Security pros often have a thankless job. CISOs rarely get praise when cybersecurity programs run smoothly. But as soon as a data breach occurs, it’s the security team that’s held accountable. And that’s why many security leaders prohibit or heavily limit the use of cloud-based tools and SaaS apps for fear of employees inadvertently exposing sensitive data. The end result: the security team gets a bad rap for doing their job while the rest of the business lacks access to the very tools that encourage collaboration and drive productivity.
Today, CISOs have legitimate concerns when it comes to cloud-based tools. After scanning more than 5 million Google Drive files, we discovered that 40% contained potentially sensitive data: customer PII, security credentials, and confidential company information. But security teams need more flexible options than zero-tolerance policies that restrict the use of SaaS work apps. CISOs need security products that align with the company’s overarching goals instead of establishing rigid policies that automatically pit the security team against the rest of the organization. This often makes security leaders the bad guys when they’re simply trying to protect the business.
But how do security teams even begin to protect the company’s most sensitive data when so many SaaS applications open the door to serious cybersecurity risks?
Find common ground between the security team and everyone else
Most employees are not acting with malicious intent. In the same way that security teams are not on a mission to stifle productivity and collaboration, employees outside the security team do not set out to purposely share sensitive company data with bad actors. In fact, many don’t even realize they have uploaded sensitive information. And yet credit card numbers, personally identifiable information, and login credentials are often stored in popular work management apps without the offending employee realizing what they’ve done.
It helps to remember that most colleagues are trying to achieve ambitious goals to move the business forward. They want tools that let them get their work done faster and with better results. They are not looking to expose sensitive data that puts the entire organization at risk – they just want to do their job.
For a cybersecurity program to operate successfully, it’s imperative that the security team and the business units it supports trust each other. Both sides need to realize that the best results happen when they act as allies and not adversaries. This requires having open, transparent conversations about cybersecurity initiatives and the policies in place to keep everyone safe.
Companies also need to implement security products that allow for more flexible cybersecurity policies. This doesn’t mean adopting an “anything goes” mindset and allowing employees to download work apps without proper guardrails in place. Fortunately, there are effective options available that allow for common ground between security teams and their counterparts.
Embracing the power of SaaS apps while continuing to keep the network safe
Many businesses run on the power of cloud-based apps today. Startups with limited budgets are especially prone to implementing SaaS applications with little to no oversight by their security team, often a one-person department. Studies have found that the average company uses more than 250 SaaS apps, but more than half of the apps are not owned or managed by the IT team.
Without proper oversight, an unmonitored cloud-based application can become a major cybersecurity risk. Yet cracking down on apps only hurts the company, curbing productivity and limiting progress, and saying no to all SaaS applications breeds ambivalence, distrust, and antipathy toward the security team. It’s also not realistic to expect companies to hire additional headcount to monitor the use of SaaS apps, especially since most security teams are already spread thin.
CISOs need complete visibility into their company’s network of SaaS apps so that they know who has access to the apps, what data is stored within them, and what data is being shared. They need security platforms with customization capabilities that let them set restrictions at both the account level and the individual level, and automated notifications that alert employees when they’re about to share sensitive data that’s best kept out of the company’s SaaS ecosystem. Most of all, they need security policies and platforms that foster collaborative, productive work across the business.
With the right tools in place, security leaders can keep their organization safe without becoming the bad guys who deny collaborative work environments and impede productivity.
Rich Vibert, co-founder and CEO, Metomic