SaaS Cyber-Security: Retrofitting Too Late & Other Mistakes

SaaS companies too often go looking for a cybersecurity solution only after a breach, something Censornet's Ed Macnair deplores and tries to fight against.



Censornet is committed to giving mid-market organisations the confidence and control of enterprise-grade cyber protection.


That's a crucial element for when you're selling your SaaS apps to an enterprise, as you need to think about security from the ground up.


They talked about the following:

  • The challenges of retrofitting security as an afterthought.
  • How Censornet addresses customer pain points concerning system setups.
  • How long-standing, comprehensive security setups improve investors' trust at exit.
  • Customer stories.

The Danger Of Retrofitting


SaaS companies too often go for a cybersecurity solution only after a breach, and Ed Macnair deplores that and tries to fight against it:


“Part of the problem is that SaaS are, rightly so, focusing on developing the functionality of their application. But that means in most cases, security will be their last priority, and it’s really a shame. And a headache when these applications are actually deployed into enterprise and people start thinking, well, should everybody have access to this specific feature or this bit of functionality? So quite often people are trying to retrofit security to applications.”


It’s important to note that, in a lot of cases, security breaches are produced internally. Fuse Capital's host, Ben Tresham, recalls: “One of the previous companies I worked for actually had a breach where people had access to too much of the application. Somehow, a list of customers was posted on a note on a board. I had to go and present to their board of directors the steps we've gone through to make our application secure, and that was very much us trying to retrospectively implement security in an application which was a monolith system, which, as you're aware and so are our listeners, is not easy to do at all.”


“It is very complicated”, Ed agrees. “Look at Salesforce, for example. It’s a massive company which provides enormous value to their customers, and it took them 12 years (!) to implement role-based access control.”


Ed Macnair did work on this very security system, which was the genesis of his previous company.


“To come back to your story, it’s a very good example: the reality is that somebody in sales shouldn't be able to download all the opportunities as a list, for example, or all contacts list. They don’t need that for their job.”


“But then when you start turning off or restricting areas internally, you need to be able to comfort the user and present them with a sensible reason why they can’t access something, and that’s a big part of the job actually.”


Ben replies: “Well because it’s changed, and everyone fears change.”


Ed’s face lights up with agreement: “Exactly, you’re absolutely right! But as long as you can manage to communicate to the user why some restrictions need to apply to them, you’re generally fine.”


Access Control Issues


Ben then orients the conversation towards access control:


“I know security scanning is a big thing for many small SaaS companies. It's quite difficult for them to do. You have some products that sort of help in this area, right?”


“Our goal and vision has been to democratize security. If you look at large enterprises, they generally have large IT teams and in those then we'll have a security team.


When you take that approach down to small/medium-size enterprises, you might have one or two, or maybe just a handful of people trying to perform all of the IT function. You can’t expect them to be security specialists, can you?


“So, we've really simplified the user interfaces to enable people without massive skills or knowledge to get the most out of security and secure that organization simply, quickly and effectively. We did that by developing the very first cloud access security broker technology, which enables you to layer a very fine-grained access control policy over elements of an application.”


“And that's the sort of… most important thing, right?” asks Ben.


“Because when you're a small company and you're trying to sell to these big enterprise-level companies like banks, insurance companies or anyone really, the first question they're going to ask is: What security scanning do you have? What certifications do you have? Is your stuff ISO 27001 compliant? Going through these as a small company, that's quite hard.”


“It’s tremendously hard as a small company and it takes a lot of resources to be able to do”, Ed acquiesces.


“To implement, but also to keep afloat… It’s almost twice as hard. So, there are sets of controls that need to be implemented, and we make it much simpler for a small to medium-size company to apply those controls. We also give them the ability to demonstrate that they've secured access to.”


Ben then goes on a tangent: “I remember the auditor going: ‘Show me that log. Show me that log, you say you've got a log for this. Show me the log for this. Oh, look, someone in Russia has tried to access something. Can you show me the log and the security report that you did on that?’ We had no idea that someone in Russia was trying to access our system until I looked at the log. (laughs)”


“Part of the challenge is that there are so many different security tools available,” Ed continues. “And typically what we find is that when we're putting the Censornet platform in for a customer, we may be replacing anywhere between three and ten different security tools. And because we're delivering everything in a unified platform, it means there's only one place to go for reporting, configuration or anything else.”



Mid-Market SaaS Vulnerability


“So, what's your ideal customer then, who is Censornet aimed at?” Ben asks.


“For us, it’s the mid-market. Our largest single customers probably have somewhere around 38,000 seats, so what we do scales to larger enterprises, but where I see the problem really lying for organizations is in that mid-market, low hundreds to low thousands of users.”


“And why is that exactly?”


“Well, because typically those companies don't have massive security teams and they struggle to have the resources to secure themselves. They could outsource security, but that’s terribly expensive.”


“And not only is it expensive, but you’re also outsourcing control, aren’t you?”, Ben adds.


“Exactly, and though that may sound attractive, you can’t outsource accountability…” Ed pauses for a moment and smiles, to let it sink in.


“See, if you have a major breach and your company ends up as a headline in, say, the Telegraph or the Times, you know you can't just point fingers and say: Well, I gave security to somebody else to do and they got it wrong.”


“Yes, that sounds doubly incompetent: not only couldn’t you do it yourself, you outsourced it and you had a breach… I think your business might be over”, Ben adds, cheekily.


“Exactly, and that’s why it’s all the more pressing for these small to medium companies. When they get a breach, the odds are very much against them.”


“Most companies that have a major breach in the SME market do end up folding, don’t they?”


And it’s true: more than 60% of SMEs that suffer a security breach end up going out of business within 6 months.


Ed concludes: “Yes, yes they do. Which is tragic really. It's terrifying. But as we said, security is often an afterthought. It only happens after something happens. And that’s usually too late.”


Closing Thoughts


As the interview nears its end, Ben asks for a closing remark: “What would be the main thing that you would advise a CTO?”


“Looking to implement security into their platform would be the key message here. Understand your risk.


Understand where your data is. It's, you know, data… it’s the lifeblood or the oil lubricating an organization. If you don't know where your data is, you can have a hard time securing it.”