Has the success of SaaS and cloud made organizations lazy when it comes to security?



Director of IT in Software, 1,001 - 5,000 employees
I’m concerned companies have become lazy about security by thinking their system is bulletproof because they’ve invested a significant amount of money in SaaS solutions. For example, you may give an intern more access than they probably should have because you think the system is going to safeguard you. Many are designed in a way (Salesforce included) that if somebody changes one small thing, it's not going to completely shut down. It’s a great product and we know that it's safe, but there is still a risk of exposure that shouldn’t be ignored or allowed to provide a false sense of security.
3
3 Replies
CTO in Software, 11 - 50 employees

I don't believe the responsibility for security is transitive; I can’t pass it off to my vendor. This is a partnership, whether it's Salesforce, Workday, or ServiceNow.

2
CIO in Education, 1,001 - 5,000 employees

At the end of the day, you can't transfer your responsibility for security. It has to be on you. You're still the business. It's still your data.

1
CEO in Software, 11 - 50 employees

Using the worst tools combined with the best culture, organizational training and stamina is probably better than using the best tools that let everybody believe they can sleep at night without having to worry.

1
CEO in Software, 11 - 50 employees
It has made some of us lazy, and I’ve argued with one of those people. No matter how many explanations I gave for why the responsibility still lies with you, he still said, "If I give my data to a SaaS provider, they're the ones responsible and I don't have to worry about it." My final example was: If everyone in your company uses a 24-character password strategy, how good is that security? It seems bulletproof because nobody can guess a 24-character password—except for the person looking at the one guy with his password written on a sticker that’s stuck to his monitor.

That’s the problem: Too much of our security depends on us being on point all day long. If you've done physical security, for instance, you know never to ask someone to stay at a monitor watching 1 environment for more than 1 hour at a time. That’s because the human mind can't focus on that monitor and stay open to changes on it for more than an hour.
2 Replies
CTO in Software, 11 - 50 employees

This is why the attackers always win. It comes down to lowest common denominators: PEBCAK. Long ago, I was the intern that messed something up. I didn't destroy the company, but I made a mistake. Interns make mistakes.

2
Senior Director, Defense Programs in Software, 5,001 - 10,000 employees

Yes. It’s incumbent on us all to let the intern Mikes of the world make mistakes and not destroy the company!

2
CIO in Education, 1,001 - 5,000 employees
The tools are smart and we can teach them to a certain point. Look at Armorblox for example: Until a month ago, I was telling my clients, "No, I can't do anything about spoofing." But now I can. When you deploy a tool like that, you can let your guard down and think, "I've got this smart tool out there that's looking for x." But if the human behavior is such that they're no longer looking for x and one gets through, you're dead in the water and that's all it takes. You can defend anything as much as you want, but the people trying to offend are just going to keep trying until they find success and they just exhaust you that way.
1
Senior Director, Defense Programs in Software, 5,001 - 10,000 employees
I’ve seen plenty of examples of companies not in cloud environments that are just as lazy. SaaS and cloud have made things better overall, but new challenges are abundant!
CTO in Energy and Utilities, 10,001+ employees
Complacent, perhaps.
2