  • September 20, 2023
  • 23 min read

Decrypt with Evervault: Damir Mehic from heyData

In this episode of Decrypt, Liz chats with Damir Mehic, Director of Engineering at heyData, a Berlin-based company that aims to make compliance easy for everyone. Damir has worked on SaaS applications, e-commerce websites, telecom solutions, and was an engineering leader for a legal technology automation company prior to joining heyData. In our conversation, Damir shares that one of the reasons he finds his work with heyData fulfilling is being able to help customers — primarily SMBs — solve their compliance problems, like becoming GDPR compliant.


A few highlights from their conversation include:

  • 09:15: How the problem with difficult problems is that once they are solved they don’t look so difficult anymore
  • 14:58: When software engineers learn and can identify which data needs to be private, they can solve data privacy issues from the start
  • 22:47: The importance of staying curious
  • 27:57: Learning platforms, books, and resources Damir recommends to developers and technologists

Listen to the full episode on YouTube or wherever you get podcasts. You can find Damir on LinkedIn.

Liz (00:28):

Hey Damir, it's great to have you on the show today.

Damir (00:31):

Thank you for having me here. It is really a pleasure to be part of this podcast and I'm really happy to be here.

Liz (00:40):

I am super curious to hear about your experiences as an engineer and at heyData. Can you tell me a little bit about your career in tech?

Damir (00:50):

Basically I started long time ago in 2008. I am coming from Serbia and my first job was there as a software engineer. My first languages were PHP and Java and I was working for a software company which built many interesting applications and SaaS applications and e-commerce websites mainly for telecommunications companies on the Balkan, but also we worked with many companies in Middle East and some European companies and all of those companies were very big telecom providers. It was quite a challenging job and after year or two I already got promoted in a team lead role and from there started managing the small teams and then teams get bigger and bigger. And after that job, after a few years, I moved to one startup in Belgrade again. And then bit after as a head of engineering, I changed my job to a Berlin based startup, but I was still working from Belgrade at that point. We were having around 30 to 35 engineers. Team was based in Serbia, but headquarters of company were here in Berlin. And that was the first job when I was having opportunity, actually, to scale multiple teams on multiple technologies.

(02:18):

There was machine learning part, there was Android, iOS part and also web development. We were building the application for insurance management. It was business to customer application and markets were Germany, Switzerland and Austria, and we were planning to expand to US. And after that job, I moved to Berlin. It was five and a half years ago. My first job here was in legal tech and then around year and a half ago I moved as a director of engineering to heyData where I'm now and where we are building compliance solution for our customers with the accent on GDPR at the moment. But our plan is really to cover other compliances like IT security, whistle-blowing and many other laws.

Liz (03:24):

That's great.

Damir (03:25):

A short overview.

Liz (03:29):

It's really interesting that you've lived in so many different places and worked on various different types of technology applications. What made you decide to go from the legal startup over to heyData?

Damir (03:45):

Main thing was that heyData is trying to resolve one really important problem for their clients, and this was so rooted in the fact that there is a help that we provide and I was, during interviewing process, have opportunity to see and hear some feedback of the customers actually, a part of talking to the owners when they try to convince me that I should join. And this was really fulfilling experience because there are people who really struggle to follow the compliance and they need help and they are super happy afterwards. And a part of working in tech, this was really nice experience that you are close with the customers, you can really see that what you do on the daily basis, improve their life and their daily work. And this was really nice and this is now really nice, but was something that I could experience during this interviewing process with the team here. And then I was like, "Okay, I see myself there. I see this as really motivating thing to do and this is the main reason why I decided to join."

Liz (05:04):

That makes a lot of sense. I feel like there is a lot of those tight feedback loops. It can feel very fulfilling to know, "Okay, something's not working," you go back and you do a fix and then it is and it's nice to be close to the customer, like you were saying.

Damir (05:21):

Yeah, exactly. And also the customers, who you see from our customer support team, that they are struggling to resolve some problems and we are able then to resolve these problems for them with really software and technology and this is really super fulfilling, actually.

Liz (05:43):

Absolutely. So your focus on compliance, and I'm curious, how does security and privacy fit in with compliance from a technical perspective?

