Wisdom From The Women Leading The Cybersecurity Industry, With Andrea Pfundmeier of Secomba GmbH | Boxcryptor
An Interview With Jason Remillard
Share Experiences — A lot of leaders have learned a lot during their careers and tend to tell other people, what to do and how to do it. During the last 10 years, I figured out, that I feel offended, any time people start sentences with “you must do things in that way…” or “you have to do this…”. I myself try to teach or inspire by telling my own stories and experiences and let everybody take their own learnings and actions from it.
The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Andrea Pfundmeier.
Andrea Pfundmeier (born 1987) founded Secomba GmbH, based in Augsburg, in the south of Germany, together with Robert Freudenreich in 2011. The company develops the cloud-optimized encryption solution Boxcryptor, which is used by customers worldwide. The law and economics graduate and mother of two was awarded the German Founder’s Prize 2013 for her commitment, among others, and was listed on the Forbes 30under30 list in 2017.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
I was born 34 years ago near Augsburg, Germany. After finishing school, I studied law and economics at the University of Augsburg. Entrepreneurship was never an issue in my family. Both my parents worked in large enterprises and always thought that I would follow them. When I told them that I want to start my own company, it was a big surprise for them and honestly, in the beginning, they were not happy at all. They would have preferred seeing me in a large enterprise with a safe job.
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
To be honest, there is nothing that directly comes to my mind.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Towards the end of my studies, I met my co-founder Robert, and we decided to start a company after we both finished university. Our first startup idea did not work out very well, but in order to securely share files, we developed an encryption service for Dropbox. This tool — which was originally developed as an internal tool for the two of us — received a lot of positive feedback: The idea of Boxcryptor was born.
Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?
It is not a mistake, but right after we started our company, we wanted to hire an intern. We published the job description for an internship and were sure, that we would get many applications because of course we were convinced that our startup was the best in town. After a couple of weeks, we only had one (!) application and the disappointment was really big. Fun fact: we hired this one and only student who wanted to work for us. It was our first employee and he stayed with us through all the past 10 years. Looking back, it was not a mistake at all but it was pure luck that we found each other.
Are you working on any exciting new projects now? How do you think that will help people?
We are currently working on an encryption solution for Microsoft Teams and we are sure, that this will help all users to make sure that they can collaborate in an easy AND secure way. The pandemic shows us how important remote work and collaboration are, but security should remain the top priority.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
The Future: I am excited about the impact on the future of cybersecurity. Protecting our data today helps us to look confidently into the future and to stay excited about upcoming trends and innovations. Knowing that my data is secure helps me to be open to innovation and e.g., give new tools a try.
The New Technology: Moreover, the field of cybersecurity will of course also be impacted by quantum computing and that will be something that will impact the whole industry. As I love change and new technologies, this is something that excites me.
The Impact: Last but not least: I know that cybersecurity helps people and companies all over the world to use new technologies without giving up privacy and data security. This means it is a product that is actually important and so much needed and therefore something good in the world.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
There are not three things, but mainly one big topic that concerns me most at the moment: politics. There are currently a lot of efforts from various governments who want to weaken, for example, end-to-end encryption. One example is the European Union which now allows e-mail, messaging, and chat providers to automatically search all personal electronic mail and messages of each citizen for presumed child pornography or child grooming (so-called chat control or e-privacy derogation)
I think it’s important that we must not base the standards of our society on the behavior of criminals. Crimes cannot be prevented by making every citizen a potential suspect.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
I am convinced that that data protection and privacy will continue to become more and more important. Data is the most valuable possession that most companies have these days. To protect the data of the company, its employees, and of course, its clients should be one of the highest priorities. Unfortunately, this privacy and security issue is often seen as an unpopular one, with only the minimum legal regulations being met. However, putting data protection as the top priority, also shows that companies care and are well-prepared for the future.
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
The story is not about a cybersecurity breach but a story of why encryption is important: One of our clients is Associated Press which is an independent global news organization with over 250 locations worldwide. They use Boxcryptor because they need to protect their journalists’ privacy, including communication between sources and the content they create. Ensuring privacy for their journalists and contacts is most important. Furthermore, using tools that symbolize that they are privacy conscious promotes a trust with sources that may speak to their journalists. The combination of press freedom and cybersecurity is what impressed me most in this use case.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Boxcryptor: Of course, we use our own product to encrypt all company data in the cloud. We add the Boxcryptor encryption to our Microsoft Teams, Dropbox, and OneDrive services to make sure our data does not fall into wrong hands — and of course to comply with regulations as e.g., the GDPR.
