Dan Mihai and Dennis Keglovits - Security & Data Governance: Is Your Data Actually Yours? Who has Access? - PODCAST TRANSCRIPTION

Editor's note: The following is the transcript of a live interview with Dan Mihai and Dennis Keglovits from Jobba. You can read the interview below or listen to the podcast.

Speaker 1: Welcome to Roofing Road Trips with Heidi. Explore the roofing industry through the eyes of a longterm professional within the trade. Listen for insights, interviews and exciting news in the roofing industry today.

Heidi J. Ellsworth: Hello, everyone, and welcome to another Roofing Road Trips from RoofersCoffeeShop. This is Heidi Ellsworth, and I'm here today with a topic that is top of mind. I can't tell you. So many people are talking about their data. What data? The data that's yours, the ones that you have in your computer, all your files, your CRM. And we really want to talk today with the experts from Jobba about how you can protect your data, make sure you have the correct access for security and manage your data governance and managing risk. So a lot to go through today, but it's such a critical topic. So first of all, I'd like to introduce our guest, Dan Mihai, Chief Technology Officer, and Dennis Keglovits, and who is the Chief Customer Officer. Dan, can you start with an introduction and tell us a little bit about yourself?

Dan Mihai: Yeah, thank you, Heidi. So hello, everybody. I'm Dan. I am with the Jobba Trade Technologies for five years now. And I've been in the SaaS cloud industry for about 25 years-ish, and I am very excited to be here on the show with Heidi, which I respect a lot. And she's done a lot of good for the roofing industry. And I'm very excited to participate in the stock.

Heidi J. Ellsworth: Dan, thank you so much. That's so nice. I'm so excited to have you here. You are an expert in this field, I know. And so I'm really excited to learn, not just for everyone listening, but for myself too. So this is going to be great. Dennis, welcome to the show, and please introduce yourself.

Dennis Keglovits: Absolutely. Thank you, Heidi. So my name's Dennis Keglovits. I am the Chief Customer Officer at Jobba. Recently started with this organization, so I have quite a bit of background within the public consulting and public accounting, doing a lot of project implementation, software implementation, project re-engineering, regulatory. Compliance was really the brunt of my background. Been in software for about 10 years working with different software companies, so very familiar with data governance, security, privacy, those types of topics. So pretty much what we're going to talk about today.

Heidi J. Ellsworth: Sounds great. Thank you. And I just got to spend some time with both of you gentlemen at the recent RT3 Roofing Technology Think Tank. And boy, did we have some great discussions, so this is right up what everybody's been talking about out there in the roofing industry. So let's start. Dan, let's start with you. And can you talk about how your SaaS platform, how you have been working on implementing the data access controls, what contractors should be looking at and working on with that?

Dan Mihai: Yes, Heidi. So a very important, fundamental principle in designing Jobba from the get-go when we started five years ago was the tenet that our customers own their data. So we have a philosophy in which we put the customer in charge. So not only you own your own data, but you can also control who gets access to what and who gets to do what to every data element that you store and you capture. There is a couple of ways in which we are actually implementing that. The number one is a very sophisticated, role-based security. And this is very similar to perhaps a home security system in which you start with locks everywhere, the front door, the back door, the windows. You have sensors at the windows, at the doors, proximity sensors. If the dog comes in on the back porch, the light goes on, stuff like that. So what we do is very, very similar in the sense that each user in Jobba can be assigned multiple roles, and each role defines a number of data access rules. Who gets access to what? In other words, it's on a need-to-know basis. So if you don't need to know, then you don't need to know.

Heidi J. Ellsworth: Yeah. Well, that makes sense. A lot of times, people don't want to know. They don't want to be in where they don't need to be.

Dan Mihai: Yeah. So most people shouldn't even know about what things are happening in the other parts of the roofing organization. So if you work in service, for instance, you may not want to know stuff about accounting. And if you're in the back office doing accounting work, you may not care that much about inspections and going up on a roof, taking pictures, stuff like that. You may or may not. But it's really up to the administrator of the roofing company to decide who gets access to what and to what extent. So we have rules for more than 1,000 data elements, so we go very granular, in which you can define who gets to see a data element, who gets to modify a data element, who gets to print the information that's embodied in a data element, who gets to delete that data element and who gets to act upon it.

So all these rules are cumulative. In other words, if a user has five roles, the most permissive set of rules are applied. However, there are situations in which you can have roles and permissions but then you want to explicitly deny access to certain elements of the data. So we do have that capability as well. We call it a denial rule. And even if you normally would have permission to, let's say, view and print invoices, if the system administrator assigns a role to you that has this deny access to invoices, you're not going to be able to even view invoices. So that's the key conceptual things.