Damir (05:59):

In general, both are really important, security and privacy, and we are trying to make this really automated process for our customers and this is where you have to understand both. And then compliance, from my perspective there, comes as something that you need to follow, but on the other side it's really customer oriented because every one of our clients this way or another, save or process the customer data. And then from security perspective, it's really important that the customer data is saved from some potential external intruders. But from data privacy perspective, this is also important, but also you have to make sure how you distribute the customer data across your technology stack across your company overall, what you do with your personal laptops, what you do in your working environment, there are differences if you are working from home or differences if you are working from the office, which equipment you are using.

(07:17):

And from technology perspective, it is a really challenging field, because compliance itself and law itself has so many details that it's really, really, and you probably know from experience in Evervault and problems that you are trying to resolve, it is really hard to catch everything. And this is where technology comes into play and then where you are able to analyze and scan infrastructure of your clients and try to actually help them there, let's say, on the battlefield, so they can notice all the small things and then fix them in real time. And I think this is where technology really plays to their strengths because it would be really hard and long process for people to manually go to every tool, every service, almost every line of code or log and check like, "Oh, what's going on here?" So I think that summarize the topic.

Liz (08:28):

Yeah, you brought up some great points because it is really nice now that there are so many tools for code scanning and like you said, just finding those things that not everybody is going to be able to catch. Because it's just an impossible task to do that, especially if we look at architectures now where you've got things running in all different places, you've got this service here and that service there and it's just really a difficult thing to try and make sure that you've got that coverage there. I'm curious whether it's security related or just something else, something engineering related, what's the hardest problem that you've ever had to solve?

Damir (09:15):

That's a really good question. The problem with hard problems, when they are solved, actually they don’t look hard anymore. Recently we were having some really interesting situations due to some setup on our system. We were trying to deploy our system which is distributed one with zero downtime deployment and even though everything should work out of the box because we are using AWS ECS and there is a rolling update of the services, it should really be something that is, let's say, included in the package and we shouldn't care about it. But this wasn't working as expected and it give us really a headache for a couple of days where we went left and right and read into the documentation of different tooling in this that we are using and it involves nginx, it involves Docker documentation and then at the end AWS ECS documentation, just to discover that setup itself because we weren't really following the AWS recommendations fully for many other reasons because overall architecture in this way would be better.

(10:44):

The nginx couldn't resolve IP address, actually, of the service when it comes up and digging deeper into the problem, it was also connected to Docker compose that we were using to make things much slimmer and much better experience for our developers to be able to deploy constantly, multiple times per day. And not to expand too much into the details, because you need separate podcasts, the solution at the end was really going deep into investigating the logs, testing this and analyzing what's happening and tweaking the nginx configuration in that way that actually it resolves the IP address of the service on every request and then cache this resolution only for short period of time, so that way that when we spin up new services, it immediately, basically, discover new instance of the service or we restart old services or just deploy a new version with a rolling update. Fortunately everything started working much, much better and downtime was out of the scope and everything worked as it should.

(12:17):

So was hard problem to resolve, at the end was really satisfying seeing this working as we expected at the beginning and as we intended to build it and it improved obviously, much more development experience and whole company collaboration and deployment process.

Liz (12:44):

I think that getting to the heart of what the problem is, as you were mentioning, when you're in the middle of it, it's so challenging but then when you go back and you look at it, like you said, you're like, "Oh well that didn't seem so bad." It's like you have selective memory loss or something from when you were in the weeds on it to then when you look back at the finished product. I also want to ask you a little bit more about the compliance and data protection side of things. Now that you work in this space and you're very familiar with it as an engineer, what's something that you wish more engineers knew about it?

Damir (13:28):

I have to be honest and say that before joining, heyData, my knowledge about the data protection, especially, was relatively low. In previous company, as we were working in the legal field, we really have a lot of processes implemented there, which are part of GDPR law basically. But really, this deep understanding of the problems and topics in GDPR was completely missing for me. And I'm more connected this to the requirements of our customers or requirements of users of our software than to the GDPR itself or data protection as a topic. In this field, general education is really important. This is why we put the accent also on our platform to the GDPR training and IT security training, because if developers have general knowledge, then from the beginning they can implement things which are relatively easy to implement in order to prevent some data exposure, they can hide the data of the customers in the logs, they can do pseudo anonymization on time and really make this as a part of development process and a part of the software from the beginning.

