David Stoicescu: More SaaS, More Information Security Problems
Blog
02/02/2023
The proliferation of SaaS within organizations has made it harder for information security teams to keep track of where their data is going. In this episode, CISO David Stoicescu shares how he takes a risk-based approach to managing software at Deepwatch.
Do you know where your data is going? If there’s one thing that David Stoicescu believes, it’s that SaaS security begins with visibility.
“We have to have visibility into all of our applications from an asset inventory, data flow, and governance perspective. We’re really going to start to focus on whether we are following the policies and the processes that we’ve put in place… ensuring that we’re doing the right thing for the business.”
One area that often evades detection is shadow IT applications. When you don’t have a tool to find them, you don’t know where your data is going.
But the truth is, according to David, “We’re all responsible.”
By taking a risk-based approach, building trust, and maintaining a team-sport mentality, you can ensure security is woven into the fabric of your organization.
Name: David Stoicescu
What he does: Chief Information Security Officer at Deepwatch
Connect with David online: LinkedIn
“At the end of the day, you can’t apply the same level of focus to every single application and widget that exists out there. So you’ve got to take a risk-based approach. So from that lens, I’m looking at our core applications that we use to deliver our service, and I place the most emphasis on those. I make sure that we’re completely dialed in because they’re the biggest targets. It’s where most of our critical data is. Now if we had our project management application go bust, they have some sort of breach or ransomware thing. Is it the worst thing in the world? Yeah, it’s bad. There’s going to be a lot of damage control. There’s going to be a lot of, ‘Hey, was our data included in that?’ It is a very big deal. Is it going to be as big a deal as a core application such as our cloud hosting company? No. So the level of effort and emphasis we put on the application directly correlates to the level of risk that the data within that application represents to us and to our customers. That’s how we look at it.”
“Without some sort of mechanism to identify shadow IT spend, there is no way you will know where all of your data lives. It’s just not possible. So that being said, if you go through the procurement process, which is the correct way to acquire any piece of technology, there’s a process of steps that are followed and we get the security organization engaged as a part of that process. And we ask questions, ‘What is this for? What is the business purpose? What customer data will you be putting in there?’ And then we do an assessment of that organization and we do an assessment of the product itself. So that’s how we get it into our system and we catalog it and we give it a thumbs up or we give it a thumbs down, or sometimes we’ll give it a conditional thumbs up. Conditional thumbs up are actually a lot harder because if you give it a condition, that means that my team has to follow through on that condition throughout the relationship with that vendor, which is difficult to do if you don’t have some sort of automation in place.”
“We have to have visibility into all of our applications and from an asset inventory perspective, but also from a data flow perspective, from a governance perspective. We’re really going to start to focus on whether we are following the policies and the processes that we’ve put in place, whether that’s from a spend control perspective or from an automation perspective, or from the perspective of ensuring that we’re doing the right thing for the business.”
“I think that as an executive at any organization, I think even more so at smaller organizations, you can’t just put on your blinders and just say, ‘Hey, listen, this is my role. This is what I’m doing, and these are the problems that I’m going to solve.’ In my role, I focus and I spend time on issues that might be in the finance organization, in the people organization, in the COO or the CTO organization, the CMO organization or the CRO organization. As a matter of fact, at Deepwatch, I’ve touched on supporting every single executive leader. And I think that a lot of that has come from just the experience that I’ve had and the things that I’ve done. So it’s my job and it’s my duty as somebody who is responsible for the direction of the organization and setting that pace and setting that tone to look at all of it. And I think that SaaS spend touches on IT governance, security, risk, finance, and operations. So it’s really just woven into every single part of the business, and it absolutely is a team sport.”
“What’s really exciting for me is to come to [other executives] with a different set of skills and capabilities and say, ‘Hey, listen, have you thought about it like this? What if we turned it sideways and upside down, and what if we did this and what if we did that?’ And I think that’s what creates that relationship. And then now you’ve got the IT and security organization building trust with the people organization, with your CFO or with sales or with marketing. That’s the team player component. That’s also how you build trust.”
“The thing that I see most often is folks just not paying attention to SaaS at all. And I think this is a bigger problem in organizations that have been around for the past 20 years or so. They’ve been in business for a while. Maybe they had an on-prem environment and they had co-locations and data centers, and they’re on their journey to maybe hybrid cloud or moving completely to the cloud. Maybe they’re exploring SaaS applications. So that muscle just isn’t there, it just doesn’t exist. I’ve seen just a broad spectrum anywhere from not knowing what to do whatsoever and having no visibility into what’s going on to a very small number of organizations that actually have some semblance of, ‘what applications do we have and where’s our data?’”
“Part of the problem is in the question, and something that you said was, ‘Who owns it?’ I think that’s a mistake. I think that’s not the way that you should be looking at it. I think that the way we should be looking at applications and services is really from a data perspective. Forget the application, just look at the data, but then let’s replace the word own to responsible. Who is responsible? And guess what? We’re all responsible and we have various levels of responsibility for those applications or that data that lives within those applications.”
2:19 – “You’ve got to take a risk-based approach.”
9:51 – “[Security is] really just woven into every single part of the business, and it absolutely is a team sport.”
4:24 – “Without some sort of mechanism to identify shadow IT spend, there is no way you will know where all of your data lives.”
12:30 – “The thing that I see most often is folks just not paying attention to SaaS at all.”
15:41 – “We’re all responsible and we have various levels of responsibility for those applications or that data that lives within those applications.”
Check out other episodes here, Apple Podcasts, Spotify, or wherever you listen to podcasts.
ABOUT THE AUTHOR
Cory Wheeler
As Zylo’s Chief Customer Officer, Cory is responsible for helping our customers drive ROI and SaaS Management success with Zylo. He helps companies of all sizes effectively discover, optimize, and govern their SaaS through Zylo’s platform and services. Prior to founding Zylo, Cory spent 15 years in finance and procurement, managing categories and sourcing teams at Arthur Andersen, BearingPoint, and both Takeda and Astellas Pharmaceuticals. He built the procurement organization at ExactTarget, and managed the integration with the Salesforce Marketing Cloud procurement organization in 2015. He and his family reside in Indianapolis, IN, where they can be found cheering for the Purdue Boilermakers and Chicago Cubs.