In today’s interview, Derik Belair, Co-Founder and CEO of Augment Technologies, sits down with Gennady Soloviev, Chief Information Security Officer (CISO), to discuss what all of this SaaS usage and SaaS adoption means from a security and CISO perspective.
Why is understanding and controlling SaaS usage so important?
Q: Maybe you can give us a quick intro and tell us about your security background and how you got into this CISO role.
A: I see myself as a new generation of security professionals. I’ve done my studies oriented towards information security and right away I had a security analyst position at one of the biggest insurance companies in Canada. That’s how I started in information security. Then I saw the potential for creating a new consultancy offering. There was a shortage of expertise, of security talents, not just in Canada, but internationally. So I saw the potential to start consulting companies around the world and today it’s actually going pretty well.
Q: As I talk to more and more MSPs and customers, the security problem used to be addressed at a very high level by very large organizations. Now it’s very clear that for organizations of all sizes, if they’re dealing with data and customers, security is top of mind for everyone. One of the questions I get asked a lot by our MSPs is: what’s the size and the type of customers that you typically deal with as a CISO?
A: Honestly I’d say that any company has information security needs. But most of the time when customers actually need an external consultant or specific information security oriented expertise, is when they actually start being asked by their clients or they need it from a regulatory perspective. That’s when they actually start to consider some additional external consulting expertise. So I’d say that most of the time it’s because companies get to a stage where it is either a client requirement or it’s regulatory.
Certainly in this day and age if you’re dealing with customers and their private information, or even employee private information, I would say that security applies to everyone, nobody is immune to it.
At what point do you need a CISO?
Q: Maybe you can give us a bit of an idea of what the types of engagements are like, at what point does somebody say “I’m interested in bringing a CISO full-time” and what does the engagement look like between yourself and those organizations?
A: Most of the time companies start being aware of the need for some external consultancy when they’re asked, or if there’s a trust issue going in the relationship between the client and the service provider. So when a potential client is asked: What are your practices regarding information security management? Do you have any kind of documentation? Do you perform any kind of security controls, for example pen testing or security policy reviews or access control reviews? Are you able to demonstrate those things in a more formal manner? That’s when it sort of hits the potential clients or prospects saying “okay maybe we need somebody to help us establish an initial framework, to help us to document security policies, to help us to go through maybe the initial cycle of internal auditing, to help us document those security controls.”
I see the typical engagement as a three-phase approach where we document security policies, we establish an initial framework for security control implementation and we go through the initial cycle of a risk assessment and the following security controls.
Check out the full interview to find out:
- Why is understanding and controlling SaaS usage so important?
- What are the top concerns when it comes to SaaS and how to address them?
- Do these concerns affect companies of a certain size or specific verticals?
- What is the impact of Shadow IT (unapproved SaaS usage) on security?
- How do organizations “secure” SaaS?
- How could MSPs help their clients understand, control and secure their SaaS environments?