March 20, 2025
The infinite frontier



Breaches are not a matter of “if” but “when.” The true test of security is not whether incidents happen, but how swiftly and effectively an organization can detect, contain, and recover from them. Discover Planhat's philosophy on Security, centered around dynamic protocols rather than static protections.
When I began my career in information security, the landscape was completely different.
Cloud was something in the sky, not something that – today – almost every organization relies on. Security was largely reactive. Having a firewall and antivirus software was seen as sufficient protection, and most organizations viewed security as an IT problem, rather than a critical business function. Much like the moat of a castle, our firewall created a perimeter for us – and everything inside that perimeter was presumed safe. When purchasing software, many companies naïvely assumed what they were buying was somehow “security-neutral” and that bringing it inside their secure perimeter was enough to protect themselves from external threats – rather than seeing it as the potential trojan horse it was.
But over time – as companies started to embrace Cloud technology and SaaS models – the mindset started to shift, bringing new challenges as the traditional “perimeter” ideal started to disintegrate. Gone were the days of clean moats drawn by firewalls: with our data living all over the internet, we could no longer wage war from the comfort of our own castles – we had to learn to scramble and skirmish in unknown territory against invisible enemies.
Worse still, many of those enemies are already inside the castle keep – fighting shoulder-to-shoulder alongside us. I remember my first encounter with a “leaky bucket” incident. I discovered an open storage bucket publicly accessible on the web that was hosting company data. Immediately my mind started to race: Who had infiltrated our servers? Why was it open to the public? Had anyone accessed the data? What could be done with it? And so on. Fortunately, that data never got used against us or our customers, but I was shocked to find it was the result of simple human error – and not some premeditated plan to bring our company to its knees.
Put simply, the storage bucket was incorrectly configured – not by a bad actor, but by our own dev team. And nobody (including myself) spotted it for almost a month. This was the first time I experienced the harsh reality of security: no matter what controls you have in place, or how advanced your security measures, simple (usually innocent) human error has the power to invalidate everything. Worse still, it usually takes little more than a single misplaced keystroke or click. For this reason, security is about (much) more than systems.
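The misconfiguration described above is usually visible in the bucket's own policy and ACL long before anyone notices it from the outside. The following is an added example, not code from the original post or from Planhat, of the kind of automated check that catches it: it reads a bucket policy document (in the JSON shape AWS S3 uses, with `Effect`, `Principal`, `Action` and optional `Condition`) and an ACL grant list, and flags anything that grants access to everyone. The sample policy, the ACL grants, the bucket name and the account ID are constructed for the example and are not taken from the incident in the post.

```python
import json

# Constructed sample bucket policy (not from the page). The first statement
# grants anonymous read, which is the "leaky bucket" class of misconfiguration.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed sample ACL grants, in the shape the S3 GetBucketAcl API returns.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# The two predefined S3 groups that make an ACL grant public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_anonymous(principal) -> bool:
    """True if the Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json: str) -> list:
    """Return the Sids of unconditional Allow statements whose Principal is everyone."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        if st.get("Condition"):
            # An anonymous Allow narrowed by a Condition is not counted here;
            # such statements should be queued for manual review instead.
            continue
        findings.append(st.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(grants: list) -> list:
    """Return (group URI, permission) pairs for ACL grants to the public groups."""
    return [(g["Grantee"].get("URI"), g["Permission"])
            for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]


def bucket_is_public(policy_json: str, grants: list) -> bool:
    """A bucket is public if either its policy or its ACL opens it to everyone."""
    return bool(public_policy_statements(policy_json)) or bool(public_acl_grants(grants))


if __name__ == "__main__":
    print("policy findings:", public_policy_statements(SAMPLE_POLICY))
    print("acl findings:", public_acl_grants(SAMPLE_ACL_GRANTS))
    print("bucket public:", bucket_is_public(SAMPLE_POLICY, SAMPLE_ACL_GRANTS))
```

Run against every bucket on a schedule (or on each policy change event), a check like this turns a month of silent exposure into an alert within minutes. The account-level block-public-access setting is the stronger control, since it prevents such a policy from taking effect at all; the scan is the detective layer that tells you when someone has tried.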
After 10 years in cyber and software security, I’m a firm believer in the power of a unified approach – to organizational culture, behavioural protocols and technical controls – in creating secure teams, and thereby secure products. Over this time, I've developed a philosophy that embodies this approach, centered around three tightly connected pillars: Secure, Protected, and Private. I don’t consider this so much a “security framework” (there’s more than enough “frameworks” gathering dust in the world), but rather a practical mindset I employ daily to address the complete lifecycle of risk management for our company, product, and our customers therein.
Secure
Resilient against active threats through continuous monitoring, rapid detection, and swift incident response, ensuring minimal disruption and sustained operational integrity.
Breaches are not a matter of “if” but “when.” The true test of security is not whether incidents happen, but how swiftly and effectively an organization can detect, contain, and recover from them.
The average time to detect a breach is 277 days – nearly nine months in which an attacker can be siphoning data, escalating access, or waiting for the perfect moment to strike. The longer a threat remains undetected, the greater the potential blast radius. Organizations that fail to recognize this risk operate under a dangerous illusion of security.
I have seen firsthand how rapid response can mean the difference between a close call and a catastrophic breach. In one incident, our security monitoring tools flagged an unusual access pattern on a user account. Immediately, we activated our Incident Response Plan (IRP) and within hours, we identified and contained the threat before it could escalate. Without this swift action, highly sensitive data would have been exposed, causing irreparable financial and reputational harm.
At Planhat, being Secure means being resilient. For this reason, we maintain 24/7 security monitoring, a dedicated security team, and comprehensive response strategies to minimize risk and ensure business continuity. Our Incident Response Plans (IRPs) and Business Continuity & Disaster Recovery (BCDR) protocols are rigorously tested and continuously improved.
Protected
Defended against loss, corruption, or unintended exposure through proactive safeguards such as encryption, backups, redundancy, and continuous risk management.
Many organizations mistake security for a checklist – a series of preventive controls meant to “keep the bad guys out”. Firewalls, encryption, access management – yes, these are essential, but alone, they are not enough. Protection is not just about having controls; it’s about proactively managing and improving them before an incident forces you to.
I’ve witnessed this mindset fail spectacularly. While consulting for a company early in my career, I experienced the repercussions of prioritizing compliance over security firsthand. While they had the right technical controls in place on paper, in reality those controls were neglected, outdated, and ineffective. They assumed that regulatory compliance meant they were safe – and went about their business as usual with blind faith. When a breach (inevitably) occurred, they were shocked to find that the very controls they relied on had failed them because they were never actively tested, updated, or improved.
At Planhat, protection is proactive. While we implement enterprise-grade encryption, regular backups, distributed data storage and data integrity safeguards, protection is only as good as the culture that surrounds it. By empowering our team with a clear awareness of their security responsibilities, obligations and courses of action, we ensure a broad vigilance to both internal vulnerabilities and external threats.
Private
Controlled and accessible only to authorized users, ensuring data confidentiality, regulatory compliance, and user autonomy over how their information is stored, shared, and protected.
Security without privacy is meaningless. Privacy is not so much a feature, but a right. As I see it, organizations do not own customer data – we are merely its stewards.
At Planhat, privacy is control. We fundamentally believe that your data belongs to you and – as such – our platform is designed to ensure you always have full control over who can access your data and how it is used. Through strict access policies, role-based permissions, and industry-leading encryption, we minimize access and eliminate unnecessary exposure.
Nonetheless, privacy is not just about technology, but trust. That’s why we adhere to global privacy regulations, including GDPR, CCPA, and industry-standard compliance frameworks. Importantly, we don’t just strive to meet the legal minimum – we operate under the principle that privacy should be an expectation of any platform or provider, not an exception.
Closing
The fight is no longer about simply fortifying a perimeter – it’s about adaptability, vigilance, and a shared responsibility to defend data at all costs. For this reason, Security isn’t a product or a policy but a unified philosophy. As a result, at Planhat security isn't the effort of a single department; it's an obligation shared by our entire organization, and championed by protocols rather than products so that it permeates everything we create.
To learn more about our security protocols, click here – or reach out to our team directly here.
March 20, 2025
The infinite frontier
The infinite frontier
The infinite frontier




When I began my career in information security, the landscape was completely different.
Cloud was something in the sky, not something that – today – almost every organization relies on. Security was largely reactive. Having a firewall and antivirus software was seen as sufficient protection, and most organizations viewed security as an IT problem, rather than a critical business function. Much like the moat of a castle, our firewall created a perimeter for us – and everything inside that perimeter was presumed safe. When purchasing software, many companies naïvely assumed what they were buying was somehow “security-neutral” and that bringing it inside their secure perimeter was enough to protect themselves from external threats – rather than seeing it as the potential trojan horse it was.
But over time – as companies started to embrace Cloud technology and SaaS models – the mindset started to shift, bringing new challenges as the traditional “perimeter” ideal started to disintegrate. Gone were the days of clean moats drawn by firewalls: with our data living all over the internet, we could no longer wage war from the comfort of our own castles – we had to learn to scramble and skirmish in unknown territory against invisible enemies.
Worse still, many of those enemies are already inside the castle keep – fighting shoulder-to-shoulder alongside us. I remember my first encounter with a “leaky bucket” incident. I discovered an open storage bucket publicly accessible on the web that was hosting company data. Immediately my mind started to race: Who had infiltrated our servers? Why was it open to the public? Had anyone accessed the data? What could be done with it? And so on. Fortunately, that data never got used against us or our customers, but I was shocked to find it was the result of simple human error – and not some pre-meditated plan to bring our company to its knees.
Put simply, the storage bucket was incorrectly configured – not by a bad actor, but by our own dev team. And nobody (including myself) spotted it for almost a month. This was the first time I experienced the harsh reality of security: no matter what controls you have in place, or how advanced your security measures, simple (usually innocent) human error has the power to invalidate everything. Worse still, it usually takes little more than a single misplaced keystroke or click. For this reason, security is about (much) more than systems.
After 10 years in cyber and software security, I’m a firm believer in the power of a unified approach – to organizational culture, behavioural protocols and technical controls – in creating secure teams, and thereby secure products. Over this time, I've developed a philosophy that embodies this approach, centered around three tightly connected pillars: Secure, Protected, and Private. I don’t consider this so much a “security framework” (there’s more than enough “frameworks” gathering dust in the world), but rather a practical mindset I employ daily to address the complete lifecycle of risk management for our company, product, and our customers therein.
Secure
Resilient against active threats through continuous monitoring, rapid detection, and swift incident response, ensuring minimal disruption and sustained operational integrity.
Breaches are not a matter of “if” but “when.” The true test of security is not whether incidents happen, but how swiftly and effectively an organization can detect, contain, and recover from them.
The average time to detect a breach is 277 days – nearly nine months in which an attacker can be siphoning data, escalating access, or waiting for the perfect moment to strike. The longer a threat remains undetected, the greater the potential blast radius. Organizations that fail to recognize this risk operate under a dangerous illusion of security.
I have seen firsthand how rapid response can mean the difference between a close call and a catastrophic breach. In one incident, our security monitoring tools flagged an unusual access pattern on a user account. Immediately, we activated our Incident Response Plan (IRP) and within hours, we identified and contained the threat before it could escalate. Without this swift action, highly sensitive data would have been exposed, causing irreparable financial and reputational harm.
At Planhat, being Secure means being resilient. For this reason, we maintain 24/7 security monitoring, a dedicated security team, and comprehensive response strategies to minimize risk and ensure business continuity. Our Incident Response Plans (IRPs) and Business Continuity & Disaster Recovery (BCDR) protocols are rigorously tested and continuously improved.
Protected
Defended against loss, corruption, or unintended exposure through proactive safeguards such as encryption, backups, redundancy, and continuous risk management.
Many organizations mistake security for a checklist – a series of preventive controls meant to “keep the bad guys out”. Firewalls, encryption, access management – yes, these are essential, but alone, they are not enough. Protection is not just about having controls; it’s about proactively managing and improving them before an incident forces you to.
I’ve witnessed this mindset fail spectacularly. While consulting for a company early in my career, I experienced the repercussions of prioritizing compliance over security firsthand. While they had the right technical controls in place on paper, in reality those controls were neglected, outdated, and ineffective. They assumed that regulatory compliance meant they were safe – and went about their business as usual with blind faith. When a breach (inevitably) occurred, they were shocked to find that the very controls they relied on had failed them because they were never actively tested, updated, or improved.
At Planhat, protection is proactive. While we implement enterprise-grade encryption, regular backups, distributed data storage and data integrity safeguards, protection is only as good as the culture that surrounds it. By empowering our team with a clear awareness of their security responsibilities, obligations and courses of action, we ensure a broad vigilance to both internal vulnerabilities and external threats.
Private
Controlled and accessible only to authorized users, ensuring data confidentiality, regulatory compliance, and user autonomy over how their information is stored, shared, and protected.
Security without privacy is meaningless. Privacy is not so much a feature, but a right. As I see it, organizations do not own customer data – we are merely its stewards.
At Planhat, privacy is control. We fundamentally believe that your data belongs to you and – as such – our platform is designed to ensure you always have full control over who can access your data and how it is used. Through strict access policies, role-based permissions, and industry-leading encryption, we minimize exposure and eliminate unnecessary exposure.
Nonetheless, privacy is not just about technology, but trust. That’s why we adhere to global privacy regulations, including GDPR, CCPA, and industry-standard compliance frameworks. Importantly, we don’t just strive to meet the legal minimum – we operate under the principle that privacy should be an expectation of any platform or provider, not an exception.
Closing
The fight is no longer about simply fortifying a perimeter – it’s about adaptability, vigilance, and a shared responsibility to defend data at all costs. For this reason, Security isn’t a product or a policy but a unified philosophy. As a result, at Planhat security isn't the effort of a single department, it's an obligation shared by our entire organization, and championed by protocols rather than products so that it permeates everything we create.
To learn more about our security protocols, click here – or reach out to our team direct here.
When I began my career in information security, the landscape was completely different.
Cloud was something in the sky, not something that – today – almost every organization relies on. Security was largely reactive. Having a firewall and antivirus software was seen as sufficient protection, and most organizations viewed security as an IT problem, rather than a critical business function. Much like the moat of a castle, our firewall created a perimeter for us – and everything inside that perimeter was presumed safe. When purchasing software, many companies naïvely assumed what they were buying was somehow “security-neutral” and that bringing it inside their secure perimeter was enough to protect themselves from external threats – rather than seeing it as the potential trojan horse it was.
But over time – as companies started to embrace Cloud technology and SaaS models – the mindset started to shift, bringing new challenges as the traditional “perimeter” ideal started to disintegrate. Gone were the days of clean moats drawn by firewalls: with our data living all over the internet, we could no longer wage war from the comfort of our own castles – we had to learn to scramble and skirmish in unknown territory against invisible enemies.
Worse still, many of those enemies are already inside the castle keep – fighting shoulder-to-shoulder alongside us. I remember my first encounter with a “leaky bucket” incident. I discovered an open storage bucket publicly accessible on the web that was hosting company data. Immediately my mind started to race: Who had infiltrated our servers? Why was it open to the public? Had anyone accessed the data? What could be done with it? And so on. Fortunately, that data never got used against us or our customers, but I was shocked to find it was the result of simple human error – and not some pre-meditated plan to bring our company to its knees.
Put simply, the storage bucket was incorrectly configured – not by a bad actor, but by our own dev team. And nobody (including myself) spotted it for almost a month. This was the first time I experienced the harsh reality of security: no matter what controls you have in place, or how advanced your security measures, simple (usually innocent) human error has the power to invalidate everything. Worse still, it usually takes little more than a single misplaced keystroke or click. For this reason, security is about (much) more than systems.
After 10 years in cyber and software security, I’m a firm believer in the power of a unified approach – to organizational culture, behavioural protocols and technical controls – in creating secure teams, and thereby secure products. Over this time, I've developed a philosophy that embodies this approach, centered around three tightly connected pillars: Secure, Protected, and Private. I don’t consider this so much a “security framework” (there’s more than enough “frameworks” gathering dust in the world), but rather a practical mindset I employ daily to address the complete lifecycle of risk management for our company, product, and our customers therein.
Secure
Resilient against active threats through continuous monitoring, rapid detection, and swift incident response, ensuring minimal disruption and sustained operational integrity.
Breaches are not a matter of “if” but “when.” The true test of security is not whether incidents happen, but how swiftly and effectively an organization can detect, contain, and recover from them.
The average time to detect a breach is 277 days – nearly nine months in which an attacker can be siphoning data, escalating access, or waiting for the perfect moment to strike. The longer a threat remains undetected, the greater the potential blast radius. Organizations that fail to recognize this risk operate under a dangerous illusion of security.
I have seen firsthand how rapid response can mean the difference between a close call and a catastrophic breach. In one incident, our security monitoring tools flagged an unusual access pattern on a user account. Immediately, we activated our Incident Response Plan (IRP) and within hours, we identified and contained the threat before it could escalate. Without this swift action, highly sensitive data would have been exposed, causing irreparable financial and reputational harm.
At Planhat, being Secure means being resilient. For this reason, we maintain 24/7 security monitoring, a dedicated security team, and comprehensive response strategies to minimize risk and ensure business continuity. Our Incident Response Plans (IRPs) and Business Continuity & Disaster Recovery (BCDR) protocols are rigorously tested and continuously improved.
Protected
Defended against loss, corruption, or unintended exposure through proactive safeguards such as encryption, backups, redundancy, and continuous risk management.
Many organizations mistake security for a checklist – a series of preventive controls meant to “keep the bad guys out”. Firewalls, encryption, access management – yes, these are essential, but alone, they are not enough. Protection is not just about having controls; it’s about proactively managing and improving them before an incident forces you to.
I’ve witnessed this mindset fail spectacularly. While consulting for a company early in my career, I experienced the repercussions of prioritizing compliance over security firsthand. While they had the right technical controls in place on paper, in reality those controls were neglected, outdated, and ineffective. They assumed that regulatory compliance meant they were safe – and went about their business as usual with blind faith. When a breach (inevitably) occurred, they were shocked to find that the very controls they relied on had failed them because they were never actively tested, updated, or improved.
At Planhat, protection is proactive. While we implement enterprise-grade encryption, regular backups, distributed data storage and data integrity safeguards, protection is only as good as the culture that surrounds it. By empowering our team with a clear awareness of their security responsibilities, obligations and courses of action, we ensure a broad vigilance to both internal vulnerabilities and external threats.
Private
Controlled and accessible only to authorized users, ensuring data confidentiality, regulatory compliance, and user autonomy over how their information is stored, shared, and protected.
Security without privacy is meaningless. Privacy is not so much a feature, but a right. As I see it, organizations do not own customer data – we are merely its stewards.
At Planhat, privacy is control. We fundamentally believe that your data belongs to you and – as such – our platform is designed to ensure you always have full control over who can access your data and how it is used. Through strict access policies, role-based permissions, and industry-leading encryption, we minimize exposure and eliminate unnecessary exposure.
Nonetheless, privacy is not just about technology, but trust. That’s why we adhere to global privacy regulations, including GDPR, CCPA, and industry-standard compliance frameworks. Importantly, we don’t just strive to meet the legal minimum – we operate under the principle that privacy should be an expectation of any platform or provider, not an exception.
Closing
The fight is no longer about simply fortifying a perimeter – it’s about adaptability, vigilance, and a shared responsibility to defend data at all costs. For this reason, Security isn’t a product or a policy but a unified philosophy. As a result, at Planhat security isn't the effort of a single department, it's an obligation shared by our entire organization, and championed by protocols rather than products so that it permeates everything we create.
To learn more about our security protocols, click here – or reach out to our team direct here.
When I began my career in information security, the landscape was completely different.
Cloud was something in the sky, not something that – today – almost every organization relies on. Security was largely reactive. Having a firewall and antivirus software was seen as sufficient protection, and most organizations viewed security as an IT problem, rather than a critical business function. Much like the moat of a castle, our firewall created a perimeter for us – and everything inside that perimeter was presumed safe. When purchasing software, many companies naïvely assumed what they were buying was somehow “security-neutral” and that bringing it inside their secure perimeter was enough to protect themselves from external threats – rather than seeing it as the potential trojan horse it was.
But over time – as companies started to embrace Cloud technology and SaaS models – the mindset started to shift, bringing new challenges as the traditional “perimeter” ideal started to disintegrate. Gone were the days of clean moats drawn by firewalls: with our data living all over the internet, we could no longer wage war from the comfort of our own castles – we had to learn to scramble and skirmish in unknown territory against invisible enemies.
Worse still, many of those enemies are already inside the castle keep – fighting shoulder-to-shoulder alongside us. I remember my first encounter with a “leaky bucket” incident. I discovered an open storage bucket publicly accessible on the web that was hosting company data. Immediately my mind started to race: Who had infiltrated our servers? Why was it open to the public? Had anyone accessed the data? What could be done with it? And so on. Fortunately, that data never got used against us or our customers, but I was shocked to find it was the result of simple human error – and not some pre-meditated plan to bring our company to its knees.
Put simply, the storage bucket was incorrectly configured – not by a bad actor, but by our own dev team. And nobody (including myself) spotted it for almost a month. This was the first time I experienced the harsh reality of security: no matter what controls you have in place, or how advanced your security measures, simple (usually innocent) human error has the power to invalidate everything. Worse still, it usually takes little more than a single misplaced keystroke or click. For this reason, security is about (much) more than systems.
After 10 years in cyber and software security, I’m a firm believer in the power of a unified approach – to organizational culture, behavioural protocols and technical controls – in creating secure teams, and thereby secure products. Over this time, I've developed a philosophy that embodies this approach, centered around three tightly connected pillars: Secure, Protected, and Private. I don’t consider this so much a “security framework” (there’s more than enough “frameworks” gathering dust in the world), but rather a practical mindset I employ daily to address the complete lifecycle of risk management for our company, product, and our customers therein.
Secure
Resilient against active threats through continuous monitoring, rapid detection, and swift incident response, ensuring minimal disruption and sustained operational integrity.
Breaches are not a matter of “if” but “when.” The true test of security is not whether incidents happen, but how swiftly and effectively an organization can detect, contain, and recover from them.
The average time to detect a breach is 277 days – nearly nine months in which an attacker can be siphoning data, escalating access, or waiting for the perfect moment to strike. The longer a threat remains undetected, the greater the potential blast radius. Organizations that fail to recognize this risk operate under a dangerous illusion of security.
I have seen firsthand how rapid response can mean the difference between a close call and a catastrophic breach. In one incident, our security monitoring tools flagged an unusual access pattern on a user account. Immediately, we activated our Incident Response Plan (IRP) and within hours, we identified and contained the threat before it could escalate. Without this swift action, highly sensitive data would have been exposed, causing irreparable financial and reputational harm.
At Planhat, being Secure means being resilient. For this reason, we maintain 24/7 security monitoring, a dedicated security team, and comprehensive response strategies to minimize risk and ensure business continuity. Our Incident Response Plans (IRPs) and Business Continuity & Disaster Recovery (BCDR) protocols are rigorously tested and continuously improved.
Protected
Defended against loss, corruption, or unintended exposure through proactive safeguards such as encryption, backups, redundancy, and continuous risk management.
Many organizations mistake security for a checklist – a series of preventive controls meant to “keep the bad guys out”. Firewalls, encryption, access management – yes, these are essential, but alone, they are not enough. Protection is not just about having controls; it’s about proactively managing and improving them before an incident forces you to.
I’ve witnessed this mindset fail spectacularly. While consulting for a company early in my career, I experienced the repercussions of prioritizing compliance over security firsthand. While they had the right technical controls in place on paper, in reality those controls were neglected, outdated, and ineffective. They assumed that regulatory compliance meant they were safe – and went about their business as usual with blind faith. When a breach (inevitably) occurred, they were shocked to find that the very controls they relied on had failed them because they were never actively tested, updated, or improved.
At Planhat, protection is proactive. While we implement enterprise-grade encryption, regular backups, distributed data storage and data integrity safeguards, protection is only as good as the culture that surrounds it. By empowering our team with a clear awareness of their security responsibilities, obligations and courses of action, we ensure a broad vigilance to both internal vulnerabilities and external threats.
Private
Controlled and accessible only to authorized users, ensuring data confidentiality, regulatory compliance, and user autonomy over how their information is stored, shared, and protected.
Security without privacy is meaningless. Privacy is not so much a feature, but a right. As I see it, organizations do not own customer data – we are merely its stewards.
At Planhat, privacy is control. We fundamentally believe that your data belongs to you and – as such – our platform is designed to ensure you always have full control over who can access your data and how it is used. Through strict access policies, role-based permissions, and industry-leading encryption, we minimize exposure and eliminate unnecessary exposure.
Nonetheless, privacy is not just about technology, but trust. That’s why we adhere to global privacy regulations, including GDPR, CCPA, and industry-standard compliance frameworks. Importantly, we don’t just strive to meet the legal minimum – we operate under the principle that privacy should be an expectation of any platform or provider, not an exception.
Closing
The fight is no longer about simply fortifying a perimeter – it’s about adaptability, vigilance, and a shared responsibility to defend data at all costs. For this reason, Security isn’t a product or a policy but a unified philosophy. As a result, at Planhat security isn't the effort of a single department, it's an obligation shared by our entire organization, and championed by protocols rather than products so that it permeates everything we create.
To learn more about our security protocols, click here – or reach out to our team direct here.

Kristian Kivimägi
CISO, Planhat
Kristian is Planhat's Chief Information Security Officer (CISO), bringing over a decade of experience as a cybersecurity leader. Prior to joining Planhat, he served in various security roles at Pipedrive, most recently as Head of Cyber Security. He holds an MSc in Cyber Security and has guest-lectured at the Tallinn University of Technology since 2019.

© 2025 Planhat AB