The recent attack on SolarWind's Orion product demonstrated how vital it is for Chief Information Security Officers (CISOs) and their teams manage supply chain risks and understand all the products in their environment and how they are being used. Here we talk to Michael Lines, CISO and Head of Security Product Management at Cleanshelf, about why the IT and information security community should be concerned after the SolarWinds hack. 

Security: What is your background and current responsibilities at Cleanshelf?

Lines: I am an information security and risk executive with a 20-year track record as a CISO for companies ranging from TransUnion to PwC Global, advisory Information Security practice leader, as well as an information security and risk consultant. I write, blog, present, and provide interviews on a wide variety of information security topics, primarily concerning what it takes to develop and run effective information security programs, and why so many companies continue to suffer security breaches due to ineffective programs.

At Cleanshelf, I am the CISO and Head of Security Product Management, helping define and guide the evolution of Cleanshelf’s platform to better meet the needs of the Security/Risk buyer when it comes to Enterprise SaaS Management.

Security: Why should the IT/infosec community be concerned after the SolarWinds hack?

Lines: The most significant issue that the SolarWinds hack highlighted was how pervasive SaaS products are in supporting business operations, not only from the customer-facing perspective but also for internal support, in this case, IT. Every SaaS vendor comes with associated risk as a result of vendor integration into the company’s internal networks and business processes, and the access to data and networks that this integration provides. Without full knowledge of the SaaS vendor’s technology stack, where they are in the company’s environment, or how they are being used, companies are likely to feel double the impact when hacks occur. First from the event itself and how damaging it is, and second from the delayed awareness of the event due to their lack of knowledge of what SaaS vendors they are actually using. 

Security: Why is it vital that CISOs understand all the products in their environment and how they are being used?

Lines: A CISO can’t protect what they don’t know about. With so many SaaS products being accessible with nothing more than a credit card and a browser, employees may be exposing their company’s sensitive IP and regulated data without the knowledge of the CISO. These transactions mean that the vendor has not gone through appropriate risk review, and is not being managed in accordance with the company and CISO’s security policies. In addition, there will often be no contractual protections in place to even notify the company should the SaaS vendor suffer a security incident.

Security: Why are SaaS products in particular a problem?

Lines: SaaS products are easy, cheap and quick to purchase. Employees can and do purchase SaaS products to enhance their productivity, resulting in unintentional consequences far beyond what they could ever have anticipated. This problem is so extreme, for example, that clients often purchase Enterprise SaaS management platforms simply to try and grasp the magnitude of the problem, and are often shocked when they discover hundreds of vendors and millions in SaaS spend that they were not aware of.     

Security: How can CISOs better manage their supplier risks?

Lines: CISOs need to make sure that they have a complete picture of their environment. These days, the data center is dying and the traditional role of Software Asset Management (SAM) is now to monitor and manage fixed IT assets. SaaS is now the latest line item in many company’s IT budgets, if not one of the top 5 for the company over. CISOs should look for Enterprise SaaS Management platforms that provide unparalleled visibility into SaaS usage with unmatched capabilities for CISOs to rationalize, optimize, monitor, manage and secure their portfolio of products and suppliers.