We caught up with PayFit Espana's Vice President of IT and Security, James Moos, to understand the latest threats to data security.
Vice President of IT and Security at PayFit Espana, James Moos, has been working in the area of SaaS-based security for many years.
Having previously worked at TravelPerk and Hotjar, James' wealth of knowledge when it comes to sensitive data cannot be understated.
We caught up with him to get his views on the latest threats to data security, and how businesses can ensure they're best protected against them.
Over to James...
There are a variety of different ways to do this depending on your role and specialism, but I’ll answer this broadly.
Your security awareness program can be a great tool to break down barriers between the security team and the wider business. It is most certainly an investment (which not all security teams will have the capacity to do, unfortunately), but providing live training - face-to-face or online - in smaller groups allows us to get to know individuals across the company. By delivering content that is genuinely interesting and engaging in a fun way, other teams realise that the security team is there to work alongside others and be an enabler rather than a blocker.
Our attitude and response when partnering with other teams and departments also play a crucial role. It may seem obvious, but as much as possible our mindset should be ‘how can I make this business objective possible in a reasonably secure way’ instead of ‘this is not possible and we can’t allow it’. Actions speak louder than words, and so if we find ways to truly enable our partners to move forward while being practical about managing risk vs reward, our colleagues in other teams will appreciate this and tend to be more proactive in engaging (rather than avoiding) the security team in the future.
We also need to consciously use the business language and talk at that level when engaging with stakeholders. Unfortunately, security is still quite a young discipline in the business world compared to other departments such as Sales, Marketing, Finance, etc. We need to be able to show the impact of what we are doing (or risks we face) in business terms - whether that’s financial impact or influencing current business objectives in a positive (projects) or negative (risk) way. This discussion shouldn’t be limited to senior stakeholders either - it’s also a great idea to be vocal internally to the whole company about the great things your team is achieving for the good of the business.
For those in a leadership position, expectation management with your leadership team is particularly important. I’ve previously used the following golden rules to help align with the C-Suite when taking up a new security leadership post.
With all that said, this is all easier said than done. Security professionals have a tough job with limited resources, a very wide remit, and do sometimes need to say ‘no’ which makes it challenging to also be seen as a partner and enabler.
I think many businesses that take a modern, cloud-based approach to their tech stack will be focused on the same challenges regardless of any specificity about the types of data being stored/processed. These are three pillars that come from a ‘Zero Trust’ approach:
It’s difficult to pinpoint just three areas since, as any security professional reading this will know, our remit is so broad and complex. Other considerations that are key and very much linked to the above points are:
The most relevant thing that comes to mind is the current situation across the globe - with many conflicts ongoing, this brings with it additional challenges:
These may particularly be front of mind for some security teams right now, while others will be unaffected. Aside from this, the challenges we face here in Europe will largely be the same as our counterparts in other parts of the world.
It can vary hugely, but there are certainly vendors that may not provide what most of us would consider ‘basic security controls’ by default. Single Sign-On (SSO), 2FA and data encryption are some of the features that I’ve seen as paid extras, which I, like many other security professionals, find disappointing given how fundamental these are to providing even a basic level of security.
We also have to be very careful when adopting younger innovative SaaS tools. They can be extremely valuable from a business perspective, but come with greater risk. These SaaS apps tend to have a lack of maturity in the secure development and maintenance of their software, as well as features (ranging anywhere from 2FA to security logs with an API to integrate with).
This is truly a challenge, and unsurprisingly there is no single solution here. A number of things can help security professionals in this, although the odds do seem to be stacked against us:
Of course, thinking outside the box, we also need to have really careful control of what matters (sensitive data of any kind) so that it cannot be migrated into tools that have not been approved in the first place. This can be through measures that include data loss prevention, secure browsers, internet filtering, sensitive data scanners and many other technologies.