Improving the Information Security Posture of Early Stage Companies with Trend Analysis
In The Democratization of IT, I outlined how SaaS reduces barriers for early stage companies to utilize powerful applications. As accessibility to cloud-based applications increased, new vulnerabilities to businesses were introduced. Examination of the migration to SaaS reveals a fundamental principle which is the source of many current exploits — the decentralization of data management and increased accessibility of cloud applications circumvents control. Without exercising control over application or data usage, early stage companies remain particularly vulnerable.
Initially, companies acknowledged the increased risk through the addition of the Chief Information Security Officer (CISO) position. The role was designed in the mid-90’s to develop and lead a comprehensive information security strategy; its scope is to safeguard company data and operational continuity. An IS team will employ preventative, deterrent, and detective measures to reduce the risk of modern security threats such as ransomware, DDoS, and web/social defacement.
This team was popularized during the early adoption of SaaS in the 00’s but entered a state of flux shortly thereafter. Owing to the nascency of cloud-first environments, material threats to business had yet to materialize and were few in number. It was also discovered that the cost to identify, neutralize, log, and respond to digital threats was significant, resulting in an unjustifiable ROI at early stage companies.
For 10 years, early stage companies were built without digital defenses: their focus on growth and development came at the expense of security, and their resources to neutralize threats are few. These businesses are now the preferred target of malicious actors.
In order to improve the information security posture of early stage companies, this article examines four key trends taking hold in IS after the migration to SaaS.
A Window into Environmental Control
In the late 90’s and early 00’s, IT services and client desktops were housed on-site in an office, requiring an employee to be physically present and logged into a company desktop to access data. By inherently limiting accessibility, this approach’s linchpin was securing the environment. Logical controls to manage the ‘who’ (and to some extent, when) took the form of personal credentials and access control lists. Still in use today, the premise of username/password has evolved into Identity Management and includes additional verification measures, but a comprehensive solution to access control remains elusive.
Centralizing data storage on-premise provided:
- Centralized access control and data management,
- Predictable equipment lifecycle,
- Small attack surface,
- Homogenous tools and file formats,
- Direct visibility into data metrics and trends.
While the cons were:
- Single point of failure,
- Access bottlenecks,
- In-house uptime and accessibility responsibilities,
- File locks while open/edit,
- Long restore times, and,
- High upfront costs.
As the use of laptops, wireless networks, and cloud storage normalized in the 00’s, data storage locations multiplied as client devices could now cache and download data to be taken off-premise. Simultaneously, new SaaS applications offered cloud storage for company data, permitting remote access and encouraging data mobility. In quick fashion, a secure environment no longer sufficed to protect information as data mobility eroded the security benefits of the centralized management model.
With cloud storage, there were several immediate infrastructure and functionality benefits, which included:
- Simultaneous editing of documents,
- Increased data reachability from both time and space,
- Software and file format interoperability,
- Offline data access, and,
- Decentralized access control.
While simultaneously introducing new vulnerabilities such as:
- Unclear ownership and privacy of data,
- Distributed data management responsibilities,
- Use of personal devices,
- Access control management,
- Plugins and third party access to data, and,
- Logging and auditing capabilities.
The breakdown of other previously limiting factors such as the cost of data storage, expertise to manage, and storage capacity accelerated the change just as similar trends in consumer devices socialized it. As a result, data security was more often an afterthought for early stage companies taking advantage of the powerful tools now accessible to them. This mindset persists today, underpinning the hyper growth model.
There was little doubt that cloud-based applications had immense potential, but were practically unproven and conceptually foreign due to their novelty. Business units that stood to benefit from data mobility embraced and advocated for the new technology while technical leadership took a conservative approach. Working in favor of adoption, however, was organizational structure, which classified IT as an operational department reporting up through the Chief Operating Officer. Non-technical leadership understood the benefits but, more likely than not, lacked an accurate forecast of the technical risk involved.
In the name of productivity, early stage companies’ appetite grew to favor accessibility over security.
With Increased Accessibility Comes Proliferation
SaaS platforms contributed to data becoming mobile, but offered little to prevent data duplication or limit data creation. While physical copies of information took time to produce and were onerous to recreate, capturing it in digital form had become much easier via breakthroughs in natural language processing, scanners, image recognition, dictation, and even typing skill improvement.
Naturally, the volume of data exploded, and this occurred so quickly that digital files retained the time-value held by physical copies. Our relationship with information in its physical form (printouts, handouts, faxes) was informing the value we assigned to the digital equivalent.
A natural human reaction to control and manage it all ensued. As a containment measure, larger companies hired Knowledge Managers to perpetuate data management systems, whereas early stage companies were less inclined to institute throttles that might otherwise negate gains in productivity. Furthermore, a formal matrixed approach to data management was too onerous to be implemented by companies that lived and died overnight.
Lacking tools and a strategy, this approach became untenable. But even as data slipped through digital nets, businesses continued to operate just fine. This realization allowed companies to relinquish the need for full control and the perception of what made data valuable then changed. Emphasis would no longer be placed on storing all of the data in the hopes of getting the right data at the right time. Instead, we began extrapolating patterns and insights from data in order to make better decisions and identify trends. The practice reflected the temporary usefulness of static information and what emerged was acceptance that data could expire.
Data Analytics emerged as a function to refine raw data into actionable insights which has evolved into predictive analysis via correlation and pattern-matching. The essence of the information could be preserved when it was used to inform dynamic algorithms.
Productivity gains from increased data mobility and proliferation led to fewer calls for data protection or for restricting unimpeded access. Soon, individual teams assumed ownership of their own suite of data and tools. Information Security or IT provided company standards to assist each department while maintaining influence over a shared, core suite of applications.
The results of this practice should not come as a surprise — breach, ransom, and outright data loss is forcing many early stage companies to reconsider their approach to tooling and data management.
There’s an App For That
To the cloud, data did not go alone — email, voice, and other IT services emigrated, too. The company IT room that once housed all of the technical infrastructure was now very empty and served the same purpose as a public library’s — to provide internet access.
Initially, the office network had functioned as a gatekeeper to provide access to services and the internet for research and outside collaboration. In order to capitalize on productivity advantages, its new role led to a fundamental change from protect and restrict to one of enablement.
The prevailing mentality of deny-by-default was replaced with allow-by-default.
When the question became, “how fast can you make this happen”, IT re-prioritized speed over security and stormed its own castle by filling in the moat around data. Gains in productivity often come at the expense of security and ‘allow-by-default’ is a dangerous security posture for organizations. It is the equivalent of an office building without alarms, cameras, and locks — the first person curious enough to try the door will get in.
It is worth noting that the digital equivalent of locks, alarms, and cameras carries an exorbitant cost with an unknown or a weakly correlative ROI. And, as a principle, security and ease sit on opposing sides of the corporate seesaw. Since productivity is in right now, it is no wonder that digital defenses are lacking.
Cloud applications were also decentralizing access, as anyone with an email account became capable of registering a new application. When managed appropriately, access for all is primarily a cost concern, but misconfiguration and lack of planning also lead to ballooning costs. In a return to form, domain management has recently become available to restrict sign-ups for some services. IT administrators can claim a domain and ensure that access is granted through appropriate channels.
At the core of application access is the concept of identity. Identity Management has kept pace with SaaS sprawl and IS will be concerned with:
- Account Creation/Suspension
- Grant/Revoke Access
- Conditional Access (Location/Time/Heuristic)
- Log Actions
- Third Party Access
- SaaS Classification
Concepts such as CASB, SSPM, SASE, and CSPM all promise protection if you centralize access through a common network point (i.e. an office network or VPN). A more appropriate tool for startups, though, is client-side control and protection through Lookout, Bitglass, or a similar endpoint program. These are technical controls; no tool provides staff training or security roadmaps, executive guidance or managerial oversight. Early stage companies will suffer ballooning SaaS cost, siloed information, and third party access vulnerabilities until IT/IS are established as gateways to application access.
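The identity concerns listed above (account suspension, grant/revoke, conditional access by location and time, logging every action, and tracking third party identities) can be expressed as a small deny-by-default policy evaluator, which also makes the earlier contrast between deny-by-default and allow-by-default concrete. The following is an added example written for this article, not code from the original post or from any vendor named in it; the `Directory`, `Grant` and `Request` names, the data fields, and all accounts, grants and requests are constructed assumptions for the illustration.

```python
"""Deny-by-default access decisions with conditional access and an audit log.

Added example, not code from the article. Every account, grant and request
below is constructed sample data; the class and field names are assumptions
made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Account:
    user: str
    active: bool = True          # suspension flips this to False
    third_party: bool = False    # vendor or contractor identity, tracked separately


@dataclass
class Grant:
    user: str
    app: str
    countries: frozenset         # conditional access: permitted locations
    start: time = time(0, 0)     # conditional access: permitted window (UTC),
    end: time = time(23, 59)     # assumed not to cross midnight


@dataclass
class Request:
    user: str
    app: str
    country: str
    at: datetime


@dataclass
class Directory:
    accounts: dict               # user -> Account
    grants: list                 # explicit (user, app) grants
    audit: list = field(default_factory=list)   # every decision is logged here

    def suspend(self, user):
        self.accounts[user].active = False

    def revoke(self, user, app):
        self.grants = [g for g in self.grants
                       if not (g.user == user and g.app == app)]

    def decide(self, req, default_allow=False):
        """Return (allowed, reason) and record the decision.

        default_allow=False is deny-by-default: a request with no explicit
        grant fails. default_allow=True reproduces allow-by-default, where
        anything without a rule passes (the unlocked office building).
        """
        acct = self.accounts.get(req.user)
        if acct is None:
            return self._log(req, False, "unknown account")
        if not acct.active:
            return self._log(req, False, "account suspended")
        grant = next((g for g in self.grants
                      if g.user == req.user and g.app == req.app), None)
        if grant is None:
            return self._log(req, default_allow,
                             "no explicit grant; default policy applied")
        if req.country not in grant.countries:
            return self._log(req, False, f"location {req.country} not permitted")
        if not grant.start <= req.at.time() <= grant.end:
            return self._log(req, False, "outside permitted hours")
        return self._log(req, True, "explicit grant matched")

    def _log(self, req, allowed, reason):
        acct = self.accounts.get(req.user)
        self.audit.append({
            "user": req.user, "app": req.app, "country": req.country,
            "at": req.at.isoformat(), "allowed": allowed, "reason": reason,
            "third_party": acct.third_party if acct else None,
        })
        return allowed, reason


def third_party_access(directory):
    """List (user, app) pairs where a non-employee identity holds a grant."""
    return [(g.user, g.app) for g in directory.grants
            if directory.accounts.get(g.user) is not None
            and directory.accounts[g.user].third_party]


def sample_directory():
    """Constructed sample data for the demonstration (not real accounts)."""
    return Directory(
        accounts={
            "alice": Account("alice"),
            "bob": Account("bob"),
            "vendor-bot": Account("vendor-bot", third_party=True),
        },
        grants=[
            Grant("alice", "crm", frozenset({"US", "CA"}), time(7, 0), time(19, 0)),
            Grant("bob", "crm", frozenset({"US"})),
            Grant("vendor-bot", "ticketing", frozenset({"US"})),
        ],
    )


if __name__ == "__main__":
    d = sample_directory()
    at = datetime(2024, 3, 4, 10, 0)
    print(d.decide(Request("alice", "crm", "DE", at)))                    # location denied
    print(d.decide(Request("bob", "wiki", "US", at)))                     # deny-by-default
    print(d.decide(Request("bob", "wiki", "US", at), default_allow=True))  # allow-by-default
    print(third_party_access(d))
```

The only difference between the two postures is what happens when no rule matches; the `default_allow` switch shows how an app nobody explicitly approved is reachable under allow-by-default, while the audit list gives the "log actions" record the article asks for on every decision, including the third party flag.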
Early Stage Hires to Fit the Need
In the world today, few barriers exist between your first hires and their digital whims.
The fourth factor influencing the security posture of early stage companies is the expertise available to guide the organizational development of SaaS.
While housed on-premise, servers, networks, and data storage required specialized expertise to deploy and maintain. Cloud management has created an abstraction layer between user and service, allowing anyone to deploy SaaS without an understanding of the technology. With limited resources, it is in the very early stages of a company’s evolution that SaaS development is least considered but most influential.
In a very generic sense, the first four hires for modern startups are a CTO (full stack engineer), a CMO (sales/marketing), a COO (HR/operations), and a Controller (payments/finances). This demonstrates that lifting a new company off the ground requires (mostly) general, not specialized, experience.
The initial, basic functions of IT have become generalized. Buying a domain, setting up email/productivity software, and communication platforms (Slack/Teams) can all be completed in an afternoon with no IT/IS Administrator. Information Security, in particular, is a specialized function with limited applicability within an early stage company. Without IS guiding technical decisions or IT as a central channel, it should be no surprise that SaaS proliferates, creates data silos, and maintains vulnerable default configurations.
The cloud tools your team chooses will try to spread quickly as the early discounted rate comes at the provider’s expense. While there are many ways to spread, a common method is to use the contact book of your customer and offer the service to everyone in it so they, too, can work with you. Employees are unwittingly permitting data exfiltration.
When SaaS tools have this information, they can use it to provide very useful functionality by extrapolating patterns and insights through data correlations (e.g. Spotify’s Year End Wrap Up). Many SaaS services could tell you how many employees have conversed with a competitor of yours because that competitor’s contact information is in your employees’ contact lists. When a giant in the industry takes notice of a SaaS tool and buys it (e.g. Salesforce acquiring Slack), it now has that data and insight too.
Constituting the largest slices of the IT debt pie chart for early stage companies are software silos and fragmentation, inflexible contracts, and information security gaps, largely as a result of inexperienced technical decision making and an early lack of technical direction and barriers.
Plotting the Data: Information Security Trend at Early Stage Companies
The migration from on-premise technology to SaaS was a paradigm shift exposing new risk to companies on a fundamental level. The intent of this article was to identify how the migration to SaaS produced our current state of information security, the new vulnerabilities and their associated risks, and extrapolate trends to anticipate the next shift in Information Security.
The transition from on-premise to SaaS greatly increased accessibility to digital tools by reducing up-front cost, removing specialized expertise to implement, and producing immediate deployment.
When paired with consumer trends in mobility and inexpensive resources, SaaS adoption drove data mobility and proliferation resulting in poor data protection practices such as unrestricted access and storage outside of company control. The same practices resulted in the proliferation of company SaaS applications which retained default configurations, lacked cost control, and created data silos.
The reaction drove a premature popularization of the CISO, a new executive role to address new vulnerabilities. Lacking materialization of these new threats and unfavorable ROIs, the IS function quietly left the spotlight and remains inaccessible to early stage companies which stand to benefit most from IS guidance during their foundational technological development.
Current technology trends share two similar undercurrents: reinstating control and using SaaS to fix…SaaS. However, SaaS solutions built upon these trends are making architectural assumptions that simply do not exist in early stage companies.
At their core, the approaches are designed to address a lack of visibility into cloud application usage (discover/monitor), a lack of controls to regulate usage, and the need to identify vulnerabilities (alert/log). They attempt to do this through a mixture of pattern recognition and human input.
Most recently popularized as a fix-all is zero trust, which fails to recognize the cultural role technology plays within organizations. Names like these are dead giveaways that the program was designed by security people for security people and imply oppositional positions between IT/IS and the rest of the company.
By adopting the SaaS strategy of cost distribution, IS has to become more accessible to early stage companies. It must also remove any perceived threat to productivity, as we have seen companies willingly sacrifice security in the name of productivity.
Ramping up access will require venture capital firms and investment groups to become a conduit by offering centralized IS consulting to portfolio companies. Through IT debt reduction and greater operational efficiency, this practice has the potential to be a net positive at scale.
On the other hand, ignoring the need for information security may prove to compound the problems early stage companies are facing. New threats are emerging from the proliferation of APIs, cloud development environments, remote work, and securing information in transit.
The story of a weak cybersecurity posture is now being told through public demonstrations. Damage to the brand and costly follow-up measures are available for all business leaders to see. It is my hope that business leaders soon accept IS as a cost to offset risks of doing business in the cloud, versus the antagonist to productivity.