Stepping down as CISO
When I joined Castor two years ago, my partner had to push me into accepting their offer. I was enthusiastic about the company itself, but hesitant about there being sufficient technical challenges to keep me engaged and growing in my area of expertise.
At the time, Castor’s office was also located on the outskirts of Amsterdam, a 14-kilometer trip that would take me 40 minutes to complete on average. I’ve always enjoyed being able to travel to work by bike, but even for me, this was pushing the limits of what felt comfortable.
I remember it was a cold, wet February when I joined, with heavy showers during my first week. Despite having a very good rain suit, I felt very much like a drowned cat by the end of those trips.
Eventually winter turned into spring though. Showers slowly made room for more and more sun and gentler breezes. And Castor kept on growing too.
We moved out of that office and into our very own, newly renovated building which was closer to home for me. My commute dropped to just 20 minutes, featuring a run through the full length of the Vondelpark (we even got to enjoy our new office for a couple of months before COVID forced us all into remote working).
Our infrastructure grew too. We launched a dedicated server offering (“Castor Private Cloud”) on Microsoft Azure, opened up a region in Australia (also on Azure) and in October of 2019 I took over the role of Chief Information Security Officer (CISO) from our CEO, Derk Arts. Most recently, we supported the World Health Organization (WHO) with their SOLIDARITY trial around COVID-19.
All of which leads us to today. With this growth and an expanding, more demanding and commercial client base, those technical challenges I referred to earlier have finally arrived. Especially following our Series A, it gradually became clear to me that being a CISO is starting to become a full-time job.
Which is why I’m excited to now be able to say that I’ll be stepping down from this role as soon as we’ve found a suitable replacement.
The decision to look for a new CISO is one I initiated myself. I see this as a step forward rather than a step back.
For Castor, this means we can bring in somebody with more knowledge, more experience than I already have. We have a very robust ISMS (ISO/IEC 27001) and QMS (ISO/IEC 9001) and always passed our audits with few remarks, but in some areas it hasn’t kept up with Castor’s rapid growth. It requires more care and attention than I can give it right now without going full-time CISO myself. And that’s a direction that I realized I didn’t want to go down.
For myself, I am and always will be an engineer at heart. You won’t find me studying up on information security topics during the weekend, but chances are, you will find me playing around with new technologies. Letting go of the role of CISO means I can dedicate my full attention to my own team again, the Platform team as it’s currently called at Castor.
This doesn’t mean I’m not going to be involved with information security at all anymore. The Platform team is receiving more and more exposure to compliance standards and regulations due to the sensitive nature of healthcare information.
As we expand, and hopefully move closer towards a Full Service Ownership model with our development teams, I foresee our team being uniquely positioned to support others in meeting these regulations. Within the tech industry we’re starting to recognize the advantages and needs of observability and “testing in production”, but healthcare as a field is very risk-averse. Even though regulations don’t always state it in black and white, a lot of thinking I’ve seen has been about keeping developers and operators away from production, minimizing access as much as possible to prevent patient data from being exposed.
If we can design and deploy tools which keep developers in close contact with production, if we can let developers explore all of the failure states our systems are in while maintaining sufficient audit controls and keeping Protected Health Information (PHI) segregated away, we’ll be much better equipped to “amaze through user-friendly and rewarding experiences” while “acting responsibly and protecting our data” (two of our five core values as a company).
I remain happy at Castor and can honestly say the company culture, with a strong emphasis on employee health and wellbeing, is the best I’ve witnessed in my career so far.
There have been plenty of frustrations and disagreements about certain product decisions or organizational strategies (what can I say? I’m opinionated and outspoken), but these are normal in any company, especially a fast-growing, dynamic one like Castor.