
5 minutes with Brian Soby - Understanding Software as a Service (SaaS)

By Maria Henriquez
December 29, 2020

Meet Brian Soby, who has held security leadership roles at Salesforce and in the financial tech industry. Prior to founding AppOmni, Soby founded a cloud software security consultancy. He served as Director of Security at Taulia and managed all security functions, including product/application security, compliance, physical security, and corporate information security. Before that, he was the Director of Product Security at Salesforce and a Lead Security Engineer at MITRE.

Here, we talk to Soby about how organizations can avoid today's biggest challenges with Software as a Service (SaaS).

Security magazine: What is your background, and current responsibilities as CTO of AppOmni?

Soby: My background is largely security. I started off in the government space working for a defense contractor and then to MITRE, a federally funded research and development center. While MITRE is a great organization with a great mission, I switched career paths to move to the west coast and attend business school. That’s when I joined Salesforce and really started to understand the challenges associated with running SaaS applications at scale (from both customer and provider perspectives). Later, I would experience more real-world examples of these challenges after starting a security consultancy that focused on software and SaaS security. 

It was this experience that led me to reconnect with Brendan O’Connor, now CEO of AppOmni, identify the broader industry issues and their root causes, and together start AppOmni to solve these problems for customers. 

Today, I help educate customers about the nature of security challenges when using SaaS and work with a fantastic team of fellow security professionals and engineers at AppOmni to create a SaaS Security Posture Management (SSPM) platform. On a day-to-day basis, this means meeting with customers and prospects to understand their security concerns, drawing from the decades of experience from our team to help educate them about key responsibilities and pitfalls, and steering the product and technology organizations at AppOmni to expand our platform to efficiently address these problems.

Security magazine: Why is SaaS application security important?

Soby: As organizations have transformed their businesses and operations in 2020, including the adoption of SaaS technologies as a result of increasing WFH initiatives, cyberthreats have followed suit. A recent survey conducted by AppOmni directly correlates the increasing adoption of SaaS to the shift to remote work. The same survey illustrates how IT administrators, who have received additional responsibilities due to WFH initiatives, have less time to effectively manage and secure their SaaS environment. Adoption of new technologies and services coupled with lack of time and expertise by security teams is a perfect recipe for cyber threat. The benefit of anywhere access to SaaS applications and data is attractive to bad actors that no longer need to wade through different layers of security traditionally implemented in a typical office/datacenter setting.

Security magazine: What makes SaaS application security difficult?

Soby: SaaS applications require deep knowledge and expertise to operate. Most security teams simply do not have access or knowledge to operate a wide variety of SaaS applications, let alone third-party application providers, that are powering the businesses. It is like knowing how to operate a boat and thinking you can fly a helicopter. SaaS users can unintentionally make configuration changes that put the organization at risk simply because of lack of knowledge. Security teams are typically tasked with securely managing and maintaining 5 or 10 SaaS applications at a time, and as SaaS adoption grows, they simply lack the bandwidth and expertise to manage them all.

Security magazine: How do you solve these challenges at the enterprise level?

Soby: Security professionals have been preaching for years that the perimeter is dissolving. Remote work throughout the pandemic has solidified that case more than any whitepaper, blog post, or tech talk ever could. Security teams have two decades of experience protecting the corporate network, and putting the proper detections in place for their internal systems. In the world of SaaS and remote work, those internal defenses sit idle and provide limited value. Securing a remote workforce and distributed cloud applications is a much different challenge than securing the corporate network. Successful organizations will focus on putting controls directly on the data, wherever it may live. Since our users and data live outside the firewall now, we can no longer build a wall around our network to keep the good people in and the bad people out. 

 

Security magazine: How do you structure an enterprise program for successful SaaS application security?

Soby: With enterprises shifting to a virtual and remote workforce, many are moving their business applications and data to the cloud. As a result, IT staff are tasked with the management and security of multiple SaaS applications and rapidly growing cloud presence. IT staff had to forgo any security benefits they had from network segmentation afforded by traditional office networks and in some cases, start from scratch. In doing so, they are not equipped with tools to scan APIs between applications, automate SaaS configurations, monitor changes to the environment, and assess user access or activity - all key components needed to securely manage and maintain one's SaaS environment. 

The shift to the cloud, unfortunately, has not gone unnoticed by hackers and bad actors. As organizations play catch-up, attackers are shifting their strategy to leverage the lack of SaaS expertise and necessary tooling to monitor and keep attackers at bay. As more and more organizations adopt the virtual workforce model for the long haul, we should expect SaaS to be increasingly targeted by bad actors.

At most companies, their top 10 to 15 SaaS applications represent 80 to 90 percent of their risk. While SaaS application usage typically has a long tail with dozens or hundreds in use at medium or large sized companies, the risk of the 25th most important application is an order of magnitude less than the 5th most important application. 

The key to securing these applications is depth of visibility and security insight. For larger applications such as Salesforce and ServiceNow, the security team’s counterparts in IT have gone through months or years of training and often specialize and make careers out of operating a single product. Security teams, on the other hand, seldom have that opportunity and are usually accountable for the security of 5 or 10 large applications without the benefit of that training. The key for these teams is to leverage management platforms that incorporate that expertise and allow them to leverage that embedded knowledge without forcing them to become experts in each system. Additionally, effective security management of these systems (as would be recommended by the internal security teams of any of the vendors) necessarily blends configuration analysis, posture analysis, and monitoring. A program incorporating only one or two of these areas will always have major gaps that create unmitigated risks.

 

Security magazine: What are some important considerations when choosing SaaS application security vendors and tools? 

Soby: Some organizations are trying to maximize their existing security investments to secure the growing dependence on SaaS. However, this approach is yielding limited returns. Although you gain the benefit of familiar technology and existing policies, you also bring the reactive nature of these solutions and architecture not well-suited to maximize the benefit of cloud services. Organizations should look to upgrade to a new and modern breed of solutions, such as SaaS Security Posture Management (SSPM), which are designed for the cloud and offer a proactive approach to security. I expect the new breed of solutions to gain even greater traction in 2021 as organizations continue to transform at an accelerated rate.

KEYWORDS: cyber security, enterprise security, risk management, software as a service

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.
