Assessing & Addressing SaaS Security Risks

This is a podcast episode titled "Assessing & Addressing SaaS Security Risks". The summary for this episode is: Every SaaS application in use at your organization represents a potential gateway into your organization. Learn how a SaaS management program that provides visibility into your entire SaaS portfolio helps mitigate security risks and protect your organization from potential harm.
Chapters (duration):
David introduces the session and his background (01:30 min)
The best security teams provide guardrails (01:17 min)
Striking a balance with risk and user experience (00:43 min)
Having solved the risk problem previously, and applying lessons in security at Deepwatch (03:00 min)
Communicating with peers and other departments to solve SaaS problems (02:18 min)
Kicking off the journey with Zylo (02:34 min)
Saving the business money and assigning governance (01:30 min)
Terminating business that doesn't make sense, but creating a stream of work (01:06 min)
Application owners and getting a good deal with Zylo negotiator (02:19 min)
Complete visibility and a consolidated app stack (01:47 min)
Reducing friction, and key takeaways (01:24 min)
Providing value (00:39 min)

David Stoicescu: Hello, and thank you for being with us this afternoon. I'm really excited to share with you guys the journey that I've been on over the last couple of years. Well, five or six years now with Zylo. Before we get into that, I'd like to just first introduce myself. My name is David Stoicescu. I'm CISO with Deepwatch. We mainly specialize and focus on managed detection and response. I've been in the security industry for the last 12 years or so and grew up in the IT field. That's kind of a little bit about my journey. But I want to talk to you a little bit more about that later in the talk today because I think it's going to provide some really important context. A brief outline of what we're going to be going through today. Really, I just want to talk about my journey, what it's been like, thinking about streamlining the vendor procurement process, understanding shadow IT, understanding risk, understanding where data is, and ultimately, building better relationships with my peers across the business. And hopefully, that's one of the key takeaways that I'm hoping you can walk away with today.

David Stoicescu: Like I said, my background is in IT, and that's how I got started in the technology field, wrenching on computers, doing desk side support at one point in my journey. And ultimately, started doing engineering and application support, supporting data centers, working through a lot of what I consider is the underbelly of what makes really good security, which is awesome IT teams, because without those teams, security just can't be successful. I think the best security teams do a great job of prescribing what those security guardrails should be, what great looks like and what do we need to do to protect the business. But it's ultimately the folks that are on the technology side, on the support side, on the infrastructure side, the network side that ultimately create and craft solutions to deliver on those promises and incorporate those security measures into their end product.

David Stoicescu: Now, I find myself kind of torn between these two environments, and if you're a Marvel fan, I hope you understand where I'm coming from because you kind of have to straddle a little bit of both. On one side, you want to ensure that you've got everything buttoned up and you're protecting the business. But on the other side, you want to ensure that you're creating a really good experience for your staff because a very productive staff is going to be a very happy staff that is ultimately going to provide the best experiences for your customers and that's really, really important.

David Stoicescu: My job as I see it, in a lot of ways is to keep these two worlds glued together as best I can. I would say the majority of my job is relationship building. I want to talk a little bit about the stage today, and really that is, I would say probably a year and a half ago, starting my CISO journey here at Deepwatch, roughly about a 500-employee company. One of the things that I started thinking about as soon as I came in the door was what's what? Trying to understand where all of our data is? Who all of our vendors are? What is our risk exposure? I think that was one of the things that I was trying to do. What do we have out there? And the other thing that I was trying to understand is what is our risk tolerance? What is our risk appetite? How does the executive team, how does the CEO, my boss think about risk? And the CTO, for instance. Obviously they're folks that can produce a lot of risk for the business, as do employees in a lot of different ways. But those are some of the things that were going on through my mind.

David Stoicescu: Having previously solved this problem, I started to think about, okay, how do I go about this journey again and how do I figure out what's in the hopper? What is our exposure? When I started asking questions internally, I wasn't necessarily getting all of the right answers so I needed something else to get me that visibility. I needed to understand what systems were in play. I needed to understand what vendors we had, what were the terms for the various agreements that we had in place. For instance, from a security perspective and a third-party vendor risk perspective, what did the assessments of these vendors look like? When was the last time that we assessed them? What does the policy say when it comes to assessing our third-party risk? There's a lot of questions that I had.

David Stoicescu: Another big problem or a pain point that I didn't necessarily have an answer to was shadow IT, so who is purchasing? What applications exist that have been granted access to corporate, to employee, or to customer data? More importantly, what is the security posture and what is the risk associated with the vendors that are providing us with that service? In some cases, it's high because maybe it's a startup and they don't have their security posture or compliance together. In other cases, it's really good. It's one of the big vendors providing some sort of cloud hosting services, and I'm less worried about those.