(14:58):

So to precisely answer your question, would be that software engineers learn what are private data are actually, and what is considered as a private data and whatnot so they can immediately recognize this when they see it basically and can already implement the process or the scripts which prevent unintentional sharing of this data. Because I think in many cases the people are just not aware that they are actually sharing some personal data, either with the third party suppliers, or within the company, or within the partners who are the other company. They simply don't understand that this is not allowed actually and this where I think many more developers should educate themself, is understanding what data are considered private and what not.

Liz (16:04):

That's such a great point. I think the other thing that was coming out for me when you were talking about that is, one of the recommendations we make to people is, "Don't store data if you don't need it." And I was writing something about this and someone else asked, "But what if they might need it later?" And I think there's a lot of questions that come up like that. It's something that's not easy to think about. You can easily say you need to encrypt your data or anonymize your data. Don't store it if you don't need it. But I think that sitting down and taking into stock, to your point, what is private or personal data, what needs to be stored versus what doesn't need to be stored? It's not an easy task, really, at the end of the day.

Damir (16:53):

Exactly, yeah. And the one relatively common thing between developers is when we are setting up different environments or you want to set up development environment and you have production environment and now you need some kind of data to test this, to work with and to build the software, and this is relatively easy to do at the beginning and then just having something when you need to dump this data or to copy the data, and this process is done with a script which actually anonymize the data, and you still have amount of data that you need and then you can use these data but you actually don't move customer's data around on your infrastructure, on your personal laptop or whatever. It really depends on the setup that company use, but it could be relatively easy prevented, but many people are completely not aware of it.

Liz (17:57):

Absolutely. I feel like I'm asking this question from everyone just because it's such a hot topic at the moment, but obviously AI is really taking off. A lot of companies are very keen to start pivoting to it or implementing it in some way for their own businesses. I'm curious about what predictions you have when it comes to AI and when it comes to the data protection side of AI.

Damir (18:26):

It's really interesting point in time where we are now, in terms of AI, and I think similar to some previous revolutions like industry revolution from humankind history, AI, now, we are at the beginning of AI revolution and I think everything will change and many, many professions will change completely. Not only now with the ChatGPT and how we interact actually with the AI but with many other tools which are coming either on top of these big language models or other tools for video processing, image processing, creation of different kind of content, et cetera.

(19:19):

How this affects compliance, I think we will benefit from it as companies and we have to, as you say, onboard the train because otherwise we'll be left behind. AI is really interesting because, as we mentioned already in this conversation, there are so many these details which is hard to cover and then the compliance of the company depends on the specific situation for that company. And I think applying AI tools to that will be really interesting and we will have different insights or different kind of reporting and advices for our customers using AI on top of all the data that we can have about what our customers are doing, what tools they are using, about how these tools are used usually, et cetera. What I think how it could look like in the future, I think the compliance platforms will have, as a mandatory feature, some kind of AI compliance assistant, which will be really smart in terms of advising what should be done next and how you can improve your compliance based on the data that you provide as a company.

(20:54):

On top of that, it's possible bit further in the future maybe, but that we have some kind of self compliant or self-healing system where you have AI, not only recognizing what is the problem, but actually fixing this immediately. And we are not far away from actually having the AI able to see the code, to understand the code, to connect this with the infrastructure, to understand that this could cause problem on the security vulnerability or on the data privacy compliance and at the same time fix the problem and push code back and resolve the issue actually. So this is something as a prediction that I can say it's some really smart platform which will make company out of the box compliant and probably keep it compliant over the time.

Liz (22:03):

Is that what you all are working on at heyData right now? No, I'm kidding. That sounds super cool though. Something that would go in and actually identify and then fix the problem or even suggest to fix. That might be the first iteration of it would be like, "Did you mean to do this here? Here's how to fix it," or something like that. But that's very cool. I'm wondering, you've had this expansive engineering career, you've been in roles from IC to now managing and leading. What's a piece of advice that you might give somebody earlier on in their career or that you might've given yourself early on in your career?

Damir (22:47):

It's a bit hard now to say this because I think that the way how the development of individuals who want to do the software engineering and pursue this career is drastically changing in last couple of months maybe even, or maybe last year, with the emerge of some really sophisticated AI and then it's really hard to predict in 10 years what would be the interesting so you can now start learning. But some of the general advices that I recognize that I wanted to do or I could do early in my career, would be that a person has to be curious and it's much more important than being smart and how this applies on the daily work, would be that actually you have side projects, you really think about them and then work on multiple different things, maybe multiple different small projects in different programming languages and different fields of programming.

