Bridging the Gap for Under-Resourced Organizations

Understanding Organizations with Few Resources

The gap that exists today for under-resourced organizations may be best described through real stories.

Imagine a set of small businesses in a town that hire one person to manage their security and IT. This person goes between several businesses with a set-it-up-and-forget-it mindset in order to manage IT and security for all of them. This means no one is watching the logs unless it is done by the application provider or a managed service provider (MSP). Each business selects its products from a sea of competing applications, balancing features and cost without much thought for the add-on toolsets that IT or security might require. The business is small and does not have skilled staff to spot system compromises, including anomalies that could signal an intrusion. If the application is not secured, phishing and other attacks have a higher chance of succeeding.

The small business may see the application's audit results demonstrating compliance with a framework, but frameworks vary in how controls may be met. Additionally, there may be a shared responsibility model in place where the small or medium business (SMB) is expected to deploy add-on toolsets. The under-resourced business may have deployed the required add-on toolsets (if it can afford them), but lacks the expertise to maintain them appropriately. As you can see, there are a number of hurdles to overcome because there is a model mismatch.

Informed Application Selection

Let’s step back to the first hurdle: selecting the application and understanding its security posture. In the past year, several small organizations asked us some important questions. One was a non-profit whose donors give in varying ways. The question they posed was, with X application (a SaaS product),

“Are the credit cards of our donors safe, in particular the ones that are stored in the system in order to charge a monthly donation?”

A similar question was raised around a gala event for a school, where credit cards would be entered into a SaaS application from laptops on site at the event. They asked,

“How can we assure donors their credit cards would be safe?”

Organizations with few resources have no way of knowing whether their data or their customers’ data is safe, or how to weigh risk levels against costs.

The SecurityBiaS Difference: Clarity and Confidence

In these situations, research into each of the SaaS applications showed that the respective applications had passed audits against SOC 2, ISO 27001, and PCI. Ideally, this would be enough, since the SaaS provider had demonstrated due diligence against these frameworks. While we were able to provide some recommendations to further secure the entry of data at the organization, it was too difficult to assess the actual security provided by the application from published information alone.

  • A visible control assessment showed that TLSv1.2 was in use, but not how it was configured or whether any points of interception were in place for monitoring.

  • It was unclear how credit cards were stored, since the provider disclosed only that credit card information is protected.

  • It was not possible to determine whether they used tokenization or some form of encryption to protect this information.

  • If encryption was used, it was not possible to find details on the algorithms, cipher suites, or key management practices in use.

These are just a few examples of control details that would have let us answer the non-profit organizations’ questions with confidence. Additionally, it was unclear how controls were met, or what the application provider’s expectations were around the add-on tools that would be required. It was not possible to gain insight into roadmap plans (e.g. quantum cryptography support plans) or even into detection capabilities around fraud prevention.

Closing the Gap for Under-Resourced Markets

In discussions with a few other experts who also have risk assessment expertise, we agreed that while the current assessments are good, they present a high barrier for a small business. Even if a business were handed a detailed SOC 2 audit framed to answer these questions, there is no consistency between audits and it quickly becomes overwhelming. The Cloud Security Alliance’s STAR matrix and self-reporting is a great leveler: SaaS providers can self-report that controls are met against a cloud-centric framework based on ISO 27001, which helps in comparing providers. The audience for this resource, however, is an organization with skilled staff who can interpret and compare solutions. Comparison is left to the purchaser, since the deciding business may weigh risks in a way that is unique to its business.

A gap remains for businesses with few resources, and at SecurityBiaS we are working to close that gap for the under-resourced market, which includes critical infrastructure, SMBs, and state, local, tribal, and territorial (SLTT) organizations. The market and its underlying needs are distinct, and unless those needs are met, the status quo remains. These businesses need to be able to purchase business applications and have them just work. The requirements that industry has established for products and security have been designed around the needs of large organizations with resources.

SecurityBiaS helps organizations select a business tool for the purpose of that business tool, with a full understanding of the IT and security requirements upfront.

Reach out to learn more about how SecurityBiaS can help unlock access to this under-resourced market.
