“Privacy is a passion,” says Steve Gentry, Clari’s new Chief Security Officer. So is security, and now revenue operations.
Gentry brings almost 20 years of experience in the tech security realm to Clari. An accomplished presenter who has spoken as a security expert at places like the CIO Forum and with Gartner, Gentry thrives on learning and sharing with others.
“Like many CSOs, I fell into security organically, coming up through the IT ranks until I landed in a role that was all security,” he says.
Here, he shares what he values about Clari, and the future trends he sees when it comes to SaaS and security.
What brings you to Clari?
The executive team. The energy and passion for transforming our customers' revenue operations to be more connected, efficient, and predictable don’t feel just like a mission statement spouted to provide a rallying cry for the masses, but a core belief held closely by everyone on the executive team. The care for the customers was very obvious during our calls. Also, I wanted to be challenged. This job isn’t about copy and paste from my last program. There is a true opportunity to contribute something remarkable here.
What excites you most about being at Clari?
Clari’s culture and potential. Clari takes a holistic view of SaaS software development, meaning each department is important and has a voice in the context of their work. It is exciting to be at the forefront of revenue operations not only because of the potential to impact the lives of our customers, but also because of the way the executive team drives the work through helping others achieve their greatest potential.
What are some of the biggest trends in SaaS security now?
As SaaS applications have come to dominate the marketplace over the last several years, security teams have lost a lot of the visibility they have had from their on-premise solutions. This has driven the importance of third-party risk management reviews and the need for CSOs to be able to effectively articulate how this impacts the enterprise risk profile of the company, particularly to the CFO or general counsel.
Another trend would be the melding of security and privacy controls and responsibilities under the CSO. With the explosion of the number of privacy laws and regulations worldwide and the technical impacts associated with this increase, privacy has moved out of the realm of being primarily legal-driven to requiring legal, privacy, and security teams to tightly coordinate.
Privacy controls are regular topics for SaaS companies as they seek to expand their global footprints. Though we often hear about social media and search engine companies in the news, the data protection authorities have not been ignoring everyone else. They are just getting ramped up and will continue to scrutinize all industries, SaaS in particular.
What are the top security features buyers of SaaS platforms want to look for now?
When scrutinizing a SaaS platform, there are several technical and non-technical controls to consider. Key technical controls that should be in place are access management (least privilege), encryption (at rest and in transit), and data retention.
From a non-technical point of view, I look at:
- External Audits: Compliance does not equal security, but the minimum effort a SaaS company can put forth is to have ISO 27001 and/or SOC 2 Type 2 audits performed annually.
- SAML Integration: The proliferation of MFA and SSO implementations to reduce the number of user-managed passwords while keeping company passwords out of vendor repositories isn't going away for now. Not only should SAML integration be available as part of any paid offering, it should not be an additional cost, and definitely not restricted to the top-tier license category.
- Privacy Acumen: SaaS companies need a resource who can intelligently discuss the measures they are taking to meet regulations that are applicable to your business.
- DR/BCP and Incident Response Plans: There should be documented plans and annual testing of the plans for validity. This provides some peace of mind that in a worst-case scenario, the SaaS vendor has planned for bad things happening and how to quickly respond and secure the system—not thinking about them for the first time in the middle of a crisis.
How has COVID-19 affected the world of security in SaaS?
The role of the CSO has been elevated, as they are driving, or are a major stakeholder in, digital transformation projects related to remote work. This has driven companies to seek out CSOs with strong business acumen, who focus on collaboration. Success in the pandemic era has required better relationships with Chief People Officers, Chief Financial Officers, and Chief Marketing Officers. These relationships allow for more effective communication about cultural impact, market differentiation during times of tighter budgets, and allocation of budget on the most impactful items.
What trends do you see happening in the SaaS security world the next year/five years?
One major shift will be as CSOs continue to behave as someone who drives security within the business framework, not pushing their own agenda above all else. There will be increased opportunities provided in collaborating with the executive teams and board. Security will move out of the world of being second-class citizens.
Another trend that will continue to make gains is automation as a resource. Automation isn't new, but hiring freezes during COVID-19 have forced teams to do more with less. I don’t mean the vendor pipe dream of automation, which is pitched as “set it and forget it,” but the principle of simplifying and automating repetitive manual tasks to free up time for the team to address higher risk items.
What are some tips you have for sales teams working with their colleagues in security?
Security Reviews: Collaborate with your security team to make sure everything is in order when it comes to the inevitable security review. Share with security the common talking points and concerns that come up during customer interactions. This will assist in the prioritization of customer-facing assets to help reduce the security review portion of the sales cycle.
Selling Motion: If the CSO is part of the purchase decision-making, spend time with your CSO to understand what is important to them. What is it they look for when purchasing a product? What are our pet peeves when being contacted or sold to?
Leverage Resources: Many CSOs are part of larger security executive groups where we share knowledge, from sales experiences to bad vendor interactions. A key to success in any position is using all available resources to develop a deeper understanding of your industry.