And it's very much having access to a facility with lots of rooms and lots of doors. You might have a set of keys. Let's say you have 50 doors and you have five keys. Now, obviously, you can use those five keys to get into five rooms, and maybe some rooms have shared keys. Two keys, you might be able to access the two rooms. But then in addition to that, we also have this no entry rule that basically says even if you have the key, we're not going to let you go into that room because it's special.

Heidi J. Ellsworth: Yeah, that makes total sense because I think one of the things that every owner has to think about is, first of all, obviously, not everybody needs to have that access, and you don't want them to know everything that's going on when there's not that priority. But a lot of times when we're talking about data and owning it and risk and everything, we're always thinking it's external, that we're going to get hacked or it's going to be a virus. But it can be just as much, if not more, internally. So if you don't set those governance and those rules, you could have real problems.

Dan Mihai: And this is a fundamental conceptual thing that defines data governance. Basically, it's about managing risk. And risk, like you said, and thank you for mentioning that, is external and also internal. This is a known fact in government applications. Obviously, you have to have a certain clearance level to be able to see certain levels, classified information. Pretty much the same concept here. Yeah.

Dennis Keglovits: And Heidi, one thing I wanted to add, sometimes it's not just about security. It's about privacy. If you think about your house, the bathrooms aren't typically... I'm not worried about somebody stealing something. You typically have locks on doors for privacy purposes. And security and architecture works that same way. Some of it's for security purposes. Other is for privacy purposes.

Heidi J. Ellsworth: Well, and just think about all your HR documents. There's a lot of regulation around that too, what people can see, what should be shared, all that personal information of employees. Yeah, there's a lot there. And your bank accounts, your finances, there's so much that needs to be private and protected at the same time.

Dan Mihai: Even in the case of Jobba, we have hourly rates for employees that you may not want to have exposed to pretty much everybody.

Heidi J. Ellsworth: Exactly. Nobody wants that exposed. And one of the things in roofing that we always talk about is it seems like everything when it comes to regulations or new building codes or anything, it always starts in California or Florida and works its way to the middle. Well, it seems like in technology, that's kind of the same way, Dennis, because with California they are requiring, let me say this right, the SaaS platform identifying and controlling personally identifiable information. So first question on that I'm going to say is, what is that? And second of all, how is that working starting in California, and what should people be looking towards?

Dennis Keglovits: That rule actually started in Europe with what's called the GDPR, so Europeans came up with the concept of privacy and what you do with my data. I have no problem that I give it to you. I let you use it, but if you're going to use it for external or if you're going to sell it to third parties, then I might have a problem. And California jumped on that rule. That rule had been out for probably a year or two. And then in January of 2020, California came up with the CCPA, which is, again, the California Consumer Privacy Act. And there are specific regulations, rules and limits that said if you're a business of X millions of dollars, and I think it's $25 million in business, and you have a customer in the California market, then you're required to give them the ability to opt out.

And what does that mean? Again, I can give you my data. You can use it for purposes of your business. But if you're in any way going to share, sell or give that data to someone else, I want the ability to say no. And really, that's what it is. So those organizations in California above $25 million that have clients in California that are sharing that information, you have to give me the ability. And that's really what it comes down to. Do you want the ability to share information as you indicated that's the personally identifiable information, things like my name, my address, social security and anything, actually, that allows you or someone else to identify me through buying characteristics or just that personal information? So it's more than just name and address. So for those contractors that are based in Cal or have clients, what this means, again, if you meet all the criteria, you have to put some level of language in your contracts that allow me the ability to say no, that you can't sell it, give it or do anything with that information other than use it for purposes of the business that we're doing.

Heidi J. Ellsworth: Wow. And in the marketing field, we've known that for a while. We have all kinds of rules that go around with emails and sharing email lists and all of those types of things. So it's just going to only become more regulated.

Dennis Keglovits: Really, when you think about it, it really can be crazy. I don't even think the people that use the data realize how much information they have and how much they use it and where they use it. And so giving people that ability of just taking the time to give you that ability to opt out and maintaining that list because it's not like it's a week or a month long. That's forever. And we talk about in our own organization, for example, in new releases. So is that marketing information or not? We need to kind of break it out because while I understand you don't want me sending out marketing information, you do want release notes, and you do want information like that. So when you say opt out, does that mean that too? So how you classify information is critical.

