David Stoicescu (Part 2): How Deepwatch Takes a Risk Based Approach to Managing Software
David Stoicescu: I've approved applications that have a very weak security posture. And people look at me and they're like, "Why would you do that?" And my answer is, if you take a risk-based approach and the data that you are putting in there is some form information for some marketing events, there's nothing specific in there that you would be really concerned about, and I'm not going to hold them to the same standards that I'm going to hold someone like a cloud provider.
Cory Wheeler: Hello, hello and welcome to SaaSMe Unfiltered: The SaaS Management Podcast, the show with give-it-to-you-straight, real-life advice from pros knee-deep in SaaS every single day, SaaS management superheroes just like you. Welcome to another episode of SaaSMe Unfiltered. I'm Cory Wheeler, co-founder and chief customer officer here at Zylo. Today we're back with our friend and the Chief Information Security Officer at Deepwatch, David Stoicescu. There's a lot to discuss when it comes to SaaS risks, so I'm really excited to continue our conversation. Last time, we covered a lot of ground on visibility and why it's so important to a security program, as well as insight into your role in the team at Deepwatch, David. And we left off talking about when things go off the rails, or those, as we like to call them, oh shit moments. So David, you mentioned something that we talk about with our customers often: it's that oh shit moment where you get a call from the FBI saying they found your data on the web. That's a really great example of a primary level of risk. But I want to dig in deeper, maybe speak to a little bit of the level of importance you place on apps versus apps plumbed into your own stack and into Deepwatch's stack today. Do you have another level and layer of security that you apply to those, and how do you stay on top of the differentiation between the 15th project management app that your company is using and that next application that's actually plumbed into your own product?
David Stoicescu: I'm really glad you brought this up because listen, at the end of the day, you can't apply the same level of focus to every single application and widget that exists out there. So you got to take a risk-based approach. So from that lens, I'm looking at our core applications that we use to deliver our service, and I place the most emphasis on those. I make sure that we're completely dialed in because they're the biggest targets. It's where most of our critical data is. Now, if we had our project management application go bust, they have some sort of breach or ransomware thing, is it the worst thing in the world? Yeah, it's bad. There's going to be a lot of damage control. There's going to be a lot of, "Hey, was our data included in that?" It is a very big deal. Is it going to be as big a deal as a core application such as our cloud hosting company? No. So the level of effort and emphasis we put on the application directly correlates to the level of risk that the data within that application represents to us and to our customers. That's how we look at it. I've said this to some folks and I've been surprised by their reaction, or maybe vice versa. But I've said before, I've approved applications that have a very weak security posture and people look at me and they're like, "Why would you do that?" And my answer is, if you take a risk-based approach and the data that you are putting in there is some form information for some marketing events, there's nothing specific in there that you would be really concerned about. And I'm not going to hold them to the same standards that I'm going to hold someone like a cloud provider.
Cory Wheeler: How do you run that investigation? And to set that up, it begins with visibility. You need to know the applications that are in use across the business. Then you've got to understand exactly what you just went through. What data are we storing in there? Is that just direct communication? You've got a team that's interfacing with each functional stakeholder across the company, assuming that's it. What are those first components that you're tracking when you're looking to understand the security profile for each application?
David Stoicescu: I'm just going to tell you right now that without some sort of mechanism to identify shadow IT spend, there is no way you will know where all of your data lives. It's just not possible. So that being said, if you go through the procurement process, which is the correct way to acquire any piece of technology, there's a process of steps that are followed, and the security organization gets engaged as a part of that process. And we ask questions: what is this for? What is the business purpose? What customer data will you be putting in there? And then we do an assessment of that organization and we do an assessment of the product itself. So that's how we get it into our system, and we catalog it and we give it a thumbs up or we give it a thumbs down, or sometimes we'll give it a conditional thumbs up. Conditional thumbs ups are actually a lot harder, because if you give it a condition, that means that my team has to follow through on that condition throughout the relationship with that vendor, which is difficult to do if you don't have some sort of automation in place. So that's one way. Now what's really great, and this happened even when I thought that I had things under control back in the day: you implement, or I implemented, the Zylo platform, and I was like, oh wow, I actually didn't really know about these several applications, even when it was like 30, 40 employees. So it really kind of blew my mind, and I did a retroactive, right, process or third-party review with that vendor. And it is harder because they already have your business, so they don't have a whole lot of incentive to answer all the questions and go through that process. And maybe we can do a whole nother conversation around what that review should look like. So you make it very low friction for vendors so that you actually do get a response from them.
