At some point in your tenure as a business leader, you’ve likely been asked, “What keeps you up at night?” My answer is the same as that of any IT leader I know — data breaches, cyber attacks and other incidents that endanger the privacy and security of customers and colleagues alike.
Throughout my career, I’ve been as deeply committed to protecting organizations from risk as I am to getting a good night’s sleep. In fact, one of the reasons I was drawn to this Chief Information Officer opportunity at Miro is the company’s increasing investment in strategic security-related enhancements. For example, earlier this year we introduced an EU data residency solution to meet customers’ privacy expectations and GDPR requirements, plus we recently deepened our partnership with AWS to meet users’ flexibility and security needs.
It’s no secret that SaaS stacks have expanded significantly in recent years to meet the demands of increasingly distributed and asynchronous work. And although async work has made collaboration less stressful for more than a third (39%) of knowledge workers, it has also created circumstances that cause IT leaders’ stress levels to rise; namely, managing the proliferation of SaaS apps and the security risks that their configuration and governance have introduced.
When I think of the strategies that CIOs (myself included) should pursue to optimize the security of ever-growing SaaS stacks, they fall into three main categories: prevention, remediation and crisis management. Let’s dig a bit deeper into each category:
First things first: prevention and remediation
While it's always preferable to prevent problems before they start, preventing new issues and remediating existing security concerns share four key steps.
1. Prioritize sound business practices
We’ve all heard the old adage that it’s the journey that matters most, not the destination — but this saying misses the mark when it comes to the security of your SaaS stack. For IT leaders, defining and orienting toward a desired end state is an essential first step. By taking into account the privacy of data flows for critical business processes from the start, you can identify and implement the SaaS tools that will help you hit that target.
But tools are only part of the solution; on their own, they cannot get you to your desired end state or solve business problems. Process considerations are also priority pieces of the puzzle: following a business process optimization (BPO) methodology such as Lean Six Sigma, and including a control plan so that, once you reach your desired end state, it stays that way.
2. Perform regular audits
In the absence of a target end state and a solid data plan to reach it, SaaS tools that own the same data can proliferate, resulting in synchronization issues — not to mention significant cost and complexity for the IT department to manage. Regular audits of systems and processes can spotlight both rogue SaaS applications and instances where multiple tools own the same critical data.
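As an added illustration (not Miro's tooling, and not code from the original post), the audit described above can be run as a script over two sources you already have: the IT-approved application inventory, with the critical data domains each app is the system of record for, and the sign-in or OAuth-consent export from your identity provider. The inventory, the app names and the sign-in records below are constructed sample data; the script flags apps people are signing in to that nobody owns on paper, and data domains that more than one system claims to own. The per-app user count is there so the resulting list can be ordered by exposure rather than worked alphabetically.

```python
"""SaaS-stack audit: flag shadow apps and duplicated data ownership.

Added example, not Miro's own code. The inventory and the SSO sign-in
records are constructed sample data; in practice they would come from
your IdP's application catalogue and its sign-in/OAuth consent export.
"""
from collections import defaultdict

# Constructed: the IT-approved inventory. "systems_of_record" lists the
# critical data domains for which the app is the authoritative source.
APPROVED_APPS = {
    "Workday":    {"owner": "People Ops", "systems_of_record": {"employee_records"}},
    "Salesforce": {"owner": "Sales",      "systems_of_record": {"customer_records"}},
    "HubSpot":    {"owner": "Marketing",  "systems_of_record": {"customer_records"}},
    "Zendesk":    {"owner": "Support",    "systems_of_record": set()},
}

# Constructed: one row per (user, app) sign-in or consent grant from the
# identity provider. Airtable and Notion never went through approval.
SSO_EVENTS = [
    {"user": "a@example.com", "app": "Salesforce"},
    {"user": "b@example.com", "app": "Airtable"},
    {"user": "c@example.com", "app": "Airtable"},
    {"user": "d@example.com", "app": "Airtable"},
    {"user": "e@example.com", "app": "Notion"},
    {"user": "a@example.com", "app": "Zendesk"},
]


def find_shadow_apps(events, inventory, min_users=1):
    """Return {app: distinct user count} for apps seen in sign-in events
    but absent from the approved inventory (i.e. rogue/shadow SaaS).
    min_users lets you ignore one-off trials when the list gets long."""
    users_by_app = defaultdict(set)
    for ev in events:
        users_by_app[ev["app"]].add(ev["user"])
    return {
        app: len(users)
        for app, users in users_by_app.items()
        if app not in inventory and len(users) >= min_users
    }


def find_duplicate_ownership(inventory):
    """Return {data_domain: [apps]} for every domain that more than one
    approved app claims as its system of record."""
    owners = defaultdict(list)
    for app, meta in inventory.items():
        for domain in meta["systems_of_record"]:
            owners[domain].append(app)
    return {d: sorted(apps) for d, apps in owners.items() if len(apps) > 1}


def audit_report(events, inventory):
    """Human-readable findings, shadow apps first, ordered by user count."""
    findings = []
    shadow = find_shadow_apps(events, inventory)
    for app, n in sorted(shadow.items(), key=lambda kv: -kv[1]):
        findings.append(f"shadow app: {app} ({n} user(s)), no owner on record")
    for domain, apps in sorted(find_duplicate_ownership(inventory).items()):
        findings.append(f"duplicate system of record for {domain}: {', '.join(apps)}")
    return findings


if __name__ == "__main__":
    for line in audit_report(SSO_EVENTS, APPROVED_APPS):
        print(line)
```

On the sample data this reports Airtable (three users) and Notion (one user) as unowned apps, and customer_records as a domain that both Salesforce and HubSpot claim, which is exactly the synchronization and cost problem the paragraph above warns about.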
While audits help uncover areas for improvement, it can be hard for leaders to know how to tackle these long lists of recommendations — which fix should you tackle first? The answer varies by organization, and there’s no one-size-fits-all approach. You may choose to accept some risks if the cost and ongoing operational burden outweigh the potential consequences or if there are other, more critical remediation items to address first.
Stakeholders from cross-functional departments and various levels should be included in discussions about audit results and remediation roadmaps to mitigate misunderstandings about the consequences that can come from top-down decisions.
3. Establish clear ownership of applications and data
No matter the size of an organization, some form of centralized oversight is necessary to keep track of all the apps in use and the data they run on, and it is especially important at small companies.
As organizations grow, moving to a federated system of ownership around a central nucleus allows for a similar level of control, while enabling the business to move faster and with more agility. This hinges on a widespread understanding of and discipline around data and privacy across the organization, which leads me to my fourth suggested step.
4. Create a culture of awareness around privacy and governance
While IT may be home to a select group of experts who stay up-to-date on the latest market and regulatory trends to effectively manage data on a day-to-day basis, data protection is every employee’s responsibility.
At Miro, this education starts on Day 1 with an onboarding training that teaches new hires how to define personal data and why protecting it matters, and tests them on it. To ensure ongoing compliance with global privacy requirements and security standards, we also require Miro’s workforce to complete a Security Education, Training and Awareness (SETA) course annually.
Let’s say that your company requires similar trainings, but completion rates are low and you don’t have a way to measure compliance. This is proof that top-down policies alone are not enough to engender real change. Securing bottom-up buy-in and facilitating a true cultural shift requires a disciplined change management approach. Start by interviewing people at all levels of the organization to identify influential champions, and empower them to rally the workforce around privacy and security as a collective responsibility. You’ll undoubtedly meet a few detractors, but I suggest taking the time to understand their attitude toward privacy and governance — and then involving them in building your cultural change plan.
Before crisis prevention fails, be prepared
Even with the best prevention and remediation, crises are inevitable. Though you may not be able to predict them, there are a few steps you can take to prepare your organization for a variety of incidents:
5. Form a cross-functional crisis management team
As with the prevention and remediation strategies above, crisis management is a cross-functional responsibility. Identify data and system owners — among other experts from IT, Legal, Privacy and the executive team — who are educated on various crisis scenarios and empowered to make decisions in the event of an emergency. You may also consider whether you have a need for and resources to retain external counsel.
6. Create a crisis communication plan
Communication can make or break an organization’s response to a crisis, making this an integral part of pre-crisis planning. Consider how the crisis management team will communicate with customers, employees, and one another and be sure to plan for different scenarios and contingencies. Align on answers to questions like:
- When will the team communicate the onset of a crisis?
- Which channels will we use to reach the affected audience(s)?
- How will we facilitate ongoing collaboration between team members in the face of a crisis?
IT: Facilitating SaaS security, fostering innovation
Implementing these six security strategies shouldn’t stymie innovation. In fact, taking steps to ensure that employee and customer data is safe frees employees up to focus their energy on leveraging the SaaS stack at their fingertips to create the next big thing.