David Stoicescu: It was time for me to come back to an old friend and partner with the folks over at Zylo. Full disclosure, I've been with Zylo now for I think about six years, six and a half years. As I've previously mentioned, I've already solved this problem so I kind of knew what good looked like. I knew that because in a previous role, running security and running IT, I brought in Zylo to help me fix a problem of scale.

David Stoicescu: I knew that the company that I was at, we were going to reach a magnitude, we're going to reach a velocity where we would have problems associated with shadow IT, with not knowing necessarily where all of our data is so I started doing research and partnering with companies and founders that had a really good solution to this problem. I implemented Zylo years ago to help me scale for what I consider to be a future problem and that went really, really well. Now, I found myself in a position where I was fast-forward several years, the company had already reached that point where they've got several hundred employees and several hundred applications, but I didn't necessarily have the answer to these questions that I had.

David Stoicescu: I needed to partner internally and start to work with my peers, for instance, the CFO, the head of legal, the chief technology officer to evangelize and share with them where I was coming from, the risk associated without knowing where our data is and the potential issues from a contractual perspective and so on and so forth that really we needed to consider. That started working really well and I started getting a lot of support. Obviously from a finance perspective, added visibility, there's a lot of cost-saving potential. From a CIO perspective, simplifying access reviews, managing access, and just reducing unnecessary license and application spend. There's a lot of benefits for everybody in the room as we're looking to solve this problem.

David Stoicescu: What did that journey look like? We kicked off the Zylo implementation. As I've mentioned, I've been a previous Zylo customer so I knew what I was going to get. Now, there had been obviously quite a few improvements along the way from a product perspective, which is pretty cool. For me, it was already kind of a table stakes solution. I already knew what it needed to look like and none of the competitors in the market space really offered anything that came close to what I had come to love, the platform and the team.

David Stoicescu: We needed to solve a few problems, we needed visibility into what existed and who had access to it, we needed to solve the shadow IT problem and ensure that we knew what apps were in play and by who. That's kind of a last line of defense. We needed to create a top of funnel kind of process from a procurement perspective where we could plug Zylo in and we can understand at the beginning, from a contractual perspective, what all those pieces are and do they make sense? Are they the right thing for the business? And are we getting the absolute best deal for our organization? We wanted to reduce surprises in vendor renewals, especially those we're not happy with, so having the capability to set alerts depending on whatever the contract terms were, whether it's 60 days, 30 days, 90 days or whatever so we could have that control.

David Stoicescu: Because I will tell you, I definitely walked my early days, I walked into a few renewals that I didn't necessarily want to renew because I didn't have that visibility. We had to just go and renew that contract even though we knew we weren't happy and we wanted to go with somebody else. That was very unfortunate. Then from a security perspective, one of the last problems that I wanted to solve was having visibility into single sign-on enforcement really for any of the applications possible. For some applications, just looking and seeing that maybe you've got the wrong SKU or you don't have the additional piece that you need to enable the single sign-on capability or SCIM from a user provisioning and deprovisioning capability or setting attributes, so those components were very important from a requirements perspective.

David Stoicescu: How did all of this come together? The implementation just took a couple of weeks, so that was really good. We did discover a lot more applications than we had predicted, and I think that there were a lot of ankle-biter applications, a lot of one-off, just for a couple of employees. It just didn't make a lot of sense. We did spend a lot of money on them and we had opportunity to reduce those things into either a larger application and even for some of those larger applications, maybe we had two or three or four project management applications run by different teams, which didn't make a lot of sense.

David Stoicescu: Having that support early on from the CIO and the CTO and the CFO was great because now I can come to the table and say, "Listen, we've started this journey. We found all of these redundancies and we have some opportunity to consolidate and save the business money and maybe even provide a better experience for our employees." We started to assign application owners, so that was really big. It was kind of a change or shift in culture when it comes to how we think about managing applications. We put those pieces together. We did get all the contracts in one place and we gave visibility to a lot more people, those application owners that previously didn't have visibility into all of those contracts. We set up custom alerts for renewals, which was very important. As I've mentioned, we took the opportunity to terminate some relationships that just didn't make sense for our business.

