July 30, 2019
5 Security Landmines to Avoid in SaaS
By Stephen Gentry, Chief Security Officer at Workfront
The cost of the average data breach to a U.S. company is nearly $8 million.
That’s a substantial sum. It also represents a breach of trust for customers and partners, a loss of market credibility, and compromised individual privacy.
How did we get here? Prior to the 1940s, essentially all work was manual or analog. Then came the rise of mainframes, which started the digitization of technical work. That capability was then miniaturized in the 1980s to fit on every desktop, transferring digital power from the elites to the masses. In the 1990s the Web connected the digital world, and a global marketplace emerged. Social platforms in the 2000s invited us to open up our personal lives and share them with this connected world. Now mobile enables us to carry all of these innovations with us so we can access them at any time, wherever we may roam.
It’s a new world, full of benefits. And yet in digitizing our analog world, we have multiplied our concerns around security, particularly as they relate to data location, access, and privacy. With each digital advancement, new security concerns presented themselves, quickly followed by new measures to counter the threats. Cloud computing applications, which have seen record investment in recent years, only exacerbate security and privacy concerns. Companies are now wrestling with the shadow IT phenomenon, which tends to spread rapidly and can cripple security. In fact, McAfee reports that shadow IT cloud usage is at least 10x the size of known cloud usage.
Is it any wonder, then, that cybersecurity detection and prevention is a top-five use case in all digital transformation investments? With more and more of the world going to the cloud, here are some security landmines you should avoid.
Landmine 1: Inexperienced Leadership and Team
Where does the security team sit in the organization, and who leads them? These are simple yet revealing questions to ask a prospective vendor. The most effective security teams are executive-led, with direct executive sponsorship and access. Like the concept of T-shaped engineers, security is also an industry of specialists. It’s about people and culture as much as it is about technology.
Since data protection is never-ending and always evolving, you should look for an expert team that shows evidence of evolving with market demands. Hopefully you will find teams that are more like the 1992 “Dream Team” than the Bad News Bears.
Landmine 2: Lack of Transparency
Patrick Lencioni, author of The Five Dysfunctions of a Team, said “Clients don’t expect perfection from the service providers they hire, but they do expect honesty and transparency.” The modern enterprise will provide evidence of transparency in a couple of key areas. One is audit logging. Having the ability to provide documentation of recorded system events is a benchmark of transparency in enterprise software. Providing a customer security portal, now mandated in many countries for privacy purposes, allows organizations to convey transparency to individual customers and visitors.
Landmine 3: Fragile Disaster Recovery and Business Continuity Plans
We live in a volatile world. Whether natural or man-made, catastrophe strikes, and every enterprise needs robust disaster recovery and business continuity plans, because it’s not a matter of “if,” it’s a matter of “when.” Dig into the prospective vendor’s redundancy mechanisms and have them provide evidence of proven failover. If they can inspire confidence in you, then you will be able to convey confidence to your peers and customers.
Landmine 4: Lack of Global Awareness
There are many enacted, and in-the-works, data privacy and security laws, standards, and guidelines around the world. While written and enacted locally, these laws and guidelines (such as GDPR, PIPEDA, HIPAA, etc.) have global impact for every software company, no matter its physical location. Therefore, a security team must have a global perspective when it comes to data privacy and information security. Find out what the prospective vendor’s audit plan is for tracking and addressing global privacy and security legislation.
Landmine 5: Lackluster Sub-processor Management
Every organization engages sub-processors of data. How are they protecting your data? It’s an important question because the latest privacy regulations elevate the contract between a processor and a sub-processor to the same level as set out in the contract between the processor and the primary data controller. This means that contracts between processors and sub-processors must at least contain the same data protection obligations as contracts between processors and controllers.
The Sky Is Not Falling
Ginni Rometty, CEO of IBM, recently said that data is “the basis of competitive advantage, and it is transforming every profession and industry...then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.” I believe that is true.
Even so, while the threat exists, I also do not believe our customers are best served by running around like Henny Penny (Chicken Little) and declaring that the sky is falling. The sky is not falling. There are proactive measures that you can take to safeguard your customers’ data and privacy. These security landmines to avoid in working with SaaS vendors are a good beginning.