Heidi J. Ellsworth: Yeah. And that's going to mean going back to a lot of old information too and figuring that out. This is a lot to get your arms around. So let's talk about, how is your SaaS platform monitoring the data usage across the license feature set? So again, I'm assuming that has to do with helping the contractors have the right governance and the right feature sets. Is that correct?

Dennis Keglovits: Yeah. Every platform, you have some sort of reporting capabilities. You can either have a reporting engine built in. We use Power BI. And so Jobba records everything that's updated, added and removed within the platform. And that includes work orders, inspections, proposals, all of that information. We then create what we call data lakes, and all of that information is put into these data lakes on a customer-by-customer basis. Historically, we gave you a Power BI license. We're actually coming out with a new release just this very month that will allow you to have that embedded right into the platform, so you no longer have to have a separate ID and go into Power BI. Right now, it's right there in Jobba. You have the ability to view that data and there's everything from sales activity, maintenance, warranty, across the board information, which is highly valuable.

A system without being able to get reporting is useless. It's great to put the information and store it, but if I can't get any information out to make decisions, what am I doing here? And so this is a huge differentiator for us to have this type of reporting. This isn't just data on a piece of paper. These are charts, graphs, all kinds of formats of information that gives you the ability to sort it and filter it in any way that you want to see it. So an executive versus a service manager versus accounts receivable see a ton of different information that allow them to make really good decisions for their business.

Dan Mihai: I just wanted to chime in on this one, Dennis, because I think it's worth being emphasized. Our customers can define their own reports. Not only they have access to a set of standard reports that we provide, but if they want to take something that we provide, change it slightly or just do one from scratch, they can do so, and it's all part of the Jobba of platform.

Dennis Keglovits: Yeah. It's so critical. We use it ourselves to make decisions about customers. So from a customer success, I can make decisions whether you're a satisfied customer or not just by the amount and level of usage, what types of data you're using, how you're using it, what kind of transactions you're creating. Again, I review personally a number of graphs and charts literally every week as I'm about to call a customer to understand what questions I need to ask them.

Heidi J. Ellsworth: Right. That kind of data and understanding what you have, I go down bunny holes all the time looking at the data. How many users? Where were they? What are they doing? And understanding the analytics behind it, I think, is critical. And we have to have those because you can have data, but if you can't access it, to your point, Dennis, I think that's so true. But as we're talking about now we have all these charts and we have all this information and everything is coming out, we still want to be really sure that we are on the front end of prevention and detection of unauthorized access. We don't want people getting into our charts or getting to see things in they're not supposed to. So, Dan, what are some of the architectural elements of Jobba that you have used for that prevention and detection?

Dan Mihai: So this is a great question, Heidi. I just wanted to say that I've been involved in the medical industry for the longest time before I joined Jobba. And in the medical industry, there is a lot of emphasis on data security and specifically as it relates to medical devices because you don't want somebody to log into your pacemaker and shock your heart and kill you. It's happened, seriously. And so even starting from day one, Jobba has been architected with security and prevention in mind. And this is not about roles and permissions because this is about outside malicious actors, bad guys trying to get in and steal your deadline and do bad stuff. In our platform, we have double encryption protocols. So we do use the standard 256-bit SSL. Everybody uses secure circuits, layers and blah, blah, blah. When you go to a website, if you don't see the HTTPS, you shouldn't put the information in. But on top of that, we have a proprietary layer. Let's say for the sake of argument you will be able to break as a cell, then you have another level that you need to break, which is our proprietary that nobody knows. And it's very secure, so encryption on top of encryption.

Heidi J. Ellsworth: That's what we all need, and that's what we all are working at, to be honest. It's like the double locks on the doors. And I've had this happen when working in documents, working in different programs and all of a sudden my data is just gone, or it's messed up. So what are you doing about ensuring data integrity so it doesn't fail?

Dan Mihai: Yes. So there is a broader topic about data integrity, and maybe I'll talk about this a little bit later. So in essence, we have checks and balances. So we have what we call a triple validation layer. When data is entered by the user, we apply a set of validation rules. When data is sent from the web browser to the server, we have a second set of validation rules. And then when the data is stored in the database, we have a third set of validation rules. So it's a triple validation process. The intrusion piece, this is basically where you want to keep the bad guys out. So the way you do that is, obviously, we have a backup policy in which we store many levels of backups. Even during the day, we have three or four backups during the day. And, of course, if something bad were to happen, we can go back in time to any point in time. We can restore from these very extensive backups. And I think we're a little bit unique in the sense that we can go back to a state of functioning. You probably remember those blackouts on the East Coast when somebody hacked into the... And I don't remember exactly what-

Heidi J. Ellsworth: Fuel station. The gas lines, right?

