As more and more people and organizations learn that cloud computing and Software-as-a-Service represent the future of software distribution, security has become a hot-button topic for both IT teams and company executives contemplating the move to an on-demand environment. This is an issue that Concur has been working on tirelessly for years, and the company is proud to boast that it has developed one of the most robust SaaS security platforms on the market today.
The driving force behind Concur’s rock solid security is the Concur Trust Platform, developed by Bruce Grenfell, Senior Director of Security and Compliance. We sat down with Bruce to learn more about his job, the evolution of the Concur Trust Platform, security challenges and what he likes to do outside of the office.
Q: Explain a day-in-the-life for you at Concur.
A: My day is a mixed bag really. My overall job is to ensure that our company is doing everything it can to maintain and enhance the level of comfort our clients and prospects have become used to in dealing with us and to maintain our competitive advantage at the right cost. To deliver this, my team continually reviews our position against industry and client expectation and carries out a host of audits to test our systems and figure out what’s working well and what can be improved. I spend quite a bit of time syncing cross-functionally throughout Concur to make sure our products remain secure.
Q: You’re a Concur veteran. What’s your story? How did you find your way to Concur?
A: That’s right. I started at Concur in September 2004 after spending many years working in the IT industry internationally and began looking for a young, energetic technology company that would enable me to combine my passions and experience working in the technology space while leveraging my skills and experience around security and service management disciplines. Concur was that place, and it’s been a great place to be for six years now.
Q: What is unique about your role/job? How has it evolved since 2004?
A: My role has grown tremendously since I started in 2004. What really drew me to Concur was the idea of outsourcing core competence. In this case, it was expense management and the company’s recent move to the then unproven SaaS delivery model. I knew that security and service management would play a key role at the company, so I jumped at the chance, and the challenge, to create and define a robust security strategy.
In the beginning, my first goal was to create and gain funding for an overall deeper security strategy for the Concur Expense and Concur Expense Pro SaaS-based offerings. Since then the pace of innovation has been quick. We now have eight services, including Concur Travel & Expense, that we maintain tight compliance around and ensure that they continue to make Concur easy to do business with. In addition to our own data security standards as well as SOX compliance, I now have responsibility for security at the corporate level. This goes beyond our products and hosted operations to individual employee data security, so my role has grown over the years.
Q: What were the major hurdles you had to overcome to get security up to speed?
A: Concur very much has an active “can do” culture. If something is broken it gets fixed and the next issue is addressed—it’s part of our DNA and one reason why the company is successful. From a security perspective I needed to introduce a more process-oriented mindset. We needed a set of measured processes and controls so that we could identify any failures, find out what caused the failure and fix it so that it does not re-occur. The real challenge was to ensure that the pace of innovation is not suppressed through too much red tape. The second challenge was to define how we communicated our strong security, which is why the Concur Trust Platform was created.
Q: Talk about the evolution of the Concur Trust Platform. Where did it start and where is it headed?
A: It started with the need to demonstrate to current and potential clients just how secure our software is. We did this by achieving industry-recognized standards and attestations like SAS 70 Type II and ISO 27000. We need to do this because clients trust us to look after large amounts of their financial and personal information, so the Trust Platform was developed to frame our security architecture and provide a means to clearly communicate our security and compliance strategy to clients, prospects and partners.
As for where it is headed, the Trust Platform today is a great baseline. As the company continues to grow internationally we continue to maintain the Trust Platform while also exploring ways to make it a truly global platform. To deliver this we have developed the “governance framework”—that is a set of 22 operational controls that provide one set of processes which have mapped to industry and international regulation to provide a truly global trust platform.
Q: What are we most likely to find you doing outside of work? What are you currently reading, watching or listening to?
A: I love to travel, and have a house in Thailand that I intend to retire to eventually. Beyond travel I love to read about science and science fiction, work with computers and run. Fitness is very important—I played Rugby until I was 42 and couldn’t take the hits any longer. I still enjoy running and will run at least four days a week for a total of 16 miles.

