Q&A with Workday’s Chief Trust Officer: Why Multi-Factor Authentication is a Must-Have

As Workday’s chief trust officer, Josh DeFigueiredo has a tremendous responsibility to build, maintain, and grow the relationship of trust between Workday and its customers.

DeFigueiredo often talks about how Workday’s cloud is uniquely built to meet modern security challenges. Yet Workday continues to explore ways to help our customers keep their data safe, such as our recently announced partnership with Duo Security around multi-factor authentication (MFA).

In a recent interview, we asked DeFigueiredo to share what life is like as a chief trust officer, what he perceives as the biggest security threats, and why MFA is so critical in today’s world.

What are the occupational hazards of a chief trust officer?

As is the case in life, trust is something earned, not given. Earning the trust of our customers carries significant responsibility.

“At the end of the day, we’re not just protecting data, we’re protecting people.”

Josh DeFigueiredo, Chief Trust Officer, Workday
Josh DeFigueiredo

As the chief trust officer, I have the honor of meeting with our customers face to face, which makes protecting our customers’ data very personal to me. It’s not just a motto, sales slogan, or catchphrase; protecting our customers’ data is at the core of everything we do. It’s not a stretch to say that it’s all I think about because at the end of the day, we’re not just protecting data, we’re protecting people.

What is the biggest security threat facing companies and their people today?

Social engineering, such as phishing campaigns, is at the top of the list. Attackers looking to compromise user accounts are far more likely to come through the front door than the back. Each of us receive dozens if not hundreds of emails each day, and it’s becoming harder and harder to identify a valid email from a malicious one. In the world of information security, people are generally the weakest link. Companies have to do everything they can to protect users from falling victim to a targeted attack.

Why is multi-factor authentication so important?

MFA is one of the most effective means of combating account takeover attempts that result from social engineering campaigns. Each of us at some point in our life has opened a malicious email or clicked on a malicious link. If an attacker compromises your username and password, the second factor of authentication (something you have or something you know) protects your account from being taken over by the attacker. In today’s environment, MFA should be used anywhere it’s possible to deploy. It should be in place by default for everyone, and no longer viewed as only for administrative accounts.

What holds companies back from using MFA?

The answer varies from company to company. In some cases, there are technical challenges for companies using legacy technologies. In other cases, companies have accrued technical debt—earlier programming or architectural shortcuts that now hinder agility—that prohibits MFA from becoming a priority. And in other cases, it’s simply a lack of awareness or a fear of disrupting users with unwanted change. There are a multitude of reasons why MFA isn’t adopted but none of them, in my opinion, warrant not implementing it.

What are the benefits to Workday customers from our partnership with Duo?

Workday’s partnership with Duo represents our continued commitment to providing seamless solutions to real-world problems our customers face every day. With the Duo partnership, Workday customers enjoy MFA as an out-of-the-box capability for not just native Workday authentication, but with Security Assertion Markup Language as well.

“A culture of security awareness starts at the very top of the enterprise.”

What would be at the top of your “Best Enterprise Security Practices” cheat sheet?

MFA is at the very top of my cheat sheet. Next in line would be a combination of security awareness training, IP whitelisting (trusted IP addresses), always-on virtual private networks, and step-up authentication.

Beyond MFA, are there any other critical steps companies should be taking to protect their data?

While there are a number of technology-driven preventative and detective measures an organization can put in place to protect data beyond MFA, I firmly believe that building a culture of security awareness is just as important. A culture of security awareness starts at the very top of the enterprise. If nurtured and cultivated, it will permeate throughout the organization so that every single person within the company understands that they play a key role in protecting sensitive data. This is not only one of the most critical aspects of protecting data, it is also one of the most difficult as it requires a sustained focus on formal and informal programs that have ongoing executive support.