Dan Mihai: They were down for were for two, three days, right?

Heidi J. Ellsworth: Right. Yeah. Everybody was-

Dan Mihai: It took them a long time to get back right in the saddle, so to speak. With Jobba, we can get back in a functioning state even in the case of a total server loss in an hour and a half.

Heidi J. Ellsworth: Wow, that's excellent.

Dan Mihai: So I believe that's best in class. And we do this through many, many ways. But data integrity, we check things. We lock things. We have an artificial intelligence engine that looks at server patterns, suspect patterns versus expected patterns. And if anything is off, we do a quick investigation, and then we can recover from even a total data loss.

Heidi J. Ellsworth: That's so important. How many times have we just been stymied with, "We can't work. We can't do anything because things have gone down"? So to be able to recover that quickly, I think, is so critical for business. And speaking of business, when you're really looking at ensuring business continuing and being productive, what are some of the elements of your organization, Dennis, I would love to ask you, on how you are helping to ensure the business keeps moving?

Dennis Keglovits: This is a funny-answer question. This is one we get a lot from customers. They want to know where their data is, how it's stored, how we manage it. Most of them don't have the technical resources. They don't have sufficient budget around, other than a computer sitting over there for backups and stuff. We manage a distributed network of servers and databases, and it's hosted by Google in the cloud. And the minute people hear that like, "Oh, okay. Well, it's in the cloud. Yeah, sure. Okay, good." And they don't even realize what that means. Your data's not literally floating around up in air. There is a physical location somewhere with that data stored. And so Google does offer failovers and redundancies and has 100% protection on hardware and network failures. And they do a lot of the stuff behind the scenes. And as Dan indicated, we certainly keep backups and do things on our end as well. So again, it is stored in the cloud. We have it in a location, backups and recovery, and procedures are in place. And while we've never had any sort of disaster or situation where we were forced to do it, as Dan indicated, we could be up and running inside an hour and a half. So that's the good news.

Heidi J. Ellsworth: Dennis, same to you. What kind of policies and procedures are in place to identify and communicate those potential data security breaches? How do you stay in front of it?

Dennis Keglovits: Yeah, so we have a very comprehensive information security policy. It outlines procedures on how to prevent, how to identify, how to investigate. We have different teams. So our Chief Information Security Officer is certainly the primary person. He's responsible. Any sort of indication from any team member, executive or client immediately goes through him. And then his responsibility is to do X procedures outlined in our policies. He brings in the different resources depending upon what the situation was that was identified, and we immediately attack it from that perspective. And we have updates to that policy on a constant basis. Every employee goes through a process of reviewing, signing off and training and understanding what those are because we need each and every person to be keeping their eyes open and making sure if you see any sort of red flags. Certainly, we're not waiting till the system goes down. We're looking for red flags and things that are occurring throughout the day, throughout the week with different clients and immediately looking into those situations. So again, we have pretty comprehensive policies that everyone is made aware of and expected to do their part throughout the process.

Heidi J. Ellsworth: That's the important part, that strong communication and everybody understanding. This is very simple, but when you go to the airport, see something, say something. Don't just think, oh, this is fine. Everybody has to jump in that. But I had to go back to what we were talking about earlier on the passwords and the rotating passwords and changing and stuff. Okay, I'm a little bit older. I'm a little bit Gen X. And man, that's annoying sometimes when I have to change my passwords. So, Dan, with everything you've done, you even said earlier, you are just really hypersensitive to security, thank goodness, after being in the medical field and now bringing this to roofing, what we need. But how do you balance the security against the convenience or the ease of use? How have you made that balance so you don't drive all of us too crazy?

Dan Mihai: There is such a thing as going too far. So the way I would describe this is there is a continuum that goes through from 100% security but not being able to accomplish anything on one end of the spectrum and then being completely open and doing great things but being completely exposed at the other end of the spectrum. So where do you draw the balance? Now obviously, we're trying to cheat, and I'm saying this because, obviously, what we want is we want to have our cake and eat too. So we want the ease of uses without having to pay the price for it. So how do you do that? And we do this in Jobba in three important ways.

The number one piece is automating security as much as we can. In other words, still having it, but doing it behind the scenes, hiding it so you don't see it, pretty much like the Secret Service would be doing surveillance.

Heidi J. Ellsworth: They're protecting. You don't even know they're there.

Dan Mihai: Correct. So assuming you are, I don't know, part of the first family and you have a security detail assigned to you and they watch over you. And that's what we also do. So we try to automate and make all these processes happen behind the scenes.