But doing the retroactive and then putting them in a system, and then again, based on the risk associated with that data when that particular vendor, that dictates how often we go back to reassess.
Cory Wheeler: Yeah, makes perfect sense. And what you're kind of getting into right now is talking about the concepts of compliance and governance, compliance with process, governance around kind of how you operate internally. Let's dig into that. What does that mean to you at Deepwatch when you think about SaaS compliance and governance?
David Stoicescu: I think those two things are going to be intermingled. From a compliance perspective, we have to have visibility into all of our applications, from an asset inventory perspective but also from a data flow perspective. From a governance perspective, we're really going to start to focus on: are we following the policies and the processes that we've put in place, whether that's from a spend control perspective, or from an automation perspective, or from the perspective of ensuring that we're doing the right thing for the business? And one of the things that, for instance, Zylo has helped me with quite a bit in the past is getting visibility into duplicative spend. I think you kind of touched on this, it's like how many project management applications do you really need?
Cory Wheeler: Really need. Yes.
David Stoicescu: So there's a bunch of them out there and there's a lot to be said like, hey, if we've made an investment in whatever application and we've given this to every single employee, why are we purchasing this other thing? For starters, it's creating a lot of confusion and chaos within the organization. It's wasting a lot of money and you're widening your risk aperture because you're putting that data in multiple systems.
Cory Wheeler: Yeah. Most CIOs will even say it's just creating inefficiency. You're onboarding new teams on new products, you don't have a central way to support those. And you're creating a lot of inefficiency or lack of productivity across the organization, which I think really resonates. I think as you serve the organization and as we think about SaaS management internally, InfoSec is a key part of that overall strategy for SaaS management. It's definitely a team sport. Talk about your role and your function in that vein at Deepwatch. I think you've previously talked about the office of the COO and finance, how you've worked with them, but talk about that team sport dynamic. Who do you serve, and what are the dependencies, and who are the peers and groups that you've got to be working with to deliver this all at scale?
David Stoicescu: I think that as an executive at any organization, I think even more so at smaller organizations, you can't just put on your blinders and just say, "Hey, listen, this is my role. This is what I'm doing, and these are the problems that I'm going to solve." In my role, I focus and I spend time on issues that might be in the finance organization, that might be in the people organization, that might be in the COO or the CTO organization, the CMO organization or the CRO organization. As a matter of fact, at Deepwatch, I've touched on supporting every single executive leader. And I think that a lot of that has come from just the experience that I've had and the things that I've done. So it's my job and it's my duty, as somebody who is responsible for the direction of the organization and setting that pace and setting that tone, to look at all of it. And I think that SaaS spend touches on governance, IT governance, it touches on security, it touches on risk, but it also touches on finance, but it also touches on operations. So it's really just woven into every single part of the business, and it absolutely is a team sport.
Cory Wheeler: How do you evolve your practice internally? Talk about, from your 30-person company experience, how you're able to deliver these operations at scale. How are you able to do that within that team sport kind of scenario?
David Stoicescu: So what I will say is that within the security and within the IT organization, we have a particular set of skills.
Cory Wheeler: Sounds ominous.
David Stoicescu: Right. And those skills really are manifested in the ability to think very creatively about how to solve problems, how to make them scale. If you think about it, like the various programs that we have and the IT technology and this, that and the other, there's a lot that goes on behind the scenes to make sure that it scales out. And there's a lot of automation and kind of thought that goes into: what does the experience look like? What are our users going to run into? What are some of the potential problems? How do we iterate on this? What I found is that with other folks throughout the executive team, they don't necessarily think that way. They've got different types of problems. And what's really exciting for me is to come to them with a different set of skills and capabilities and say, "Hey, listen, have you thought about it like this?" Right? What if we turned it sideways and upside down, and what if we did this and what if we did that? And I think that's what creates that relationship. And then now you've got the IT and security organization building trust with the people organization, with your CFO or with sales or with marketing. That's the team player component. That's also how you build trust. And I think if I kind of take it down even one step further, one of the things that I talk to my staff about constantly is every time we build something, we're not done. We just did version one, and now we're going to come back and we're going to do it again. So it's very common within my organization to see us sometimes revise things, sometimes completely tear them out and say, well, we found a better way of doing it that's more efficient and perhaps more cost effective for the business.