(24:09):

And it doesn't have to be something extensive, doesn't have to take a lot of time, but on the other hand has to be consistent and this consistency and discipline then really, over the time, can compound and refine someone's skills, but in the root of everything, it's being curious. But having this on mind, because people tend sometime, and I was at least like this, I deep dive into my work and especially at the beginning of career, you extend your hours and you try to resolve the problems that are presented to you at your job. And it is also nice and you can learn a lot through this, but it's still, after some time, really scoped field and you have to explore on purpose. And this would be the main advice that I would have for anyone who is let's say, entering the computer science or this industry as a software engineering or IT industry, simply be curious and have some deliberate practice apart from regular job.

Liz (25:29):

That's really good advice and I tend to believe that when you're working on something that you care about or you find interesting that it's a bigger motivator for learning because you're more invested in it. And some people are very fortunate, I think, to work on things that they are genuinely interested in at their day jobs, but that's not always the case. Or sometimes you're a student and you're learning what you're supposed to learn in your classes, but to your point, having those side projects to work on is really motivating in its own way.

Damir (26:06):

Exactly. You can have many different perspectives as well.

Liz (26:13):

I was just going to ask if you have any side projects that you've worked on in the past or currently that really stood out to you or made an impact?

Damir (26:23):

At the moment, not really. At the moment I am more focused on let's say reading books and exploring ideas through that. Also doing some courses regularly and learning some new skills. I still like to do development, so I try to, at home, deep dive into some programming language and organize projects for myself a bit. But everything is experiments and usually related to some course. I always keep several subscriptions alive in terms of courses, either video courses or textual courses. Working environment already set up there on few couple of platforms. But I don't have now. Before I always had something which is a bit like my small baby project, but these days, last couple of years, I don't have that much time anymore and then I can do something which can be up to one hour per day, let's say.

Liz (27:44):

Do you have any recommendations when it comes to the books or the courses like you mentioned?

Damir (27:57):

The platform that I'm mainly using for the courses is Educative. I found it really nice. In the last two years they are really improved and you have different paths. They adding not only software engineering content but also system architecture content and the engineering management content as well. So it's not only about writing the code and preparing for code interview. I think a couple of years ago they were only about it and how you can nail some coding challenge, but now it's much more elaborative platform and could be used also for a bit experienced people.

(28:47):

In terms of books, I can recommend only something which is, at the moment, maybe some self-improvement books. This is really interesting. I am, for some time, on these topics and exploring many books, but there is something called Limitless from Jim Kwik. It's a really interesting book. I recommend this to everyone and also it continues on the question how someone should learn new skills. It's really good that people actually invest first in refining the learning process. And this book can help there and then emerge into learning and attacking the problems. Also, can help people improve their reading habits and speed of reading. And a book that I can always recommend would be Clean Code, but it's cliche, but I really like it because in some point in time, in history, it's changed perspective, how I approach the coding challenges, how I approach the architecture of the software and it was really eye-opening thing for me. So if anyone is out there who still haven't read it, I highly recommend that they should.

Liz (30:26):

When I became a software engineer, that was the first book that my mentor recommended to me. So it made me smile when you mentioned it because it's definitely good. No matter where you are in your career, I think it's a good read, but especially for those just starting out, it's a good one.

Damir (30:40):

Yeah, it is a classical usually. But it's a really nice book.

Liz (30:47):

Well, it's been so great chatting with you. Thank you so much for sharing your perspectives on different areas. Is there anything else that you want to add before we wrap up?

Damir (31:00):

Nothing special from my side. I would like to advise everyone who are listening to the podcast and maybe they are in the software engineering field, that they should educate themself in the data privacy because it's really important. With the AI it'll become even more important. And they can do this on any platform. They can visit the heyData website. We have also the content there and it's really easy to read our magazine there and to get the grasp about some basic topics about data privacy. And then people from there can explore on their own and find why it's important and why they should care. And I think it'll become even more important in the future as it's really important that we stay aware about our data, where they are, who is using this data, in which purpose and simply to protect our privacy and maybe life in the future in terms of AI, which is emerging.

Liz (32:14):

Absolutely. I definitely encourage people to check out those resources and thank you again, Damir.

Damir (32:21):

Thank you very much.