Last Pass: A password manager is extremely important to set good passwords. We use LastPass for many years.
Threema: It’s an encrypted chat service I use to communicate with my family and e.g. send pictures of my children to their grandparents.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
In general, it is difficult to find out if one’s data is compromised. It is not like a stolen car, where the owner instantly realizes that the car is gone. On the contrary: if my data is stolen or spied out, I normally do not realize it at all. It might take years to realize that something went wrong. Therefore, it is so important to take action e.g., to encrypt data before an incident happens.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The first thing to do is to clearly communicate what went wrong and what kind of data is affected. This is especially important for affected customers that they can also immediately take action on their side (e.g., change passwords). For protection in the future, I recommend to first define which data in a company is especially vulnerable. This is definitely all personal data, but could also be e.g., financial data. The next step is to define processes and tools to ideally protect this data right from the beginning where the data is stored. End-to-end encryption is something that should definitely be used. Also, staff training on IT security should be part of every IT security strategy.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
The sentence that I hear most often is “We don’t need encryption, we do not have any top-secret information in our company”. This is a very dangerous attitude because on the one hand at least the information about the own staff (name, birthdate, eventually illness days, or private notes from performance reviews) can be highly sensitive and need protection. On the other hand, not the data owner alone decides what kind of data is of interest or not. It is the potential attacker who in the end puts a value on the data. And once a company realizes that data is lost or stolen, it will instantly realize the real value of the data.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
When I started 10 years ago in the cybersecurity space and as an entrepreneur, I was kind of a unicorn in two ways: I was one of the very few women who had started a company and one of the even fewer women who started a company in the IT security space. I would love to say that this changed during the last 10 years, but unfortunately, there is still a lot of room for improvement. One of the most important things from my point of view is the importance of role models. Women who are in the IT Security space should openly and publicly talk about it. About their jobs, about how they can influence and build the future. This is so important, especially for young girls to see a career in the IT security area as an option for their lives.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
One myth is that there are “no women” especially when it comes to events and big stages. Unfortunately, big events are still dominated by men and when people ask why there are no women, the answers are “There are no women” or “We could not find any woman who wants to speak on stage”. The first answer is simply not true because there are many brilliant women out there who know everything about IT security. And to change the second answer, we –again– need to put role models on stages in order to give other women the confidence to follow them.
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
- You’re unique, make an advantage from it
At the beginning of our startup, I was always the only woman on stage or in investors meetings. In the beginning, this felt weird. But very soon I discovered that I can use this as an advantage. Most people don’t remember the 20th man that is presenting a product, but they might remember the only women they saw that day. Moreover, I took every chance I had to present our product and our company on a stage or in a magazine, even though I know, that a lot of times we were chosen because I was a woman. But I did not care. As long as my company and our product got publicity, it was a success.
2. Share Experiences
A lot of leaders have learned a lot during their careers and tend to tell other people, what to do and how to do it. During the last 10 years, I figured out, that I feel offended, any time people start sentences with “you must do things in that way…” or “you have to do this…”. I myself try to teach or inspire by telling my own stories and experiences and let everybody take their own learnings and actions from it.
3. Ask Questions
As a leader, I do not have the answer to everything. I have a lot of employees who are — in their profession — a lot smarter than me. When they come to me and ask questions, I return the questions. Most times, they already know the answer or even come up with great new ideas. Thinking that a leader is the one who knows the answer to everything is in many cases not true.
4. Ask for Help
I learned that a lot of people really want to help others. They want to help them; they have great experiences and can share inspiring stories. What is — in many times missing — is someone asking them for help. At the beginning of my startup career, I also did not dare to ask other people for help or advice. I did not want to create the impression, that I am not smart enough or that I am weak and need help. This attitude changed a lot during the last years. Asking directly for help is something, that brings you forward — much faster than anything else. Share your way — and your struggles
5. This brings me directly to my last leadership lesson: Share your vision and share the way you want to go with as many other people as you can. In this way, you will receive so much support and help and once you put your map out there, people will support you in finding your way. And do not only share your way, but also your struggles and problems. And as long others do not know your struggles, they cannot help you.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)
This year in September, there will be federal elections here in Germany. The outcome is yet unknown, but it is for sure that there will be a new Chancellor. I would like to have lunch with this new Chancellor to explain why data privacy especially here in Germany is so important. Germany is worldwide known for having high privacy standards. A lot of our clients are actively looking for a German solution due to this fact. And I want to make sure, that the new decision makers here in Germany value privacy and data protection as much as we here at Boxcryptor do.
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!