Cory Wheeler: That resonates. And I think you've spoken a lot to those best practices, those things that make InfoSec and your role really successful. And maybe this is just a derivative of that, but where do you see organizations making those mistakes, getting tripped up within the InfoSec world when it comes to software as a service, tooling in general? What are some of those missteps that you've seen or learned from?
David Stoicescu: The thing that I see most often, frankly, Cory, is folks just not paying attention to SaaS at all. And I think this is a bigger problem in organizations that have been around for the past 20 years or so. They've been in business for a while. Maybe they were an on-prem environment and they had co-locations and data centers, and they're on their journey to maybe hybrid cloud or moving completely to the cloud. Maybe they're exploring SaaS applications. So that muscle just isn't there, it just doesn't exist. So I've seen just a broad spectrum, anywhere from not knowing what to do whatsoever and having no visibility into what's going on, to a very small number of organizations that actually have some semblance of, hey, what applications do we have and where's our data? Never mind the spend, right? I think as soon as you tack on the spend, it makes solving the problem through something like Zylo a no-brainer, because you could just look at that number simply and just say, "Well, if you look at the math like this, this thing will pay for itself in a month."
Cory Wheeler: Yeah, it's the large shift from on-prem to the cloud. As you talk about that distributed nature of SaaS now, nobody owns it. IT does not own SaaS. They own all the on-prem deployments, the hosting, provisioning, deprovisioning. They've got the server closet that they were maintaining 20 years ago. So security was a completely different ballgame. And it's that lack of ownership. The CIO will very clearly say, we don't own software throughout the company, we own the core applications, we own the birthright apps. We'll get you spun up on your single sign-on solution, you'll get email, you'll get your CRM, your HR system, but there is no clear ownership across every single organization. So in that vein, how do you, and it's probably through those governance and those processes that have been set up, but you've got to get your arms around a centralized view and a process that you're accountable to, which is much larger than just what IT owns today. So you've got to make sure that you're finding those shadow IT apps, those one-off applications that R&D is putting information in. That could be a risk. That's a difficult charge when you sit in a function that doesn't wholly own all of it today. So you've got to kind of be your ninja on the outside, really being able to rein all of that in, in conjunction with your IT folks as well. Is that a fair way to put it?
David Stoicescu: I would say that is fair. Part of the problem is in the question, and something that you said was, who owns it? I think that's a mistake. I think that's not the way that you should be looking at it. I think that the way we should be looking at applications and services is really from a data perspective. Forget the application, just look at the data, but then let's replace the word "own" with "responsible." Who is responsible? And guess what? We're all responsible, and we have various levels of responsibility for those applications or that data that lives within those applications. And again, I think the more you're going to see this in larger organizations, things are kind of siloed out and there is a lot of ownership and there's a lot of swim lanes, and especially the larger the organization gets. I don't think there's getting away from that. And I'm certainly not naive to that. I'd love to think that, especially in the mid-market to commercial space, there is a sense of kind of responsibility rather than ownership. And I would love to see this propagate to the enterprise space as well, where CISOs and CIOs work together and they become, I think, disciples of data hygiene and data security regardless of where it lives. And they create change agents within marketing, within finance, within sales, and they work very closely with those operations teams that are responsible for those applications. I don't see a lot of that today. Most CISOs that I interact with, and I think I have a unique view, Cory, because I work for a security company. I've worked for security companies for the last 10 years now exclusively. And CISOs are our customers. So I have a lot of conversations with these folks, and a lot of times they're trying to get budget for endpoint, right? Or they're trying to figure out how to make sure that they have asset coverage throughout their environment. They are trying to make sure they've got vulnerability management at bay.
And it's almost like, you know, what you don't know, you just don't know. It's like out of sight, out of mind. And a lot of folks are unaware of and unfamiliar with where their data is, what that risk is to the business or to their customers, and they need to start taking some action to figure out how to bring all that in.
Cory Wheeler: Last question, before we jump into our fun follow-up: give us a look into next year. What are your goals as you head into next year professionally? Maybe peek into KPIs that are most important to you that you're tracking, but what do you view as next year's priorities?
