Views from the top: CISO perspectives on the state of SaaS security

A look back at the highlights, themes, and insights from Nudge Security’s “Overshadowed” interview series.

Over the past several months, I’ve had the pleasure of talking with nine CISOs and privacy experts as part of Nudge Security’s “Overshadowed” interview series. As a founder of a fast-growing start-up, I find it incredibly beneficial to talk with practitioners in the field as frequently as possible—it helps me to ensure we’re maintaining a clear focus on solving the truly important problems that are facing IT and security teams today. 

Looking back over this series, a few key themes emerged. In this post, I’ll summarize those themes, and share highlights from the interviews that encapsulate the perspectives of our guests.

Visibility, visibility, visibility. It’s critically important.

As the old saying goes, you can’t secure what you can’t see. The CISOs I spoke with emphasized that the basic requirement for an accurate inventory of technology assets has not changed. If anything, it’s now more important than ever, because the network perimeter has become far more amorphous with remote work, cloud services, and other dynamics of the modern workforce.

“9 times out of 10 when I got in trouble it was because I didn’t know a thing." —Ed Amoroso (Episode 1: Rethinking the modern attack surface)

“To us as an MDR, we have to know what’s out there because we have to tune the systems to know what’s in use, what’s supposed to be in use, etc.” —Tony Simone (Episode 4: How Incident Response has changed in a SaaS-first world)

“You have to start first with visibility. You cannot solve this problem or provide guidelines or improve your overall security program without having the right visibility.” —Mario Duarte (Episode 7: Transforming IT governance in response to generative AI)

SaaS sprawl is undermining effective IT governance.

It’s no surprise that we wanted to explore how security leaders are grappling with the visibility challenges introduced by the explosion of SaaS app usage in modern organizations. The resounding response was that this lack of visibility is leading to serious gaps in IT governance, causing security teams to be reactive rather than proactive.

“Unless you have a good inventory of apps outside of SSO, it’s impossible to know who has accounts where.” —Dave Anderson (Episode 2: The security risk that should be avoidable)

“It’s so important that organizations pay attention to this. And by the way, it’s (third party risk) in everyone’s risk register.” —Kunal Anand (Episode 3: Navigating the challenges of SaaS sprawl)

AI and government regulations make this even more challenging.

Meanwhile, there’s a “perfect storm” brewing: the explosive adoption of generative AI tools is coinciding with new SEC rules that raise the stakes for CISOs (and organizations) when breaches occur.

“All of these things are creating the right conditions for errors to occur.” —Mario Duarte (Episode 7: Transforming IT governance in response to generative AI)

“Sometimes the risks are worth it, sometimes they aren’t…but you certainly can’t do anything about them if they aren’t pointed out.” —Bradley Gold (Episode 8: Data privacy implications of generative AI)

Blocking is not the answer.

The upside of the new SEC rules and the focus on AI is that CISOs have a golden opportunity in front of them. Their boards and other leaders across organizations are being forced to pay attention to cybersecurity. At the risk of being trite, this reminds me of another old saying: “never let a crisis go to waste.” CISOs can (and should) leverage this focus and attention to cultivate greater security awareness, a positive security culture, and partnerships across the business. 

"Cybersecurity should be considering 'how' you do things, not just you can’t do something…You don’t want cybersecurity to be the department of 'no.'" —Ira Winkler (Episode 6: Considering the human element in security)

“Control friction is not immutable. It’s something we can design towards or away from.” —Malcolm Harkins (Episode 5: Managing risk vs. friction in IT security)

“So, visibility, policy and real time education of the employee are going to really be the only way, in my opinion, that you’re gonna have an educated and well-informed employee base.” —Mario Duarte (Episode 7: Transforming IT governance in response to generative AI)

Identity is the new “edge.”

We capped off the interview series with a discussion with Steve Zalewski about the evolution of securing “the edge,” and how the primary focus has shifted from the network edge to the data and identity edges. 

“The bad guys don’t break in, they log in.” —Steve Zalewski (Episode 9: Securing modern work from the network edge to the identity edge)

This represents a significant shift for security teams—but also creates opportunities for how we manage risk and respond to incidents.

“The beauty here is, what you’re doing with Nudge…is you can take action. You can not just tell me something, but you can do something for me to give me some immediate breath.” —Steve Zalewski (Episode 9: Securing modern work from the network edge to the identity edge)

Closing thoughts of my own…

I truly enjoyed each and every interview in the series, and am grateful to each guest for taking time out of their busy schedules to talk with me. As a closing thought, I’ll leave you with this snippet, encapsulating the “big picture” of the design goal of security programs.

“Set a design goal…manage the risk dial, the total cost dial, the friction dial…you end up with a better answer for the business and a better answer for security.” —Malcolm Harkins (Episode 6: Considering the human element in security)

Related posts


Debunking the "stupid user" myth
in security

Exploring the influence of employees’ perception
and emotions on security behaviors