The State of SaaS Security: Insights From John Tooley, Virtual CISO, CyberHaven

Posted on November 13, 2020 - by John Tooley - in Growing Your SaaS Company

This article is part of Securicy’s new State of SaaS Security Series, which will feature interviews with a diverse mix of security professionals, including CISOs and CTOs. Our goal is to provide SaaS companies and their teams with actionable insights to improve their security programs and increase their chances of successfully selling their products to larger enterprises.

The following is an interview we recently had with vCISO John Tooley from Cyberhaven.

Why are SaaS startups – even small ones – targeted by hackers? 

Many SaaS organizations in startup mode do not have the focus or resources to build in security, and malicious actors know this.

Working with several SaaS startups across a number of industries over the last few years, I have observed that speed and agility to market are usually much higher priorities than security. In “pre” (Seed) stage organizations, this is especially prevalent. The focus is on building the product, marketing, and obtaining customers. Cybersecurity is generally an afterthought, and attackers understand and will look for weaknesses at the outset. 

Social media sites like LinkedIn provide attackers with initial information gathering opportunities while bots are constantly scouring the Internet looking for open vulnerabilities. This data feeds into technical intelligence gathering which helps bad actors in understanding the target’s network architecture, IP space, network services, email format, and security procedures, creating entry points for further damage.

It is vital to successful data protection to have a unified framework for governance, secure development practices, and a security-centered architecture in place before the deployment of a single line of code to production!

What are the most common questions large enterprises ask SaaS startups about their security programs? 

“Can I trust you with my data and my reputation?” 

“Can you show me evidence you have good security?” 

“What compliance certifications do you have? May I see them?”

The Target breach made famous the notion that even though you may be “compliant” and your clients are satisfied, a single vendor with poor security can cost you millions of dollars in loss and fines… unless you have a solid third-party risk program in place.

More and more SaaS clients, regardless of size, understand and are starting to address the idea of downstream risk. Certainly large enterprises have been doing this for some time now. Since the responsibility for security in the SaaS model falls almost entirely on the provider, organizations want to know that the data they provide is well protected. Often these same clients have similar considerations to their clients, and are required to do formal assessments on their third parties. 

Compliance certifications are also becoming more and more de facto requirements. SOC 2 and ISO 27001 reports are well-regarded attestations that capture how well a company safeguards customer data. Many larger clients want their vendors to have one or both of these (depending on regional requirements) and if not will ask them to get them in a certain time frame.

Other certification requirements I have seen are the Trusted Partner Network (TPN) for my media and entertainment clients, and for DoD subcontractors, I am seeing the new Cybersecurity Maturity Model Certification (CMMC) requirements driving a lot of compliance work. 

At the end of the day, the real question you want to be able to answer is “Why you and not a competitor?” Better security can be a big reason…

What are the most common mistakes SaaS startups make when it comes to security programs?

Not understanding that attackers are gathering intelligence from day one, and not having a plan to address it, is one of the most common mistakes I see with startups. Knowing the cyber risks of your specific business and industry, building a threat intelligence model and leveraging that information to create a robust security “plan” is a crucial first step.

In my experience when security comes up, most startups tend to focus on compliance initially. This is usually motivated by client requirements and tends to come from sales and marketing folks rather than IT. 

While a SaaS startup should absolutely anticipate compliance, especially in regulated industries, a far more practical and cost-effective means is to build a holistic, defense-in-depth driven security program that is aligned to the appropriate framework and standards. This provides an optimal risk mitigation platform across all aspects of the organization. Simply put, compliance is not security, but security combined with compliance is the perfect team.

What are 3-5 pieces of security advice for SaaS startups preparing to sell their product to larger enterprises? 

  • Have security built in from day one! 

Start building your governance, risk, and compliance (GRC) footing as soon as possible…have a strong set of policies, standards, and guidelines that align to business priorities and security best practices. Understanding what legal and regulatory compliance tenets you may fall under will also help with your governance efforts. Consult your legal dept or outside counsel to assist.

Adopt a security framework that makes sense for your business. I personally love the CIS 20 Security Controls for its practicality and common-sense approach. If you are in the cloud, the AWS Well-Architected Security Pillar is a great foundation to ensure you protect data, systems, and assets that reside there. NIST and ISO 27001 are also outstanding options, depending on your environment and industry.

Confirm your vendors, contractors and other third-parties meet your minimum basic security requirements prior to awarding contracts.

  • Build a security culture and protect your employees

Have someone on staff at least partially dedicated to security in the organization. Of course this person should know the policies and understand the tech, but they should also advocate the principles of excellent security for and to the organization. Hiring a consulting firm to assess and articulate the risks, and possibly retaining a vCISO can be very helpful while the company grows, but an internal resource who will champion the effort is crucial to frictionless enablement.

Make it easy for your users to do the right thing! TRAIN your employees formally at least twice a year on phishing, fraud and good cyber hygiene. Then test that knowledge. Regularly. Supplement with monthly newsletters, lunch-and-learns and provide opportunities to create security “deputies”…people who will be your cyber eyes and ears in the organization. Your employees are your first line of defense, and we need them to be “human firewalls” to stop cyber crime before it starts. 

  • Protect what matters most

Your SaaS application is the key protector of your customers’ data. Build security into the SDLC. Ensure at a minimum you are protecting against the OWASP Top 10 and your APIs are protected against injection attacks. Create secure coding guidelines and enforce them with a good static application security testing (SAST) tool during code review.
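As an added example (not code from the interview, Cyberhaven or Securicy) of the injection point mentioned above: a tenant API-key lookup written the vulnerable way next to its parameterized fix, run against a constructed in-memory SQLite database. The table, column names, tenant rows and the attacker payload are all made up for the example.

```python
"""Added example, not from the interview: an API key lookup vulnerable to SQL
injection next to its parameterized fix, run against a constructed in-memory
SQLite database (table name, column names and sample rows are all made up)."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with constructed, non-real tenant data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (tenant TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO api_keys VALUES (?, ?)",
        [("acme", "ak_acme_111"), ("globex", "ak_globex_222")],
    )
    return conn


def lookup_keys_vulnerable(conn: sqlite3.Connection, tenant: str) -> List[str]:
    """Caller input is spliced into the SQL text, so it can rewrite the query."""
    sql = f"SELECT api_key FROM api_keys WHERE tenant = '{tenant}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_keys_safe(conn: sqlite3.Connection, tenant: str) -> List[str]:
    """Parameter binding sends the value separately from the statement, so the
    input is only ever compared as data and cannot change the query's structure."""
    sql = "SELECT api_key FROM api_keys WHERE tenant = ?"
    return [row[0] for row in conn.execute(sql, (tenant,))]


# A classic tautology payload an attacker might send as the ?tenant= parameter.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_keys_vulnerable(db, PAYLOAD))  # every tenant's key
    print("safe:      ", lookup_keys_safe(db, PAYLOAD))        # []
```

The payload turns the vulnerable statement into `... WHERE tenant = 'x' OR '1'='1'`, which matches every row and leaks every tenant's key; the bound version compares the whole payload as a literal tenant name and returns nothing. This string-concatenation pattern is exactly what a SAST rule for SQL injection looks for in code review.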

  • Ensure visibility

First off, know your environments. A complete and accurate record of the What, Where, and Why of your ecosystem is critical. Next… turn on logging… for EVERYTHING. Audit logs are a prime target for attackers to hide their activities to maximize opportunities to compromise targeted data. Logs are the key to understanding “Who’s attacking us today?” and “How did they get access to all of our corporate secrets?” Ensure the right security events (failed logins, account changes, app startup/shutdown, etc.) are being logged. Ensure you have strong access controls around logs so only a few with absolute need can modify them. Consider storing logs in a separate, encrypted location with strong access controls as well.

Actively monitor logs for suspicious events. Consider a security information and event management (SIEM) tool to consolidate and normalize log files from different systems and services. You will want logs from your key servers, especially your Active Directory server and your key application and database servers. You will want the logs from your firewalls and antivirus as well. You will want to keep an eye on your web server. SIEMs provide a consolidated view into your overall attack surface and correlate event information for improved visibility.

An effective audit logging and monitoring program can be the difference between a low impact security incident which is detected before client data is stolen or a severe data breach that costs the company its business.
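As an added example (not from the interview or any product) of the kind of monitoring described above: a small detector run over constructed authentication log lines that chains the events the answer lists, failed logins, a subsequent successful login and an account (role) change, on the same source address. The key=value log format, field names, thresholds and sample events are all assumptions made for the example; a SIEM correlation rule would express the same logic.

```python
"""Added example, not from the interview: a small detector run over constructed
authentication log lines. The key=value log format, field names, thresholds and
sample events are all assumptions made for the example, not any product's format."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines (RFC 5737 documentation addresses; not real data).
SAMPLE_LOG = """\
2020-11-13T10:00:01Z event=login status=FAIL user=alice src=203.0.113.9
2020-11-13T10:00:02Z event=login status=FAIL user=bob src=203.0.113.9
2020-11-13T10:00:03Z event=login status=FAIL user=carol src=203.0.113.9
2020-11-13T10:00:04Z event=login status=FAIL user=dave src=203.0.113.9
2020-11-13T10:00:05Z event=login status=FAIL user=erin src=203.0.113.9
2020-11-13T10:00:09Z event=login status=OK user=erin src=203.0.113.9
2020-11-13T10:00:20Z event=account_change field=role old=user new=admin user=erin src=203.0.113.9
2020-11-13T10:05:00Z event=login status=OK user=frank src=198.51.100.7
2020-11-13T10:30:00Z event=login status=FAIL user=frank src=198.51.100.7
"""

Alert = Tuple[str, str, str]  # (rule name, source address, detail)


def parse_line(line: str) -> dict:
    """Split '<iso8601 ts> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text: str, threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Three rules chained on the same source address:
    1. at least `threshold` failed logins from one source inside `window`
       (password spraying / brute force);
    2. a successful login from a source already flagged by rule 1;
    3. a role change, rated 'high' when it comes from a flagged source, else 'info'.
    """
    alerts: List[Alert] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    flagged = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        src, ts = ev["src"], ev["ts"]
        if ev.get("event") == "login" and ev.get("status") == "FAIL":
            # Keep only this source's failures that fall inside the sliding window.
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src,
                               f"{len(recent)} failed logins within {window}"))
        elif ev.get("event") == "login" and ev.get("status") == "OK" and src in flagged:
            alerts.append(("success_after_failures", src,
                           f"user {ev['user']} logged in after repeated failures"))
        elif ev.get("event") == "account_change" and ev.get("field") == "role":
            severity = "high" if src in flagged else "info"
            alerts.append(("privilege_change", src,
                           f"{ev['user']} {ev['old']}->{ev['new']} ({severity})"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {src}: {detail}")
```

On the sample lines the detector raises three alerts for 203.0.113.9 (five failures, then a successful login, then a role escalation rated high) and nothing for 198.51.100.7, whose single failure never reaches the threshold. The point of keeping the three rules on one source address is that the role change alone would be routine, but following a spray and a login it is the sequence an account takeover produces, and only the logs the answer asks you to enable (failed logins, account changes) make that visible.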

  • Protect your customers… from themselves

While this may seem obvious from a technical perspective, you should also consider educating your customers regarding security and account takeover fraud. Strong passwords, not reusing credentials and insisting on MFA for sensitive accounts is a good start. This also protects you, as these are common entry points for criminals to look for vulnerabilities and can give them access to other customers’ accounts or even control of the system itself. SaaS products can be highly vulnerable to this attack vector due to common resources being shared between all user accounts.

What cyber security trends should SaaS startups keep an eye on as we make our way into 2021?

  • User Awareness

As attack vectors change and threats become more aggressive, businesses need to take steps to improve the cyber “awareness” and skills of their employees and staff. A recent report by Infosec indicates that about 97% of the people cannot identify a phishing email, while 1 in 25 people click such emails, thus falling prey to cyberattacks. Aside from this, cybercriminals now resort to more advanced and high-tech forms of phishing (spear and whaling) and malware infections.

Cybersecurity awareness can help prevent the assault of threats and attacks. Some organizations have started to implement the combined use of web- and classroom-based methods and visual aids for cybersecurity awareness training and promotions. On top of this, creating policies focusing on how employees handle and share confidential corporate data, and enforcing them, can have excellent results.

  • Remote Working

If we don’t segregate work computing from home/family computing, we’ll find home users using untrusted environments and entities to access the corporate crown jewels, which can allow hackers to either lock down sites with ransomware or steal valuable intellectual property.

Focus on business requirements and understand how users and groups access data and applications. Perform a needs assessment and review what has changed to determine if access levels are still correct, systems are effectively segregated, and if any security measures are actually impeding work. 

  • Cloud Breaches

While the cloud may offer more services and integration points for security, it is only as secure as it is architected, enabled, configured, and maintained. Poor configuration of cloud security can lead to cybercriminals bypassing internal policies that protect sensitive information in the cloud and on-premises. Accordingly, security in the cloud must progress into predictive and inventive security solutions to combat cyber attackers. Consider solutions that follow the MITRE ATT&CK framework to stay ahead of your adversaries.
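As an added example (not from the interview, Cyberhaven or Securicy) of the “poor configuration” the answer warns about: an S3 bucket policy that grants anonymous read access beside a corrected one that names the application role and requires TLS, plus a small check that flags any Allow statement with a wildcard principal. Bucket name, role name and the 123456789012 account ID are placeholders chosen for the example.

```python
"""Added example, not from the interview: a weak S3 bucket policy next to a
corrected one, with a check that flags Allow statements open to any principal.
Bucket, role and account identifiers below are placeholders, not real resources."""
import json
from typing import List, Tuple

BUCKET = "arn:aws:s3:::example-tenant-exports"  # placeholder bucket

# Weak: anyone on the internet can list the bucket and read every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET, BUCKET + "/*"]}
    ]})

# Fixed: only the export service's role may read, and plaintext access is denied.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-export-service"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET, BUCKET + "/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
    ]})


def _is_anonymous(principal) -> bool:
    """True for the two spellings of 'everyone': "*" and {"AWS": "*"} (or a list holding it)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def public_statements(policy_json: str) -> List[Tuple[str, str]]:
    """Return (Sid, verdict) for every Allow statement with an anonymous principal.
    A wildcard principal with a Condition (e.g. a VPC endpoint restriction) is
    reported as 'conditional' so a human reviews it; without one it is 'public'.
    Deny statements with Principal "*" are the normal way to require TLS and are skipped."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be written bare
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        verdict = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"), verdict))
    return findings


if __name__ == "__main__":
    print("weak: ", public_statements(WEAK_POLICY))   # [('PublicRead', 'public')]
    print("fixed:", public_statements(FIXED_POLICY))  # []
```

A check like this belongs in the pipeline that deploys the bucket, not in a quarterly audit: the misconfiguration is trivial to introduce and the exposure starts the moment the policy is attached. It only covers resource policies; block-public-access settings, ACLs and IAM policies on the principals themselves still need their own review.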

  • Mobile Devices and IoT

Mobile devices are connected to more and more corporate resources while also blending in personal (banking, shopping, bookings) activities as well. Expect 5G to see even more devices, people and enterprises connected than ever before with millions of end points – further increasing the attack surface. Networks will require more complex and automated security solutions from end-to-end. Traditional boundaries will fade as open ecosystems swell with untrusted, unmanaged devices. According to the RSA’s Current State of Cybercrime whitepaper, about 70% of fraudulent transactions originated from mobile platforms, with popular mobile attack vectors including malware, data tampering, and data loss. Applying AI and security automation will become critical to protecting your business and customers from vulnerabilities and attacks, as moving toward a Zero Trust posture will become the norm.

  • Cyber Skills gap

While new threats, vulnerabilities and sophisticated attack vectors surface every day, new security products and services also continue to be developed to help mitigate these risks. Additionally, many startups deploy in hybrid environments that require deep knowledge of cloud platforms, serverless, AI, machine-learning and other 3rd-party tools and technologies. 

Having the right talent with the expertise to understand these highly complex environments, the capability to effectively use ever more sophisticated tools, and understand the threats to your business and environments is crucial to the execution and maintenance of effective protections and risk reduction. A good security practitioner should have great technical skills but also be able to communicate with end-user and management alike. These individuals can be challenging to find and are usually highly compensated.

Engaging with a security managed service provider (MSP) may be a first step to understanding what skills are needed for your organization and deliver a lower cost runway while providing strategic, tactical, and operational support. A virtual or fractional CISO, along with cloud security engineers and operations center support services, can provide a full “team” of experts at less than the cost of a full-time cyber staff member.


Do you need help getting your security posture up to your clients’ standards? Book a demo with our team at Securicy to learn how we can help.

About the author

John Tooley, CISSP, CISM, CCSP is an accomplished Information Security leader experienced in communicating with C-level executives at a strategic level, understanding business risk appetite and aligning with and supporting the business technology agenda. He has held titles such as Chief Information Security Officer, Vice President Information Assurance, and Global Information Security Manager.