David Stoicescu: Now, one of the unintended consequences I think on the IT side, at least as those folks saw it, is we did create a new stream of work for them and it just sparked, I think, some healthy kind of cross- team conversations. Do we have the right entitlements to some of these products and services, especially some of the bigger ticket items that have a high price tag. Ultimately, it was good conversation because we were able to save quite a bit of money for the organization and I can give them too a little bit more of that later in the conversation. The consolidation was a good effort. We downsized quite a bit, saved quite a bit of money, and we also were able to plug in Zylo at the top of the funnel from a procurement perspective, which was really great.

David Stoicescu: Now, what we ended up with was kind of a next question. I alluded to this a little bit earlier, was how do we ensure we're getting a good deal so we know where everything is, we know now who the application owner is. We've plugged in Zylo to the top of the funnel when it comes to acquiring from a procurement perspective, but how do we ensure that we're actually getting a good deal? Because there's a lot of buyers in what we had going, what we had was every application owner is essentially buying stuff. We've got 15, 20 people acquiring software across the organization. Not everyone's going to be the best at getting an awesome deal. Now, I do like to think of myself as a true negotiator and that I am, but not everyone is in that same boat. We needed to figure out a way to bring all of that to a point and define a single resource or function that folks can go through to ensure that they're getting the absolute best product for the business and everyone is aligned on that need and that ask, and then of course, that we're getting the absolute best terms for us and what we're trying to do. We did have a lot of poorly-negotiated terms. We need to consolidate and reduce some of that burn, and I think with the timing and a lot of what's going on with the economic situation out there in the world today, everything kind of worked out in such a way that we're able to create a new function for the business that made sense from a procurement perspective.

David Stoicescu: Enter Zylo negotiator, which was really great, and we were able to actually reduce quite a bit of unnecessary burns. It was a huge, huge opportunity for us and we've been very excited about that. One-stop shop is what we've created to manage all of our contracts, our apps, any kind of acquisition and renewal now fully integrated into the procurement workflow also from a negotiation perspective. The folks over at Zylo have just kind of become an integral part of the team and that's been a fantastic journey.

David Stoicescu: What does that look like? What does that journey look like? We identified the problem. We talked about that unmanaged spend. We're really not knowing the unknown. Probably the most scary thing for a CISO, it's the things that you don't know they're going to get you. How to create partnerships across the C-suite, CFO, CIO, CTO and so on. Very important. Evangelize a problem that I'm trying to solve and the value that's going to bring to the business. Partnering with Zylo. Again, a very fruitful relationship that I've been very happy with over the years so that was a no-brainer. Then, we got to work and started putting some pen to paper on solving this problem for the business. Assigning the owners, getting everything in one place and then starting to think about how we're going to consolidate things and get rid of things that are unnecessary. When you couple that with getting a better deal and leveraging the folks over at Zylo from a Zylo negotiator perspective, leveraging their vast network and database to understand what everyone else is paying for all these different services, these SKUs for different types of companies of different revenues, that was invaluable.

David Stoicescu: Where did that take us ultimately? Now, we've got complete visibility. We have a consolidated app stack. We've sunsetted over 55 applications. Saved over $500,000 in less than one year, which has been fantastic. From a security perspective, we've been able to enable single sign-on for about 12 applications. Now, the shadow IT perspective. There haven't been any surprises so that's been absolutely terrific. Now, I talked a little bit in the opening couple of minutes about friction. We've been able to reduce friction for the CFO, for the CIO, for the legal team and then of course, for me and my organization, I've been able to solve quite a few problems and that's been terrific.

David Stoicescu: What are some key takeaways? You don't know the unknown, so you really need to plug something into the procurement workflow from an IT and security perspective to understand what's coming in the door and what is your risk from a third-party vendor risk perspective. If you want to use Excel, you can, and maybe that's the right thing to do when it's just a couple of employees and you're just trying to figure things out and you're trying to keep costs low. But if you want to get to a point where you want to scale, have a consolidated view, Zylo's been absolutely tremendous. Especially once you plug Zylo into the procurement workflow and kick on the negotiator component and have that one single resource that you can rely on to ensure you're getting the best for your employees and that you're getting the best for your business. Leverage the contract management and then of course ultimately, keep track of all of your renewals. What are some of my final thoughts? I think the best outcome of the Zylo relationship from when I think about bringing first, the app and then negotiator on board from the early days has been the relationship that I've been able to build with the C-suite, and providing value across the various functions in the enterprise. And that's been absolutely terrific. With having everyone on board, it's been something that's great for the business and it's also something that's been great for me and my journey as an executive. I hope you found this useful and I hope that you can take some nuggets of wisdom away and apply them to your own journey. Thank you.
