Building a SaaS security program

Send a text (https://www.buzzsprout.com/twilio/text_messages/1723279/open_sms) This month, we welcome Swathi Joshi, VP of SaaS Cloud Security at Oracle, to discuss key moments and decisions that shaped her career path, including rejections from Google and Twitter. She emphasizes the importance of learning from rejection and seeking feedback to improve. Swathi also shares insights on the role of mentors and advises on finding and working with mentors. In the second part of the conversation, she discusses building a SaaS security program as an enterprise consumer of SaaS. She highlights the importance of addressing misconfigurations, ensuring visibility and access control, and meeting compliance needs. Swathi also suggests asking about backup and exploring risk scoring for vendors. In this conversation, Swathi discusses best practices for managing vendor risk, vulnerability management through third parties, and incident response in SaaS applications. She also shares insights on privacy operations and critical privacy controls in SaaS. Swathi emphasizes the importance of collaboration, robust incident response plans, and data lifecycle management. She also highlights the need for identity and access control and the challenges of normalizing incident response across different SaaS platforms. Swathi's leadership philosophy is collaborative and pace-setting, and she emphasizes the importance of stress management. Takeaways • Learn from rejection and seek feedback to improve • Build long-term relationships with mentors and create a personal advisory board • When building a SaaS security program, focus on addressing misconfigurations, ensuring visibility and access control, and meeting compliance needs • Ask about backup and explore risk scoring for vendors.  • Managing vendor risk requires close collaboration with privacy, legal, and contract partners. • Incident response in SaaS applications shares foundational principles with traditional on-prem software, but there are differences in data snapshotting and managing dependencies. • Privacy operations can be operationalized by focusing on identity, access control, and data lifecycle management. • Leadership should be collaborative, open to ideas, and adaptable to different situations. • Stress management is crucial for effective leadership and should be acknowledged and actively managed. Links Privacy Operations Template (https://github.com/firstprinciplesecurity/Privacy-Operations-Template) Swathi's LI Profile (https://www.linkedin.com/in/joshiswathi/) Chapters 00:00 Navigating Career Challenges and Learning from Rejection 08:13 The Role of Mentors in Career Growth 15:26 Building a Strong SaaS Security Program 21:20 Meeting Compliance Needs in a SaaS Environment 21:56 Backup and Risk Scoring for SaaS Vendors 22:38 Managing Vendor Risk 26:12 Improving Vulnerability Management through Third Parties 26:35 Navigating Incident Response in SaaS Applications 34:03 Operationalizing Privacy Operations in SaaS 40:50 The Importance of Collaboration in Leadership 43:04 Managing Stress for Effective Leadership The future of cloud security. (https://www.paloaltonetworks.com/prisma/cloud?utm_source=cloud-security-today--amer-prismacloud&utm_medium=) Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI. Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.