Figma Uses iVerify to Protect People-First Design with People-First Security
Figma's commitment to being people-first extends beyond its collaborative design tools and into the heart of its company culture. At the center of this culture are "Figmates" – Figma's term for its employees. This people-centric approach shapes every technology decision, especially when it comes to security.
Dave Vega, Figma's Director of IT, brings 25 years of experience and a unique philosophy to his role. "What I love about Figma is that we are a people-centric company with a people-centric culture," says Vega. "This allows me to work on finding innovative tools that help people do their jobs in a way that isn't 'big brother,' but something our employees will truly enjoy."
Leading the Platform Security team, Brad Girardeau shares this vision. His team oversees corporate and infrastructure security with a deep commitment to protecting sensitive data while respecting individual privacy.
"Technology is such a big part of our lives. I enjoy creating a world where people can do things with technology and be safe."
— Brad Girardeau, Security Manager, Platform Security
Challenge
As Figma grew, its traditional approach to mobile security needed to evolve. While the company had robust security for corporate laptops, mobile devices presented a unique challenge. Figmates aren't required to use phones for work at all, but those who choose to can either use a corporate device or put a stipend toward a personal device used for work. Initially, the built-in isolation features of mobile operating systems seemed sufficient, but as the company expanded, particularly into the EU automotive industry, new requirements emerged.
The security team faced a complex balancing act: they needed better visibility and control over their BYOD environment while maintaining their commitment to employee privacy and choice. Adding to this challenge was a requirement for TISAX certification, which mandated MDM implementation.
"We hear stories about adversaries using zero days to compromise mobile phones or someone's phone gets lost or stolen with access to corporate data," Girardeau explains. "So, a lot of CISOs are asking, 'How do we remove sensitive data from those devices?'"
"We wanted a privacy-protective mode different from traditional, full-control modes of MDM. That distinction is meaningful and important to our employees."
— Brad Girardeau, Security Manager, Platform Security
Solution
The answer came in combining MDM deployment with iVerify's unique security capabilities. For Girardeau, the ability to scan for indicators of compromise, not just known threats, was crucial. iVerify's expertise in uncovering spyware and zero-day attacks made it stand out from traditional solutions.
"iVerify Mobile EDR offers MDM capabilities, but it's not just managing the device by locking and unlocking the phone. It also detects and remediates malware, spyware, and smishing."
— Dave Vega, Director of IT
The solution gave Figma's security team precise control over access management. They could now trace every device connecting to Figma's systems and reliably cut off access if a phone was lost, stolen, or compromised – all without touching personal data.
Implementation
Knowing that asking employees to install security software on personal phones could be sensitive, Figma took a thoughtful approach to implementation. A cross-functional team including legal, security, compliance, IT, communications, and people teams carefully planned the rollout.
They created a comprehensive internal mobile security hub with detailed resources explaining the why and how of the new system. Importantly, they made it clear that employees could opt out and use only company-managed laptops for accessing Figma data.
"iVerify is different from the MDM and security tools of the past... There's a very clean delineation that we could communicate to all Figmates. You can keep your photos and your home videos. We don't see it, and we don't have access."
— Dave Vega, Director of IT
The careful planning paid off. The implementation was completed in less than two weeks, with fewer than a dozen support messages for over 1,300 devices. Vega attributes this success to both the cross-functional collaboration and iVerify's clean, user-friendly design.
Results
The smooth deployment demonstrated that security and privacy aren't mutually exclusive. For IT, the detailed investigation capabilities transformed their ability to handle unusual activity. The security team gained the ability to effectively manage unmanaged devices' access to SaaS applications, while maintaining employee trust.
iVerify remains engaged with Figma's security team to develop new capabilities, including enhanced enforcement in Okta, which is now available.
"As a result of how we rolled this out, we now have huge credibility with the company."
— Dave Vega, Director of IT
Girardeau's final thought captures the essence of the project's success: "I'm proud that we now have a solution that protects privacy and that even I feel comfortable running on my phone."
ABOUT
Figma is the leading collaborative design tool for building meaningful products.
Figma is a browser-based web design tool that lets teams of users collaborate on projects to build interactive user interface prototypes. Users can modify texts, shapes, colors, and images and add functionalities such as hovering, scrolling, or animation to their interface assets.