December 17, 2020

Last Updated on January 15, 2024

There’s a reason why the ISO 27001 standard emphasizes that top management involvement is critical to the effectiveness of any organization’s information security program. This is especially important for SaaS companies, which need to drive security through their software development lifecycle, because a SaaS business is only as strong as its security.
On a recent episode of The Virtual CISO Podcast, host John Verry, Pivot Point Security’s CISO and Managing Partner, covered this issue with special guest Ryan Buckley, a software security expert and veteran SaaS security consultant. 

As John points out, “You don’t have to be a guru to do that, right? If you turn around and say to your team, ‘Guys, be aware of the OWASP Top 10.’ Or ‘We’d like to use the OWASP ASVS as guidance.’ Give your people these tools and frameworks and say, ‘Please follow these.’ That’s all management really needs to do to get the ship going in the right direction. And perhaps some software security training, right?”

“Exactly,” agrees Ryan. “We often talk and think in an ISO 27001 context about ‘tone at the top.’ Is the senior leadership living security?”
“We all know that senior leadership is hellbent on innovation and business development, as they should be,” Ryan adds. “But they also need to think about security because it’s such a big threat. It’s a threat reputationally. It’s a threat to the trust of their customers.” 
“They need to be involved not just as a hood ornament, but as a real influencing factor over the program when it comes to resourcing,” emphasizes Ryan. “Senior leaders need to ask their people, ‘Are you doing okay? Are you spread too thin? Are you wearing too many hats? Should we invest in more people?’”

“Smaller companies, you got to run lean, maintain profitability,” Ryan acknowledges. “But sometimes, there’s a fork in the road. You’re either going to buy the right tool, do the right thing, or you’re not… and you’re going to keep winging it. There are important decisions to be made along the way about those investments, and the leadership controlling the budgets needs to be involved in that.”

A big part of security for a growing SaaS is risk management. Here Ryan advises: “Even smaller companies need to strategize and implement a risk management program and very quickly think about senior leadership when it’s necessary to accept a risk or accept that you’re not going to fully mitigate a risk. Senior leadership needs to be informed. They need to understand what the risks are and weigh in from their perspective on whether or not it’s okay to accept a risk and live with it.”
“And you’re totally right about the training—from a budgeting point of view, but also from an evangelism point of view,” clarifies Ryan. “Most companies will have a town hall meeting or an employee meeting every so often, and it should be evangelized in those meetings that everybody needs to take general security training and/or developer security training. There are a lot of risks and threats to the company when it comes to being duped by a phishing email that results in the loss of money or reputational impact or something worse.”
“The developer education piece is huge, and ongoing education is very, very important to the health of the program,” Ryan asserts. “That stuff is not going to happen unless senior leadership is involved, because even an engineering manager in charge of a development team will get hyper focused on innovation and go months thinking functionality without thinking security.”
“And it’s the leadership that’s going to have the clarity of mind to intervene and make sure everybody’s heads are staying on straight,” stresses Ryan.  
If you work in the SaaS industry, this podcast with Ryan Buckley belongs on your “must-listen” list. 
To hear the full episode, and also wrap your earbuds around our other awesome information security podcasts, you can subscribe to The Virtual CISO Podcast here. 
If you don’t use Apple Podcasts, you can access all our episodes here.