In between the many events of Cybertech Tel Aviv 2022, I was able to grab some time to chat with Sounil Yu, CISO and Head of Research at JupiterOne, and author of the recently published “Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape.” I was interested to hear his take on the effect the fast-growing supply chain of SaaS-to-SaaS third-party applications and integrations has on cybersecurity teams, and how the Cyber Defense Matrix can be used as a framework for managing the risks associated with it.
We discussed how the democratization of IT has resulted in a growing number of SaaS applications being indiscriminately adopted by business units that bring real and tangible value to businesses, but can also put organizations at risk of supply-chain attacks. Sounil wants business units – from sales and marketing to engineering teams – to continue to be able to quickly embrace best-of-breed applications that will allow them to improve business productivity and collaboration, but in a way that maintains security guardrails that don’t become an annoying bump in the wire. Unfortunately, as he also notes, security teams have traditionally used heavy-handed restriction and prohibition as security controls to ensure this growth is managed, but at the significant cost of hurting innovation rather than enabling growth and competitiveness.
During my own conversations with many security practitioners, this dissonance between the perceived role of the security team in the organization and their actual goals (hint: hindering innovation isn’t one of them) is a constant frustration of CISOs. The goal is to empower them to ensure business continuity and be a driver of innovation, alongside the ability to maintain a strong security posture.
Sounil created the Cyber Defense Matrix with the goal of mapping numerous enterprise security capabilities into a single matrix. But he found that the supply chain of SaaS-to-SaaS third-party integrations doesn’t really fit neatly into it because of the unique characteristics of this growing risk surface. As a result, he had to find a way to characterize assets owned by third parties.
The key first step that he identified was for an organization to inventory all third-party applications and then map the connections and relationships between them. Ultimately what CISOs need is to maintain complete visibility into all the different plugins, integrations and third-party apps, which he has given the playful acronym “PITA”. This enables them to better understand what data is going back and forth between applications, and then ultimately have sufficient insight to make good decisions that benefit the business and secure assets.
These decisions include determining which SaaS apps they will continue to restrict and which to allow. For those that need to be restricted due to inherent risk or disuse, it should be done in collaboration with the application owner through automated processes, procedures, and workflows that enforce security policy and ensure communication between the security team, the business unit and the end user, but without significantly adding to the burden on the security teams. And for those applications that cannot be trusted, but are business critical, security teams need to be able to quickly determine what security controls need to be applied to ensure that these applications can continue to be used in a way that adheres to the organization’s security policy. Ultimately, security teams need to know what kind of controls, mechanisms, and steps they can take to manage third-party risk without negatively impacting business continuity and innovation.
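To make the two steps above concrete (inventory and map the SaaS-to-SaaS connections, then decide per integration whether to allow, allow with controls, or restrict for risk or disuse), here is a small added example. It is not code from the article, from Sounil Yu, or from JupiterOne; the app names, OAuth-style scopes, owners, dates, the 90-day disuse threshold and the set of scopes treated as sensitive are all constructed for illustration. It models each integration as a directed edge from the app that holds a token to the app whose data it reaches, walks the graph to show which data stores are reachable through chained integrations, and groups the resulting actions by the business-unit owner who should be looped in.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Scopes treated as sensitive for this example (constructed, not from the article).
SENSITIVE_SCOPES = frozenset({"files:write", "mail:read", "contacts:read", "repo:write"})
STALE_DAYS = 90  # integrations unused for longer than this are candidates for restriction


@dataclass(frozen=True)
class Integration:
    source: str            # app that holds the token and initiates calls
    target: str            # app whose data is reached
    scopes: frozenset      # permissions granted to the source on the target
    owner: str             # business-unit owner to involve in any decision
    last_used: date        # last observed activity on this integration


# Constructed inventory of plugins/integrations/third-party apps ("PITA").
INVENTORY = [
    Integration("Slack", "Google Drive", frozenset({"files:read"}), "marketing", date(2022, 1, 20)),
    Integration("Zapier", "Salesforce", frozenset({"contacts:read"}), "sales", date(2022, 1, 25)),
    Integration("Zapier", "Gmail", frozenset({"mail:read"}), "sales", date(2021, 6, 1)),
    Integration("GitHub App X", "GitHub", frozenset({"repo:write"}), "engineering", date(2022, 1, 28)),
    Integration("Notion", "Slack", frozenset({"chat:read"}), "engineering", date(2021, 3, 15)),
]


def build_graph(inventory):
    """Map each source app to the set of target apps it has a connection into."""
    graph = defaultdict(set)
    for item in inventory:
        graph[item.source].add(item.target)
    return graph


def reachable(graph, start):
    """All apps reachable from `start` by following chained integrations.

    This is the set of data stores that a misuse of `start`'s tokens could
    ultimately touch, which is what the mapping step is meant to expose.
    """
    seen, stack = set(), [start]
    while stack:
        app = stack.pop()
        for nxt in graph.get(app, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def classify(item, today, stale_days=STALE_DAYS):
    """Decide what to do with one integration: restrict on disuse first,
    otherwise require controls when a sensitive scope is held, else allow."""
    if (today - item.last_used).days > stale_days:
        return "restrict:disuse"
    if item.scopes & SENSITIVE_SCOPES:
        return "allow-with-controls"
    return "allow"


def decisions(inventory, today):
    """(source, target) -> decision for the whole inventory."""
    return {(i.source, i.target): classify(i, today) for i in inventory}


def actions_by_owner(inventory, today):
    """Group everything that is not a plain 'allow' by the app owner, so the
    restriction or control step can be run with the business unit, not at it."""
    out = defaultdict(list)
    for item in inventory:
        decision = classify(item, today)
        if decision != "allow":
            out[item.owner].append((item.source, item.target, decision))
    return dict(out)


if __name__ == "__main__":
    today = date(2022, 2, 1)  # constructed "as of" date
    graph = build_graph(INVENTORY)
    for src in sorted(graph):
        print(f"{src} can reach: {sorted(reachable(graph, src))}")
    for owner, actions in actions_by_owner(INVENTORY, today).items():
        print(owner)
        for src, dst, decision in actions:
            print(f"  {src} -> {dst}: {decision}")
```

The ordering inside `classify` is deliberate: an integration nobody uses is removed regardless of its scopes, because an idle token is pure risk with no business value, while a live integration holding a sensitive scope is kept but flagged for controls rather than blocked outright. Swapping in real data means replacing `INVENTORY` with whatever your SaaS admin consoles or identity provider export, and tuning `SENSITIVE_SCOPES` to the scope names those platforms actually use.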
I encourage you to buy Sounil’s book on Amazon - it’s a must-read! Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape.