How to Increase SaaS Security through Culture Shifts and Innovation

As a CIO of a healthcare software company, Jason James resonates more with the technology industry than the healthcare industry. While he must stay sensitive to healthcare-specific security regulations, Optima Healthcare Solutions faces challenges that many software companies face.

For example, tech-savvy employees expense SaaS subscriptions that promise to increase productivity or ROI. The consumerization of IT, coupled with BYOD (bring your own device) policies, have accelerated adoption of shadow IT within the enterprise.

Many modern companies appreciate the momentum of strategic tech adoption by business units. However, when it comes to data security, the stakes are high for healthcare companies, including healthcare tech. Innovation must be secure: Data breaches in healthcare can result in fines and jail time.

To ensure that Optima Healthcare Solutions meets high standards for data security, Jason has prioritized innovation and strengthened security culture from buyer, to user, to board member.

Build a Progressive Culture Surrounding SaaS Security

With a background in tech, Jason was well aware of the precautions a SaaS product must take. At Optima, he double-downed on processes to ensure the security of electronic health records.

Today, an auditing process vets all current software solutions. From on-premise to cloud-based software, contracts for each platform must run through Security and Compliance.

Additionally, Jason has socialized security training throughout the organization, especially at the user level. Considerations for a training program include:

• Adoption best practices to uncover and vet shadow IT.
• Recognition and reporting of security threats.
• Regular standardized and practical testing.
• Identify SaaS licensees to require application-specific training.

As cybersecurity programs advance, security leaders are prioritizing user-level training. Consequently, Jason has built a progressive culture surrounding technology one SaaS user at a time.

Additionally, from the beginning of his journey with Optima, Jason has aligned with the CEO and the board on priorities surrounding SaaS security. Through a regular audit, Jason can benchmark, track, and communicate necessary innovations across the organization to secure their technology.

Transformation and Innovation Require Visibility

CIOs and technology leaders continue to feel the pressure of constant evolution. In the past few years, the landscape has changed radically, increasing expectations of enterprise software across the board, from computing power to user experience.

For IT leaders to capture and lead innovation within their organizations, they must access full visibility into their software stack and employee experience. Otherwise, business units will take innovation into their own hands, or more accurately, into their own expense accounts.

Jason says that shadow IT happens when IT has failed the partnership. If business units can meet their business goals and transform more effectively and with lower cost, they will covertly expense SaaS subscriptions. With no SaaS discovery platform, IT may never know about the purchase.

Linked to security breaches and proliferate technical debt, shadow IT, while at times beneficial to business growth, can lead to net losses when unregulated. Therefore, Jason appreciates the partnerships he has built with his business units — these partnerships keep shadow IT at bay.

To maintain relationships with business units, Jason focuses on transparency and compromise. Areas in which transparency drives value include:

• Business priorities and goals.
• Research and adoption of SaaS platforms.
• App-specific security training for licensees.
• Identification, diagnosis, and elimination of technical debt.

Just as partnerships are supported with business units, he must prioritize relationships from his board. For Jason to align innovation efforts with his board, he builds in reporting for every stage of the SaaS lifecycle.

Capture and Report the Entire SaaS Lifecycle

Often, SaaS security conversations focus on answering the following questions:

• What are we buying?
• What data does the SaaS application hold?
• Who holds a license or has access?
• How are they using the application?
• On what devices are our systems operating?

The question of application off-boarding is left out of the holistic strategy. From users to the board, Jason has communicated that each software solution needs to live, retire, and die — no employee can continue working on a defunct solution saved to their hardware.

When an application is no longer patched by a vendor, technical debt creates software security risks. Therefore, when cloud-based subscriptions are adopted, Jason has a high level of confidence that software’s lifecycle will be better tracked and pushed to close.

Because Optima is a cloud-based solution, Jason’s belief in the heightened security of cloud-based solutions is entrenched in the business. However, at previous companies, the cloud discussions were not so effortless.

When in digitally transforming businesses, Jason recommends technology leaders lean into the application lifecycle planning and look 36 months into the future. When a plan is in place, board members will understand the need to innovate, as well as the need to offboard, to boost enterprise SaaS security and the entire organization.

Find Jason James on Twitter at @itlinchpin.