David Stoicescu: So I'm always in a state of building, just like the folks that are on my team, and they've got various responsibilities. They are always looking to reinvent the work that they just did and make it more efficient. So sometimes you do it every six months or whatever the case might be. I think that you can't run a successful business without data. If you don't have any metrics, you can't do that, but you got to move past the traditional understanding of metrics. I think when I say metrics, the first thing people think about are graphs and numbers and, hey, here's how many tickets have come into the queue. When I think about that, I say, okay, what are the things that I care about? And what are the things that I hold my team accountable to? And do they have the tools to also see how they're performing and what those things are that we care about? But I feel like where a lot of folks fall short is: what does success look like for any data set, right? Because it's one thing to say we have the metrics, but it's a completely different thing to say, I know how to interpret those metrics and do something with them. I know how to tell a story. I know how to take us from where we are to where we'd like to be to achieve X, Y, Z outcome. So when you say, hey, what are you looking for? What are you looking at doing in the next year? I want to start building that muscle and that skillset capability within every single person in my team. And while we've done a great job of implementing very, very strong programs, strong controls and processes and procedures, we've done great from a compliance perspective, now I want to kind of change the game up a little bit and say, "Hey, listen, we're going to start focusing very heavily on maturity, but I want you guys to be driving that," enabling you to tell a story with data and with metrics, enabling you to create the path as opposed to continuing to come to your boss and say, "Hey, what's the next thing?"
So that's what I'm really stoked about. It's not a common skillset that you find in engineers or analysts. They're always kind of focusing on, like, hey, what's the thing that's right in front of me? I'm trying to get them to think like, hey, what's the thing that's 3, 6, 9, 12 months out? And if you're a director, you should be able to see 18 months away. And if you're a VP, you should be able to see 24, 36 months away, and so on and so forth. And that's difficult to do. It's easier said than done.
Cory Wheeler: Much. Well, we're going to close this out with our favorite segment, the rapid fire segment. I'm going to throw a few terms out there, maybe a thought provoking question. I'm looking for your hot take, your very quick response. Could be one word, could be a sentence, however you want to take it. Are you ready?
David Stoicescu: I'm ready.
Cory Wheeler: You better be ready. Here we go. Security breach.
David Stoicescu: Oh shit. Let me expand on that a little bit. Who's the first person I've got to call?
Cory Wheeler: Ah, that's great. Shadow IT. Oh shit, right?
David Stoicescu: Not good. Yeah. Well, I didn't want to say this, but I was going to say, oh, I got that covered. But first thing that comes to mind is how did this get through the cracks?
Cory Wheeler: Yeah, I think the product led growth approach over the last five, 10 years has really driven so many new ways for employees to grow and leverage. But boy, I think about folks in your seat and it's just a huge concern. Okay, couple fun ones here. It's the most important equipment or gear for my mountain biking. The most.
David Stoicescu: God. Well, you can't get very far without a chain.
Cory Wheeler: Sure.
David Stoicescu: Oh, you know what, here we go. A multi tool. You got to have a good multi tool on you. Absolutely.
Cory Wheeler: There you go. High speed auto racing. Boy, being a fan of that is super awesome. Tires versus brakes.
David Stoicescu: Ah, I'm going to go with tires. I'm going to go with tires. Well, if you've got good brakes and bad tires, you're still not going to be able to stop.
Cory Wheeler: True. That works. David, a heartfelt thank you for coming on the podcast today. Your insights around governance, compliance, and the role that InfoSec plays are really advanced. As I think about the customers that I've had the good fortune to work with on the security side, your thought processes around programmatic approaches to SaaS management from an InfoSec lens have been progressive and ones that you've carried over from role to role, and it's been fun to build that with you. So thank you so much for jumping on the show today. I look forward to talking to you in the future, and we wish you the best.
David Stoicescu: I appreciate that, Cory. And listen, the same work that I do internally within my organization, being a disciple and steward of data hygiene and good data security, is something that I want to extend to folks outside of my organization and to my network. So I'm very excited to do that with you today, and thank you for the opportunity.
Cory Wheeler: Great. Take care, David. Did you enjoy the episode? Pass it along to your friends, subscribe to get notifications for the latest episode, share your favorite takeaways, and join the conversation on social media using #saasmeunfiltered.
Do you know where your data is going? If there's one thing that David Stoicescu believes, it's that SaaS security begins with visibility. In this episode, David shares how he takes a risk-based approach to managing software at Deepwatch and addresses the pitfalls he sees companies succumbing to when it comes to SaaS.