
Closing the Adoption Gap: CSK's Framework for SaaS Security Success

Jennifer Langford
Updated
March 24, 2025
March 25, 2025
5 minutes

I'm thrilled to introduce Jen, who joined CSK as their first Security Analyst about a year ago. When Jen came aboard, CSK had just made their first meaningful investment in SaaS security with the Reco platform to gain visibility into misconfigurations across their SaaS applications, particularly ServiceNow, and to establish a systematic approach to clean up and manage risks.

What Jen quickly discovered is that SaaS security presents unique challenges compared to other security domains. Its ownership is fragmented across multiple departments and platforms – the ServiceNow Admin might sit in IT while the Salesforce Admin might be in Sales or Operations. These app administrators, while experts in their platforms, aren't necessarily security specialists and are primarily focused on their departmental objectives.

The challenge Jen faced was significant: 

  • How to improve CSK's security posture across numerous SaaS applications owned by different departments when none of these stakeholders reported to her? 
  • How to make security a priority for teams with different goals and incentives?

I'm excited to share that through persistence and strategic thinking, Jen has successfully improved CSK's security posture score from 45% to an impressive 75%. She's managed to integrate SaaS security into daily and weekly workflows and, more importantly, into CSK's organizational culture.

Jen has documented her journey and the effective strategies she implemented in a blog that I encourage everyone to read. Her insights and practical tips can help organizations make lasting security improvements across their SaaS environments.

Jairo Gomez Tellez, Head of Customer Success, Reco

5 Tips for Getting App Owners to Embrace SaaS Security

When it comes to SaaS security, traditional approaches to improving security, like reviewing controls and assigning remediation tasks, can create friction rather than forward momentum if not handled carefully. In part, this stems from the fact that these approaches feel more like audits. When app owners feel they're being audited, defensive barriers go up, and progress slows to a crawl. 

Instead, you need a collaborative approach that reaches across different teams. App owners should feel like allies with a shared objective, rather than adversaries with conflicting goals. Nobody wants more tasks showing up in their ServiceNow dashboard coming out of left field – especially when these tasks may be unrelated to their KPIs, come from someone who they don’t report to, and feel like a disruption. So it's your job to adjust your approach to turn resistance into receptivity.

What follows are the practical strategies I used to turn SaaS security from yet another burdening set of “to-do list” tasks into a catalyst for wider cultural changes, and how I used Reco to help. Here are five tips for driving SaaS security change at your organization.

Tip 1 - Create a Committee

One of the first and most powerful steps I took was to set up weekly security calls with key stakeholders, including our CIO and senior system administrator. In them, we use the Reco dashboard to review issues, prioritize fixes, and generate tickets to make sure work is delegated and completed.

Candidly, if I could start over again, this would be something I would have done right away. The regular cadence created momentum that simply wasn't there before. It kept the initiative top of mind, no matter how busy we all got.

By basing security on regular team reviews instead of the occasional frantic audit, we created an environment where substantial improvements became possible through gradual increments. 

Tip 2 - Sync Regularly with Core App Owners

For us, ServiceNow is a critical app, so I meet with the ServiceNow admin on a weekly basis. I initially framed this as an opportunity for him to be a leader and to drive cross-functional impact. That got him excited about the initiative.

We broke it up and decided we would pick three Reco alerts per week to remediate. Every week at our meeting, we discuss the latest progress, check in to see if he needs any help, and pick the next three we are going to work on for the week. We talk about the alerts and their broader organizational impact, which helps reiterate that the work he is doing is important. Lastly, I point to measurable success metrics, like the improvement in our posture score or the decreasing number of alerts, and give him kudos for his work.

Tip 3 - Use the Platform to Build Credibility (Not Assign Blame)

When I embarked on this journey, I quickly realized that how I approached application owners mattered at least as much as what I was asking them to fix. As someone new to the organization working with people who didn't report to me, it was important for me to build credibility without creating friction.

Reco has been invaluable in this respect. With it, I can show app owners hard data backed by third-party expertise, allowing me to say, 'We need to pay attention to this, and here’s why' with confidence. 

This means the focus has subtly shifted from "You're doing this wrong" to "Here are some ways we can improve together." This might be one of those “soft factors” that aren’t captured well by metrics, but trust me: it matters.

Tip 4 - Start with Critical Vulnerabilities for Quick Wins

Looking back, another important piece of the puzzle was prioritizing anything that we knew would give us a big up-front impact. This meant we could knock out quick wins in succession.

Addressing high-severity issues first meant not only an improvement in our posture score, it also energized the entire team. Once people saw that progress was possible and relatively straightforward, it wasn’t hard at all to garner enthusiasm for tackling the medium and lower-priority items too.

Tip 5 - Create Structured Accountability with Ticketing

Once we’d built momentum and were really marching on, I wanted to make sure nothing fell through the cracks. For that reason, I integrated Reco into our existing workflows by leveraging its ticketing system. When we identify issues during our weekly reviews, I can assign tickets directly from the Reco dashboard into ServiceNow. This creates clear ownership and ensures the tasks populate within existing workflows and dashboards.

How Reco Supported My Success

When I joined CSK, I knew I needed to leverage Reco to build a program. I’ve already outlined the concrete steps I used to do that, but here are some additional thoughts on specific ways Reco helped with my success.

  • Providing essential visibility into our SaaS environment - Reco unified all our SaaS applications into a single dashboard, giving me comprehensive visibility I couldn't get anywhere else.
  • Creating a collaborative security culture - Instead of creating tension with interactions that seemed more like an audit, Reco fostered a collaborative environment where everyone could learn as a team.
  • Making implementation and integration surprisingly easy - Setting up Reco was remarkably straightforward, with excellent documentation that allowed us to integrate nearly two dozen applications in just about three hours total.
  • Weekly syncs with Customer Success - Customer Success worked closely with me to ensure I was being successful with the platform, share best practices, offer solutions to overcome barriers, and keep me honest the whole way through.
  • Empowering me to drive organization-wide change - By providing recommendations backed by world-class expertise, Reco gave me the facts I needed to persuade departments that don't report to me.

Conclusion

Tools alone are not enough to improve your SaaS security posture; you also need a thoughtful approach to making sure such tools form the basis of changes to team behavior. In my case, Reco was the foundation, and the processes laid out in this blog helped me activate the program and drive lasting change.

Remember: though our work focuses on technology, security transformation is ultimately about people; when you get the human element right, the rest follows naturally.

To learn more about how Reco can help you improve security across your SaaS ecosystem, schedule a demo or reach out to info@reco.ai.

Jennifer Langford

ABOUT THE AUTHOR

Jennifer Langford is the Lead Information Security and Compliance Analyst at Cole, Scott & Kissane, P.A., Florida's largest law firm. She earned a Bachelor of Science in Cybersecurity and is currently pursuing an MBA with a specialization in Cybersecurity at Champlain College.

Technical Review by:
Gal Nakash
Technical Review by:
Jennifer Langford
