What security roles should SaaS providers have on their teams?

For those at software-as-a-service companies, it’s easy to forget that cloud services still aren’t standard at most companies.

According to a BetterCloud report, just 43 percent of organisations today operate primarily on cloud services. By 2020, however, BetterCloud expects that figure to hit 73 percent, and by 2022, it predicts that 86 percent of firms will default to cloud services.

Increased cloud usage obviously benefits cloud service providers. But as SaaS services increase in popularity, so do opportunities for hackers to compromise them. Data breaches in the U.S. cost companies about $225 per compromised record, with healthcare data breaches costing a whopping $380 per record. 

Hackers know that crime pays when it comes to cloud data breaches. Unfortunately, they also know that plenty of SaaS providers and their clients are wholly unprepared to prevent attacks.

SaaS firms’ security obligations

Because they offer a software service, SaaS companies own more security responsibilities than traditional software businesses or even their platform-as-a-service and infrastructure-as-a-service peers.

Unlike PaaS or IaaS providers, SaaS companies must manage access to all levels of their applications. When SaaS providers fail to meet that responsibility, client data can be compromised. 

The worst part of such breaches is that they’re typically preventable. A simple configuration error, for example, led to an Amazon Web Services breach this past June. The data of nearly 200 million U.S. voters was exposed, including names, birth dates, home addresses, phone numbers, and voter registration details. 

Data breaches do not happen in a vacuum. Each brings greater distrust to an industry in which trust is already hard to come by. Today, just 13 percent of IT decision makers say they trust public cloud services. 

For SaaS providers, keeping customers’ data secure isn’t just smart business; it’s key to the entire industry’s success. To prevent breaches and earn customers’ trust, SaaS providers need a crack data security team.

Hiring for SaaS security

Every SaaS provider, from Microsoft to niche app shops, must build a security team that either reports to the chief information security officer or emulates that structure by disseminating responsibilities.

Regardless, the following four roles are absolutely necessary for SaaS companies to come alongside customers in managing security:

SecDevOps professional

At companies using traditional on-site infrastructures, applications are protected by “moats,” including the network layer and various security applications. In the past, this was enough. But in today’s multitenant SaaS world, crowds of hackers and bots prod for weaknesses in SaaS providers’ — and, by extension, their customers’ — castle walls.

To stay a step ahead, SaaS companies typically turn to a DevOps approach, with developers writing code and reviewing and integrating it into the code base. But these teams are typically missing a critical member: a DevOps hire focused on security.

SecDevOps professionals go by many titles, perhaps most commonly information security engineer. In a nutshell, this person’s role is to unravel insecure, lazy development habits.

Just like a quality assurance tester for a new product feature, SecDevOps personnel evaluate coding practices to recognise and shore up vulnerabilities. Their tools include risk modeling, threat assessments, and penetration testing throughout the development and deployment process.

To find the right fit, give candidates a take-home test that includes the identification and explanation of insecure code. Developing this test might take time, but having candidates solve an actual code challenge for the company could counterbalance that time expenditure. To quickly spot talent, look for individuals who are familiar with Microsoft’s Security Development Lifecycle methodology or the Open Web Application Security Project’s top 10 data security vulnerabilities.

Identity manager

SaaS organisations need stronger security than organisations offering on-premise or non-SaaS deployment models. To that end, they must hawkishly manage how, when, and by whom their applications are accessed.

Don’t assume that an application is secure simply because it’s hosted by AWS. A Corvette might park in a garage full of expensive tools, but without a trained mechanic maintaining it, the car won’t last long in any environment. 

In the SaaS world, that mechanic is an identity manager, and his or her job is to manage access credentials and architect a role-based security program. It’s easy to hand permissions to any team member who asks for them, but without an identity management expert’s oversight, those permissions can quickly become security liabilities. And the longer an organisation goes without proper role management, the more difficult implementing those rules becomes.

Governance and risk manager

The job of this role is twofold: to establish a process for communicating the company’s security requirements to relevant parties, including clients, employees, and regulators, and to enforce and evolve those mechanisms, revising them as business or regulatory needs change. 

Without a documented governance process in place, SaaS companies are slow to respond to new threats and ineffective at enforcing existing policies. Conversely, a cumbersome, outdated governance policy may cut into business productivity or lead employees to ignore important security steps. 

The governance and risk manager, then, works to achieve the right balance of security and agility. By understanding the risk exposure of the company’s stakeholders and the types of data in need of protection, he can prioritise security programs without slowing the business down. 

There’s no single background that makes a great governance and risk manager. Start searching for experienced individuals on industry forums such as ISACA; ISC2; and other governance, risk, and compliance communities.

Security operations manager

Like SecDevOps hires, security operations personnel can go by many titles. Regardless, their role is to detect and prevent threats and, if a breach does occur, manage the response. 

In practice, that requires the security operations team to develop a five-part plan to identify, protect, detect, respond to, and recover from cybersecurity threats. A SaaS provider missing any one of those capabilities exposes not only its own business but also the businesses of its customers to costly breaches.

Information security professionals of all stripes, including security operations personnel, are in short supply. When choosing between candidates, look for certified information systems security professionals, but don’t discount others with experience in the trenches and the hunger to learn. 

As SaaS becomes the standard operating model for companies large and small, data threats will only deepen. Don’t wait for a breach to start searching for talent; invest in a security team now, and strengthen your SaaS operation for years to come.