The other piece is, obviously, you need to be sensitive to, for instance, passwords. So what we do is we have what we call persistent user sessions. In other words, if you log into Jobba on the same device, the device will remember that you've logged in. And we don't give up security for that. We use what we call a single-use rotating token. It's pretty much like a secret key or a secret password that changes every time you connect to the server. And that is also stored on your local phone or your local tablet. So it's convenience for you. It's inconvenience for the malicious actors trying to get in. We drive them nuts because it changes.

Heidi J. Ellsworth: I love it. I love it. Go ahead, Dennis.

Dennis Keglovits: Heidi, one of the important things to remember is, again, the owners, the roofers themselves got to take responsibility. We can put all the fancy tools and rules and regulations in place, but if they're going to circumvent it by handing out passwords, allowing people to use their stuff, all the great security in the world is not going to prevent a disaster or prevent a security breach. So it behooves them to follow the rules. I see a lot of times people passing things out. You see the sticky on the computer with your password, and you got to follow the rules in order to make this whole thing work.

Heidi J. Ellsworth: Yeah, that's the hard part. The following the rules part. Yeah.

Dan Mihai: Just want to mention one last thing to talk about ease of view. So you also need to weigh the convenience and ease of views against data integrity. So when I speak about data integrity, I speak about consistency of data. So for instance, we are extremely focused on making sure that the data that the roofing organization is collecting is what we call actionable. So assuming you are collecting someone's phone number, if you were to allow them to put anything they want in there, if you want to call someone and you just have a five-digit phone number, what do you do with it? Completely useless, right? And to go a little bit beyond that, if you capture someone's address, you can capture the street address, but if you forget the zip code or the town, the city, then it's completely useless. So we have these rules that basically make sure that enough of consistency is captured before we allow you to save.

Now, some of this can be inconvenient. So what we do in the Jobba UI, we do three things. Number one, we pre-fill information to the extent that's possible. So we type in for your information. You can still change it, but we're trying to anticipate what you want to put in. And the other thing we do is we give you maybe too many ways of accomplishing the same thing within the Jobba UI. So you have all these options. You can do it from here, from there, from anywhere, so you're not stuck into a certain way of doing things. And the third thing we do is we provide what we call navigation context. Let's say you're looking at an invoice. From that invoice, you switch to a list of payments. We automatically pre-filter your payments for that invoice. And if you're looking at the customer and then you go to invoices, we automatically pre-filter the list of invoices, only the invoices for that customer. You can still switch customers and see all the invoices. But we're trying to anticipate what you were trying to accomplish, and we're trying to make it easy for you. So yeah.

Heidi J. Ellsworth: That's great. And I think there's so much thought that goes into that. And overall, it is what Dennis said and what you're saying. You all can make it easy, but the users also have to be taking the time to do it right, and to really think through how their processes and their governance and everything. Gentlemen, wow, what a great topic. With Dennis working as a Chief Customer Officer and you working, Dan, as the Chief Technology Officer, you two are bringing two things, the human aspect and the technology aspect, together. And it's working.

Dan Mihai: Well, thank you. Thank you. Appreciate it.

Dennis Keglovits: We appreciate it. Yes. It's a combined effort, for sure, Dan building the system and all the rules inside and my team working with the customers to train them, to onboard them and make sure they fully understand the full capabilities and how everything works there behind the scenes.

Heidi J. Ellsworth: Sounds great. Wow. Thank you. Thank you, both, for everything you're doing. Thank Jobba for what you guys are doing for the industry. You've been doing so much ,and I'm just really excited to keep tracking this with all of your great innovations and helping to make roofing companies more profitable, more efficient and, obviously, safer. So thank you so much.

Dan Mihai: Thank you.

Dennis Keglovits: Thank you, Heidi.

Dan Mihai: Appreciate it.

Heidi J. Ellsworth: Thank you. And for everyone listening, of course, you can get all this great Jobba information on RoofersCoffeeShop in their directory. Plus, they have some amazing e-books, videos and articles that will help you with your security of your data and making sure you own it because it's yours. So don't forget that. And I also want to thank all of you for listening to this podcast. Be sure that you check out all of our podcasts under the re-listen watch initiative under Roofing Road Trips. And on your favorite podcast channel, be sure to subscribe and hit those notifications so you don't miss a single episode. And we'll be seeing you next time on Roofing Road Trips.

Speaker 1: Make sure to subscribe to our channel and leave a review. Thanks for listening. This has been Roofing Road Trips with Heidi from the rooferscoffeeshop.com.