5 Do’s — And 1 Big Don’t — of Better SaaS Security Compliance
By AppOmni
CISOs and security leaders have wrestled with SaaS security program and policy adoption for decades. This perennial topic resurfaced in a recent episode of the CISO Series’ Defense In Depth podcast, where AppOmni’s Chief Product Officer Harold Byun shared how CISOs can better engage with their organizations’ SaaS app owners.
Check out the top five requirements for a robust SaaS security program from this practical conversation — and one critical, and all too common, mistake to avoid.
1. Start With Learning What Your Business Peers Are Trying to Accomplish
The impulse to begin with drafting review procedures based on a type of SaaS app or risk profile typically ignores the vital context of why a business leader is interested in a new SaaS platform. While review procedures are vital, kicking things off with paperwork and procedures isn’t your best move.
Instead, initiate conversations where you’re engaged in far more listening than talking. You’ll understand why your colleagues are looking for a new SaaS app or changes to existing work processes by asking questions like:
What’s your goal?
Why is this app or project important to you?
What gap is it filling for you?
What might stop you from reaching your goal?
From here, dive into questions for profiling the threats and risks and focus on the next steps for solving their problems. Armed with this context, you’re in a far better position to help the business evolve and succeed.
2. Opt for Guard Rails Over Roadblocks
When your colleagues know what’s in bounds and out of bounds, they can innovate and solve many of their own problems without wondering (or fearing) if they’re maintaining compliance with security’s standards — a win for their teams and yours. You don’t want to be in the process of approving everything before it happens. After all, not even the most extensive review processes eliminate all risk.
Your policies should clearly illustrate the guard rails for what changes are acceptable without necessitating security or IT review. For example, does marketing operations need to add new sales leads to the CRM? They’re good to go; no IT or security team review required. Does marketing ops also want to turn off MFA because sales finds it cumbersome? That will clearly require a conversation with security.
Ensure your guard rails don’t deem a behavior outside the parameters as an automatic “no.” Find a way to get to yes, even if that yes looks a bit different than what’s been proposed by the business. Marketing ops, in all likelihood, didn’t ask to disable MFA out of a desire to weaken the organization’s SaaS security posture. They think MFA is slowing down business. Here’s where you can tactfully reframe the request to focus on the core issue: “How can we make authentication easier for field sales?”
Guard rails enable your organization to grow their SaaS apps securely.
3. Translate Risks and Processes Into Language That Resonates
Fully grasping the SaaS security implications of your business colleagues’ work and future plans is fundamental when building guard rails — and relationships. (Incidentally, building relationships must begin well before you need something from someone.) Reaching that point often means overcoming language barriers between your team and theirs. Security has to speak in terms your business peers will appreciate.
That means breaking down the SaaS security app risks or any other concerns into the context of their business goals and needs. For example:
“You’re potentially leaving X number of PII records publicly exposed, so this proposed solution of yours is completely unacceptable.”
Doesn’t have the same ring to it as …
“This approach gives hackers and our top competitors a very low bar of entry to steal our customers’ information, including their addresses and credit card numbers. Let’s see how else we can accomplish what you’re looking for without so much risk for our customer.”
If your audience responds better to direct messages, consider the communication style of a CISO who frequently worked with deployed military personnel. After sketching concerns about the technology on a scratch piece of paper, the CISO told the clients, “Look, you don’t get to go bang-bang until these issues are addressed.” It worked.
When you proactively approach and speak the language of your centers of excellence, application groups, and SaaS app owners, a true partnership is forged. And the outcomes are significantly better.
4. Devise Gaming Scenarios To Bring SaaS Security Concepts to Life
Make the risks you’ve presented into the right language more effective by using a gaming scenario. This method helps app owners and users contemplate how security incidents directly affect the business from their vantage points.
One example, admittedly a bit extreme, comes from a security team in the airline industry. They asked their operations colleagues, “What happens if malware affects air traffic control and we have a planes-down situation globally? What are you doing in that situation? And what is the impact on your business?” That got the business’s attention.
Gaming scenarios clearly show the necessity of mitigating these risks without the CISO having to say a single world. As the business soon realizes the vast number of contingencies they’d need to execute should a SaaS breach occur, they’ll opt for preventive measures in a heartbeat. This change in perspective breeds a change in behavior.
5. Create a SaaS Security Leaderboard
When leaders can easily visualize how well (or poorly) they’re achieving SaaS security compliance compared to their peers, motivation kicks in.
Leaderboards that track overall SaaS risk ratings represent some of the best tools for making SaaS security adherence stick without forceful measures. Consider them for specific campaigns as well, such as comparing how different teams fared in anti-phishing exercises. Add a call-out to your intranet or start a thread on a relevant Slack channel to highlight standout teams and individuals.
Striking the balance between competition and semi-public embarrassment can take a little tweaking. But the benefits a comparative dashboard shared with the right people is incredibly powerful.
BONUS: Keep Procurement Review Requirements Sensible for All Teams Involved
SaaS security reviews that include vendor questionnaires, SOC2 audits, and penetration tests are perfectly reasonable and normal parts of the procurement process. They weed out inappropriate solutions while putting SaaS app roll-outs on the right path to a secure go-live. But adding numerous approval stage gates (or “blockers” as the business might call them) can come across as gatekeeping. When business leaders see blockers, they worry security, IT, and finance/procurement are curbing innovation and process improvement.
Besides souring cross-functional relationships, onerous approval stage gates rarely accomplish their intended purpose. True SaaS security extends far beyond procurement stages. Risk escalates considerably after go-live when the organization, often unintentionally, changes SaaS configurations and permissions. According to Garnter, 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end-users.
Once a SaaS solution is active, most organizations have zero visibility into its everyday use and settings. Wondering “what could we have added to our procurement process to avoid this?” misses the point. Only strong relationships with the business and advanced SaaS security tooling can address these ongoing risks.
You might have noticed a recurring theme: Every recommendation takes a “carrot approach” instead of relying on the stick for SaaS security adoption and compliance. At AppOmni, we consistently and unapologetically advocate for the carrot over the stick. And we’ve built our comprehensive SSPM solution with that approach top of mind.
AppOmni continuously monitors SaaS apps and SaaS-to-SaaS connections to help you achieve SaaS security over the long haul, not just at the point of implementation. Our solution detects configuration and permission drift, along with potential threats, across identities throughout your entire SaaS estate, helping SOC teams mitigate risk and save considerable time in incident response.
See how AppOmni’s advanced SaaS security tooling can help your team achieve security adherence. Schedule a demo today.
