
David Stoicescu: More SaaS, More Information Security Problems

information security

01/19/2023

The greater the number of SaaS applications you have, the more information security problems your business is exposed to. In this episode of SaaSMe Unfiltered, we sat down with David Stoicescu, Chief Information Security Officer at Deepwatch, to discuss why InfoSec is a critical business function, how to lead a high-performing team, and why full visibility is key to avoiding security mishaps. 

Episode Summary

Modern businesses have come to depend on SaaS. As a result, SaaS portfolios are often large and still growing. Today, the average organization has 323 SaaS applications, with eight new applications added every 30 days. As a general rule, the larger the organization, the larger the SaaS portfolio.

Unlike on-premises software, SaaS is often purchased by business units and individuals. This frequently leaves the organization without visibility into its full SaaS portfolio, which exposes it to considerable risk: data can end up in applications that no one has inventoried or vetted.

“If you don’t have a grasp on what these applications are, you really don’t know,” said David Stoicescu, Chief Information Security Officer at Deepwatch. “There’s a lot of unknowns. And what you don’t want to have is a day when the FBI calls you and says, ‘Hey, we found your employee or your customer information out on the web.’ And your next question is going to be, ‘Well, how did that happen?’ And then you start digging and digging, you realize, ‘Oh, wow. It was some application that we had no idea about.’”

InfoSec teams must have a seat at the SaaS management table. But they are not going it alone: mitigating the risk of unvetted SaaS is a team effort.

“Security needs a seat at the table. However, I would also like to point out and give credit to the IT organization and all of the employees and people throughout the organization that enable the security organization to do its job.”

Guest Spotlight

Name: David Stoicescu
What he does: Chief Information Security Officer at Deepwatch
Connect with David online: LinkedIn

Episode Highlights

SaaS Management is a Team Sport

“Probably the most important lesson I’ve learned is being able to work with others instead of trying to go at it alone. So really making it a team effort, bringing others along to the ride, leveraging automation as much as possible. And don’t be afraid of trying something and potentially failing. Try to fail quickly if you can help it, right? But have a safety net in place.”

IT and Information Security Teams Must be Partners

“There’s this new methodology, DevSecOps. Really, what that means is you’re baking security into the development lifecycle of your code and your infrastructure. It’s ingrained into your developers, into your leaders, and it’s something that they’re thinking about along the way. It’s not something that gets done later. Security is done as a matter of course. Now, the same thing applies to information technology. I think that more IT and security teams need to be working a lot closer together, if not in the same team or organization, so that the IT folks are almost working on behalf of security and baking security into all of the automations and processes and procedures that they engineer on a daily basis for their employees.”

The Journey Starts with the People

“I think it’s a two-way street, being able to help [employees] just as much as they help you. It’s got to be a mutual relationship. So when I have people that are passionate come work for me, and I see them grow and I continue to push them, whether it’s through training or mentorship, or maybe it’s that next certification that they want and giving them those opportunities, that’s what really excites me. It keeps them very engaged and excited. And what does that mean? We deliver a really awesome product and experience for our employees.”

A SaaS Management Program Should be Established Early On

“[SaaS sprawl] happens in all types of organizations, but it really gets out of hand in the enterprise space because you’ve got thousands and thousands of employees. The company that I was at before, I think we were no more than 30 employees at the time. And I was already starting to think in the back of my mind, ‘How do we make sure that we don’t run into that problem several years from now?’ Because it’s not that difficult to manage the mischief at a small scale when you know all the employees by name. That’s how I approached the problem. And I wanted to develop that relationship early and I wanted to build that muscle early within the organization and make sure that we had the various organizational leaders aware of the applications and the spend, and that if there was something unauthorized, whether it be marketing or sales, that they had visibility into that and they can do something about it.”

Visibility is Imperative to Mitigating Risk

“[Employees are] just trying to get their job done, acquiring applications, and then putting organizational data, unprotected data within that application. And what that does is it puts that customer information or corporate information in a system that the security team doesn’t know about and hasn’t been vetted and hasn’t actually gone through a third party vendor risk assessment process. And if you are SOC 2 or PCI or ISO 27001 or 701 compliant, those are all things that you need to do. You have to have a grasp on your information security, you have to know who all of your third parties are, and you have to understand where your customer information and employee information is going. That’s what really makes it difficult. If you don’t have a grasp on what these applications are, you really don’t know. There’s a lot of unknowns. And what you don’t want to have is a day when the FBI calls you and says, ‘Hey, we found your employee or your customer information out on the web.’ And your next question is going to be like, ‘Well, how did that happen?’ And then you start digging and digging, you realize, ‘Oh, wow. It was some application that we had no idea about.’”
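The visibility gap described above is, in practice, a reconciliation problem: compare the applications employees are actually signing in to against the inventory the security team has vetted. The script below is an added example, not code from the original post, from Deepwatch or from Zylo. It takes constructed sign-in/OAuth-consent records (the field names, the inventory, its `vetted` flag and the list of "sensitive" scope names are all assumptions; real IdP or CASB exports differ) and reports two things a practitioner would want to act on: applications that are entirely unknown to the inventory, and known applications whose vendor risk assessment has not been completed. Both are ranked by how many distinct users touch them, and sensitive OAuth scopes are surfaced so that the riskiest unknowns stand out.

```python
"""Reconcile observed SaaS usage against a sanctioned inventory.

Added example; all data below is constructed, not taken from any real export.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed inventory of applications the organization knows about.
# "vetted" records whether third-party vendor risk assessment is complete (assumed field).
SANCTIONED_INVENTORY = {
    "salesforce.com": {"owner": "sales", "vetted": True},
    "slack.com": {"owner": "it", "vetted": True},
    "notion.so": {"owner": "marketing", "vetted": False},
}

# OAuth scopes treated as able to move corporate data out of the tenant (assumed names).
SENSITIVE_SCOPES = {"files.readwrite", "contacts.read", "mail.read"}

# Constructed sign-in / OAuth-consent records, modelled loosely on what an IdP
# or CASB export contains. Field names are assumptions.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app_url": "https://login.salesforce.com/", "scopes": ["profile"]},
    {"user": "bob@example.com", "app_url": "https://app.slack.com/client", "scopes": ["profile"]},
    {"user": "carol@example.com", "app_url": "https://www.notion.so/login", "scopes": ["profile", "email"]},
    {"user": "dave@example.com", "app_url": "https://app.pdfconvert.example/upload", "scopes": ["files.readwrite"]},
    {"user": "erin@example.com", "app_url": "https://pdfconvert.example/oauth", "scopes": ["files.readwrite", "contacts.read"]},
    {"user": "erin@example.com", "app_url": "https://www.notion.so/", "scopes": ["profile"]},
]


def registrable_domain(url):
    """Collapse login.salesforce.com, app.slack.com, www.notion.so onto the vendor domain.

    Uses a naive last-two-labels heuristic (an assumption for this example); a
    production version should use the Public Suffix List so that names such as
    example.co.uk are not collapsed to co.uk.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(events, inventory):
    """Return {"unknown": {...}, "unvetted": {...}} keyed by vendor domain.

    Each entry carries the sorted list of distinct users and the sensitive
    scopes granted. "unknown" is ordered by distinct-user count, largest first,
    so the widest-spread shadow application is reviewed first.
    """
    usage = defaultdict(lambda: {"users": set(), "sensitive_scopes": set()})
    for ev in events:
        app = registrable_domain(ev["app_url"])
        usage[app]["users"].add(ev["user"])
        usage[app]["sensitive_scopes"].update(set(ev.get("scopes", [])) & SENSITIVE_SCOPES)

    report = {"unknown": {}, "unvetted": {}}
    for app, info in usage.items():
        entry = {
            "users": sorted(info["users"]),
            "sensitive_scopes": sorted(info["sensitive_scopes"]),
        }
        if app not in inventory:
            report["unknown"][app] = entry
        elif not inventory[app]["vetted"]:
            report["unvetted"][app] = entry

    report["unknown"] = dict(
        sorted(report["unknown"].items(), key=lambda kv: (-len(kv[1]["users"]), kv[0]))
    )
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, SANCTIONED_INVENTORY)
    for bucket in ("unknown", "unvetted"):
        print(f"== {bucket} ==")
        for app, entry in result[bucket].items():
            print(f"{app}: {len(entry['users'])} user(s), sensitive scopes: {entry['sensitive_scopes'] or 'none'}")
```

In this constructed data the converter service is the finding that matters: it is absent from the inventory, two users have granted it file-write and contact-read scopes, and nobody has run it through vendor risk assessment. The Notion entry is the quieter case the quote also describes: purchased by a business unit, known to exist, but not yet vetted. Feeding real IdP sign-in logs or expense-system exports into `triage` in place of `SAMPLE_EVENTS` is the obvious next step.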

Information Security Issues Lead to Reputational Damage

“When I look at it from my perspective, it’s easy to say, ‘Well, hey, I didn’t know.’ Right? But when somebody reads about it in an article, it just comes across like, ‘Hey, you just don’t run a competent program. Clearly, you don’t know what you’re doing.’ Right? That’s the first thing that people think about. So perception makes and breaks people and companies and reputation.”

Top Quotes

4:29 – “Security needs a seat at the table.”

6:07 – “Don’t be afraid of trying something and potentially failing.”

8:43 – “IT and security teams need to be working a lot closer together.”

12:01 – “The journey starts with the people.” 

17:40 – “If you don’t have a grasp on what these applications are, you really don’t know.” 

18:37 – “Perception makes and breaks people and companies and reputation.”

Check out other episodes on Apple Podcasts, Spotify, or wherever you listen to podcasts.

ABOUT THE AUTHOR


Cory Wheeler

As Zylo’s Chief Customer Officer, Cory is responsible for helping our customers drive ROI and SaaS Management success with Zylo. He helps companies of all sizes effectively discover, optimize, and govern their SaaS through Zylo’s platform and services. Prior to founding Zylo, Cory spent 15 years in finance and procurement, managing categories and sourcing teams at Arthur Andersen, BearingPoint, and both Takeda and Astellas Pharmaceuticals. He built the procurement organization at ExactTarget, and managed the integration with the Salesforce Marketing Cloud procurement organization in 2015. He and his family reside in Indianapolis, IN, where they can be found cheering for the Purdue Boilermakers and Chicago Cubs.
