CICA. A high-level certification is imperative for an application like PlanGrid when it is to be trusted with highly sensitive and confidential information such as blueprints, essential construction documents, contracts and financial information.
How does the security certification impact PlanGrid users?
By working with a SOC 2 certified vendor like PlanGrid, users are assured their data is kept secure through the implementation of standardized controls as defined in the AICPA Trust Service Principles framework.
PlanGrid creates construction software for web, iOS, Android and Windows devices that allows construction professionals both in the field and office to store, view and communicate with plans and documents. PlanGrid replaces paper in construction, brings the benefits of version control to construction teams and is a collaborative platform for sharing construction information like field markups, progress photos, submittals and RFIs. Since PlanGrid is a SOC 2 certified organization, with audited controls and processes in place, users can be confident the technology performs and operates as described. Applications developed by organizations that are not SOC 2 certified do not provide the same level of assurance.
In addition to security, customer privacy has also remained a chief concern for PlanGrid. What steps has the company taken to ensure user privacy?
The E.U.-U.S. and Swiss-U.S. Privacy Shield frameworks are European Commission-approved mechanisms that enable the transfer of personal data from Europe to the U.S., and from Switzerland to the U.S., in compliance with European and Swiss data laws, providing greater protections for individuals. We value our customers' trust and share the same concerns over the privacy of their data. We want to take this opportunity to also announce that PlanGrid has certified its compliance with the E.U.-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce, and has been added to the Department of Commerce's list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield principles for the transfer of European and Swiss personal data to the U.S.
With these announcements, PlanGrid customers will have a choice of entering into our standard Data Processing Agreement (“DPA”) that includes the European Commission-approved Standard Contractual Clauses (“Model Clauses”). If you are a PlanGrid customer and wish to enter into our DPA, please email us at email@example.com.
What’s next in terms of security for PlanGrid?
Now that PlanGrid has an industry-standard security program, we'll be focusing resources on our international efforts in line with our company's global expansion. We are working towards our ISO 27001 certification, which further solidifies PlanGrid's commitment to the security and privacy of its customers.