Zuora & Workday CSOs in Conversation

By Aarthi Rayapura May 12, 2016

Leading SaaS CSOs Pritesh Parekh, VP & Chief Security Officer at Zuora and Niall Browne, VP & Chief Trust Officer at Workday talk about their favorite topics. Read on to find out what they think about security strategy, the need for DevSecOps and lots more!

Pritesh Parekh: Thank you for joining me today, Niall. I want to begin by talking about the benefits and struggles of SaaS cloud security. Let’s start with the positive. What would you say are the benefits?

Niall Browne: There are numerous benefits. I think most organizations have realized the tremendous business benefits provided by secure cloud services. One key benefit is — “the Power of One” — it’s one technology stack, one version of the software, one operations model, and one security model across the board. Its homogenous nature means that security is now — for the first time — able to focus on protecting a single platform, rather than draining critical resources to support multiple versions of the application and platform. Additionally, if there is a new industry security vulnerability discovered, then the fix only has to be rolled out once across the entire platform. Hence all customers simultaneously benefit when security improvements are made at the request of one. This cloud “Power of One“ delivery model provides tremendous economies of scale and agility. Another major benefit is the interoperability of standards based models. The technology stack for enterprise cloud providers is based largely on open industry standards,and their cloud is audited against well-known security standards such as IS0 27001, ISO 27018, SOC I, SOC II. This open, transparent model allows enterprise customers to quickly understand, review, and validate the controls in place.
And of course there’s the undeniable benefit of increased transparency. Traditional, legacy on-premise software oftentimes does not support the ability for a customer to see into what is happening to their data in real time. On the other hand, cloud is driven by open APIs. This API model enables customers to monitor changes, user activities, and potential security threats in real-time, and indeed integrate the cloud directly into their Security Operations Center (SOC) through these extensive API’s. It really gives businesses an unprecedented level of visibility, control, and transparency, which they would never have with a legacy on-premise software stack.

Pritesh Parekh: Absolutely right, the benefits from cloud applications are far superior to legacy systems.However, cloud systems also pose challenges to businesses. For instance, embedding security as part of the product lifecycle hasn’t been easy for companies. The traditional mindset around security views it as the gatekeeper and only considers it towards the end of the product lifecycle. Companies struggle with the question of how do we embed security at every stage of the lifecycle? How do we empower developers and product managers with the tools and processes they need to make the security decisions?
Another issue is overloading the security stack. Most companies have realized that security is really important and are constantly adding tools. But few pause to consider if it’s really adding value to the security program. Is it really generating the right set of security alerts?
Lastly, CSOs around the industry are finding that hiring skilled security personnel is a big challenge. Speaking of which, how much
do you think organizations should invest in security and what should be the determining criteria for investments?

Niall Browne: Organizations now realize that security is an integral part of their business, and are treating it as such. I would consider the investment from two perspectives. The first is the level of risk for the organization. If there is a security breach, what would be the monetary cost and the reputation cost to the company? That should help you begin to identify what percentage of the IT budget you should spend on security. Luckily there are many risk versus spend formulas and models available that can help you.
Secondly, I strongly believe that security is a key business differentiator and enabler. It can allow a company to win a larger market share or close a deal quicker with customers. Companies want to work with providers that they can trust. Investing in security not only helps protect your business and reduce your risk, it can also help you succeed as a business. Both of these factors should be taken into consideration when determining the appropriate security budget for your organization.

Pritesh Parekh: I’d add that they should also consider the laws around regulation and compliance in the geos they operate in. Also, many enterprise companies require their vendors to comply with a certain level of security requirements, so that’s another criteria. In some cases, these can have significant impacts on the budget. Once companies decide on the investment, they need a strategy to build a security program. Your security program vision and mission needs to be aligned with the business. Segmenting your security program into different pillars helps.
Start with the highest risk and figure out how you can protect that information. For example,a mid-size SaaS company can segment the security program in four pillars. The first pillar is your infrastructure pillar that hosts your customer information — protecting the systems and networks that runs your product or services. The second pillar is your product or services. As much as possible, embed security considerations into the product lifecycle process itself. The third pillar is corporate and personnel security — these are your internal business systems, applications, and endpoints. The final pillar is compliance — the laws, regulation, and industry requirements you need to follow.
A common framework of policy and procedures can govern all the pillars. Approach all of them in terms of progression from a base of the absolute minimum through maturity to best-in-class. You can’t achieve everything at once, so breaking it down into phases is advisable. Would you agree, Niall?

Niall Browne: Certainly. Successful security teams align security goals with the organization’s business goals. This ensures that security is supporting the business and working on the right priorities. To be successful, it’s imperative that a culture of security and shared responsibility is fostered throughout the company. This helps ensure that the entire organization is collectively working together to make the right decisions that protect the organization.

Pritesh Parekh: What would you say are the key considerations for building a security program?

Niall Browne: The most important thing is to understand the business — What is the business trying to achieve? What are the risks? How can security help? The first step is to speak to all the key business leaders and all the technology lead-ers in the first months, and understand what they’re working on, what do they perceive as the security weaknesses and threats, what are the opportunities. Their insights are critical and will help you tremendously in creating your road-map.
At the end of this exercise, you will have achieved three things. Firstly you will have met and begun building those key relationships with all the stakeholders. Secondly, you will understand the business. Lastly, you now have an invaluable list of
the risks which you can categorize into high, medium and low level risks.
Bear in mind that no company can remove all risk. As such, ruthless prioritization is needed, as well as detailed budget and
resource analysis. As you add new risks to the list, continually review the residual level of risk – is that increasing or decreasing across the board, and why?

Pritesh Parekh: That’s great advice. I’d also like to suggest proactive hunting, i.e. detecting security gaps before hackers
do. And on the other side is breach preparedness and cyber security insurance. You’ve done everything you can but there’s
a data breach — what do you do? You need to have a plan. I’d also urge companies to consider the continuous integration
of security as part of the product life cycle. I cannot stress the importance of this enough.
Niall, What are your thoughts about DevOps transforming into DevSecOps? How feasible is it for companies to make the switch?

Niall Browne: If you examine the traditional model – development writes the code, then hands it off to operations, with security having periodic checkpoints. That model never really worked effectively as there wasn’t a sense of shared responsibility, and none of the teams truly understood what the other teams did. To help counteract these problems, Dev and Ops have begun to merge over the past few years, which has proven to be hugely beneficial.
Now, we are looking at a model where shipping a codeline and shipping a technology stack has almost become the same thing across the board. Dev and Ops are working in tandem to troubleshoot and resolve issues. This results in much better quality of product and service, which benefits everyone. But in many organizations, security is still seen as a gatekeeper. If you merge Security into the DevOps cycle, it means that you’re now shipping code as well as your technology stack and security in one cohesive model.
Having development, operations, and security aligned helps build that critical culture of knowledge sharing, agility, security and shared responsibility. It’s a highly effective cohesive model and can offer tremendous benefits to an organization.

Pritesh Parekh: I completely agree with you. The security as a gatekeeper model is simply not scalable. The goal should be to empower the development and operations teams with the right tools, processes, and training so they can make security decisions. It goes with the fundamental rule of security that it really is everyone’s responsibility.
Thanks for joining me today, Niall. It was great chatting with you.

Niall Browne: Thanks for having me. Always fun to talk about security!

Check out the Zuora Academy for in-depth guides on SaaS IT and Security!