Tension has long stood at the heart of the relationship between business teams and security teams. Business units want to meet corporate targets and choose the most effective software to get the job done. Security teams want to ensure data is secure and try to limit risk.
When software was all on-prem, the security team was in command; they controlled what could and could not go onto corporate servers. The path to innovative software ran through IT and security, and any software solution that was deemed high-risk was rejected.
SaaS applications blew that model out of the water. While security teams tried to maintain their grasp on the software applications being used, there were times when they were boxed out of the purchase process. Even when they were included in the purchase process, the sheer volume of SaaS applications made it difficult for a small, understaffed security team to vet them all.
Today’s business teams have firm control over the applications they want to use and, due to the nature of SaaS, these professionals have their hands on their applications’ security settings.
Software evolution to SaaS has led to the democratization of security. In a nutshell, this means that while everyone has a piece of security, far too many users lack a basic understanding of what that means, what their responsibilities entail, and the consequences of failure.
As each application is built differently and contains its own security terminology, security teams are unable to develop expertise in Salesforce, Microsoft 365, ServiceNow, Zoom, and 100 other applications. They must rely on app owners, who have the expertise within the application but rarely approach it with a security-first mindset.
For SaaS security to take hold, app owners must partner with their colleagues from the security teams. It is only through this collaboration that app owners gain an appreciation for the risk inherent in their applications, and develop the skill set to secure each application.
A Dangerous Time for Business Units to be Responsible for Security
This shift, where security teams often stand on the outside looking in, couldn’t have come at a more dangerous time. Nation-state attacks are on the rise, and sophisticated hacking tools are available for purchase on the dark web. Nearly anyone with a credit card can buy the know-how for breaking into under-secured SaaS applications, and some misconfigurations can be exploited with nothing more than a browser and the ability to use Google Search.
SaaS data is a tempting target. Personally Identifiable Information, medical data, and customer data all have significant street value. Corporate data can be used to manipulate markets, turn competitive advantages upside down, and undermine business strategies.
Building Trust and Working as a Unit
Now more than ever, security teams and business units must develop trust with one another and make the effort to secure SaaS applications while allowing the various business units to do their tasks. Compromises – both in terms of security and in terms of business processes – must be made.
Security teams must remember that not all risk is bad. Calculated risks, taken with eyes wide open to the potential consequences, allow business units to weigh risk against benefit and determine whether they should move forward with a given approach.
Meanwhile, business units have to understand they are not operating in a vacuum. The security choices they make impact their entire organization, both in terms of compliance with industry standards and in terms of the security of their data. Failures in security could lead to devastating results for the business unit and the company as a whole.
To be successful, business units and security teams must take steps to ease the tension that has built up between the two sides. They must find tools that lead to collaboration, and recognize that you can’t silo productivity and security. For long-term success, the two must work hand-in-hand. There’s no value to a business that is so secure no one can enter. Likewise, organizations that ignore all security protocols will likely find themselves untrusted by customers, partners, and regulators, with little to support ongoing operations.