Vice President of IT and Security at PayFit Espana, James Moos, has been working in the area of SaaS-based security for many years.

Having previously worked at TravelPerk and Hotjar, James' wealth of knowledge when it comes to sensitive data cannot be understated.

We caught up with him to get his views on the latest threats to data security, and how businesses can ensure they're best protected against them.

Over to James...

‍How can security professionals bridge the gap between the security team, and the rest of the workforce? (as Security teams are often seen as ‘the bad guys’ who appear when mistakes are made)

There are a variety of different ways to do this depending on your role and specialism, but I’ll answer this broadly. 

Your security awareness program can be a great tool to break down barriers between the security team and the wider business. It is most certainly an investment (which not all security teams will have the capacity to do unfortunately), but providing live training - face-to-face or online - in smaller groups, allows us to get to know individuals across the company. By delivering content that is genuinely interesting and engaging in a fun way, other teams realise that the security team is there to work alongside others and be an enabler rather than a blocker.

Our attitude and response when partnering with other teams and departments also play a crucial role. It may seem obvious, but as much as possible our mindset should be ‘how can I make this business objective possible in a reasonably secure way’ instead of ‘this is not possible and we can’t allow it’. Actions speak louder than words, and so if we find ways to truly enable our partners to move forward while being practical about managing risk vs reward, our colleagues in other teams will appreciate this and tend to be more proactive in engaging (rather than avoiding) the security team in the future.

We also need to consciously use the business language and talk at that level when engaging with stakeholders. Unfortunately, security is still quite a young discipline in the business world compared to other departments such as Sales, Marketing, Finance, etc. We need to be able to show the impact of what we are doing (or risks we face) in business terms - whether that’s financial impact or influencing current business objectives in a positive (projects) or negative (risk) way. This discussion shouldn’t be limited to senior stakeholders either - it’s also a great idea to be vocal internally to the whole company about the great things your team is achieving for the good of the business. 

For those in a leadership position, expectation management with your leadership team is particularly important. I’ve previously used the following golden rules to help align with the C-Suite when taking up a new security leadership post.

1. We will never be 100% secure. And we don’t want to be. We need to balance risk with opportunity.
2. We will always have security incidents. We have to get it right all the time. Attackers only have to get it right once. 
3. Risks change, but never disappear. We can aim for acceptable risk levels, but they will never be zero. 
4. Security is a strategic enabler to business objectives. When used in the right way, we can bring true business value. 
5. Being a target is irrelevant; some threats don’t discriminate. We need to defend ourselves against the known and unknown. 
6. Communication is king. The earlier we are involved, the more value we can bring. 

With all that said, this is all easier said than done. Security professionals have a tough job with limited resources, a very wide remit, and do sometimes need to say ‘no’ which makes it challenging to also be seen as a partner and enabler.

You’ve spent several years now working to secure SaaS companies that handle sensitive data. What should be the three priorities right now for security teams that handle more confidential types of data?

I think many businesses that take a modern, cloud based approach to their tech stack will be focused on the same challenges regardless of any specificity about the types of data being stored/processed. These are three pillars that come from a ‘Zero Trust’ approach: 

1. The user. We need to ensure we provide the correct access to users with the right permissions to carry out their role - but no more. 
2. The data. We need to make sure that any valuable data (whether confidential data, personal data, or something similar) is suitably protected - via not only preventative measures, but also considering detection and response.
3. The application. We need to ensure the tools we use to store and process this data are securely configured to avoid accidental or malicious compromise.

It’s difficult to pinpoint just three areas since, as any security professional reading this will know, our remit is so broad and complex. Other considerations that are key and very much linked to the above points are:

• Having an asset registry (knowing what you need to protect in the first place and which are most critical)
• Centrally managing devices with a secure baseline, patch management and endpoint protection, to name a few (to avoid device compromise that can in turn, compromise your core business systems and data).
• Establishing a secure software development lifecycle (for any business who develops software, particularly SaaS vendors).
  

You’re based in Barcelona - are there any data security threats that are particularly resonant across Europe right now?

The most relevant thing that comes to mind is the current situation across the globe - with many conflicts ongoing, this brings with it additional challenges:

• The potential for cyber warfare to inadvertently disrupt our businesses even if not the intended target (think ransomware etc). 
• Increased risk of ‘hacktivism’ attacks for businesses (and their leaders) that may have direct or indirect links to states or organisations involved in these conflicts.

These may particularly be front of mind for some security teams right now, while others will be unaffected. Aside from this, the challenges we face here in Europe will largely be the same as our counterparts in other parts of the world.

In your opinion, are there limitations to built-in security measures in SaaS apps?

It can vary hugely, but there are certainly vendors that may not provide what most of us would consider ‘basic security controls’ by default. Single Sign On (SSO), 2FA and data encryption are some of the features that I’ve seen as paid extras which I, like many other security professionals, find disappointing given how fundamental these are to provide even a basic level of security. 

We also have to be very careful when adopting younger innovative SaaS tools. They can be extremely valuable from a business perspective, but come with greater risk. These SaaS apps tend to have a lack of maturity in the secure development and maintenance of their software, as well as features (ranging anywhere from 2FA to security logs with an API to integrate with). 

How can security leaders ensure employees are using approved SaaS apps, including AI tools, to prevent Shadow IT practices?

This is truly a challenge, and unsurprisingly there is no single solution here. A number of things can help security professionals in this, although the odds do seem to be stacked against us:

• Maintaining an asset register that is visible company-wide with defined primary and secondary owners.
• Having a really engaging security awareness program that makes the security team approachable. 
• Operating a procurement process with careful control to ensure it is not possible to purchase tools without following this. 
• Blocking categories of unwanted websites/software at either device or network gateway level (if you’re securing a more sensitive or strict environment). 
• Centrally managed secure browsers that offer some security controls (again, for stricter environments if appropriate). 
• Using software to scan and detect shadow IT (although this is arguably pointless if you don’t also have the means to prevent it, preferably automated). 

Of course, thinking outside the box, we also need to have really careful control of what matters (sensitive data of any kind) so that it cannot be migrated into tools that have not been approved in the first place. This can be through measures that include data loss prevention, secure browsers, internet filtering, sensitive data scanners and many other technologies.