CSK Enables Secure AI Usage, with Reco
Cole, Scott & Kissane (PA) is the largest law firm in the state of Florida. We are incredibly technology forward: we embrace automation, AI, and SaaS because we believe technology allows us to provide the best services to our clients.
As the CIO, it’s my job to oversee technology usage across the organization to ensure it supports the business operationally, as well as from a security and regulatory perspective.
When it comes to technology usage, my philosophy is: the answer is never “no”. The answer is always, “yes – but we need to follow policies to ensure we’re being safe.” Legal data is highly confidential. We follow HIPAA rules because we deal with insurance claims and patient information. Nothing would devastate our reputation as a trusted legal partner faster than client data leaking onto the public internet. That's why our cybersecurity strategy is critical. It’s a balancing act: how do I enable technology use that empower users, while also ensuring the lowest possible risk to the business?
In the Beginning: Before Reco
A few years ago, we felt like we had a handle on our SaaS usage at CSK. But in the world of technology, things change very quickly. We started to realize our SaaS environment was getting away from us, driven by the inflection of a sudden, new technology trend: GenAI.
GenAI Explosion
First ChatGPT came out. Then Claude, then Microsoft Copilot, then Gemini. When there were only one or two apps we thought we could block them. But as GenAI radically transformed the business world promising productivity gains, task automation, and more, we knew it was something we had to embrace. We just needed to be able to monitor its usage and enforce policies.
Data Sprawl
When you put information into these AI tools, that information is gone for good. There’s no getting it back. Now, that AI model is at risk of leaking your business data to an unauthorized person, or even to a backend system that’s now at risk of leaking your information to an unauthorized person… It really is a cascading waterfall effect! We needed to be able to track AI usage so we could keep sensitive data out of AI models and actively direct employees toward safer AI usage.
Tool Complexity
Reco was our third try at a solution to help us deal with shadow AI and shadow SaaS as a whole. The third time was the charm for us! The other two tools didn’t fit the bill because they were too complicated to set up and maintain. We had to deploy and manage virtual machines in our environment in order to access the data. It took several days, as well as exhaustive engineering cycles, to integrate new apps – a huge blocker for scaling the solutions.
Enter Reco: SaaS Security Bliss
Reco was incredibly simple and easy to get up and running. It lit up like a pinball machine within hours! Here are the main reasons Reco is the right solution for CSK:
- Ease of deployment: Reco’s API-based, agentless approach allows us to integrate new apps in minutes without the need for manual work.
- Ease of use: Reco is incredibly user-friendly. It does a great job of saying, “Here are the issues, here’s why they’re important, and here’s what you need to do to fix them.” It gives this to you in plain English. It’s something I could confidently pass off to a junior Security Analyst and trust that they’re set up for success.
- Out-the-box support for all our apps: Reco supports more apps than any other provider in the space. It can support all our application needs in the present, and we know that it will be able to support us in the future as our needs grow and change.
The Benefits of Reco
CSK has focused on three primary use cases with Reco:
Here’s an overview of the results we’ve seen with Reco.
Enabling Secure AI Usage
Every day there’s a new AI tool out there. Tomorrow there will be another one. We just need to know what’s being used and how, so we can monitor them, and Reco allows us to do that.
The Data Exposure Module is a big value add. We can discover all publicly accessible links and adjust permissions, ensuring that data is not ingested and leaked by AI tools.
We actually use Reco in conjunction with our Zscaler data protection tool for complete data visibility across our SaaS applications. Reco tells us when someone is uploading a file in our SaaS environment, and then we can use Zscaler to understand what’s actually in that file. Is it PII or is the file benign? Those two tools are our “one-two punch” for managing our sensitive data exposure across AI and SaaS tools.
Improved SaaS Security Posture
We’ve been able to improve our posture score in Reco from 45% to 75% in six months by making small changes regularly. How did we do it? You can check out the blog from my counterpart, Jen Langford, to learn more about our tactics.
What I will say about posture is that you should never rely solely on human expertise for configuring your SaaS apps correctly. There are too many different settings that you don’t even think about that could have an impact on data leaking. Plus, SaaS apps are always changing and being updated. Reco points out things that we would’ve never even thought of that can help us reduce our risk.
Reduced Attack Surface
A wise person once said, “identities are the new perimeter.” Hackers don’t have to burn a zero day when they can walk through the front door. Reco points out potentially exploitable vulnerabilities from an identities perspective and helps us pull back. For example, guest accounts should not be able to access Microsoft Copilot. That’s too big a risk. And we should not have external admin accounts tied to Salesforce. These are risks that, in the absence of a tool like Reco, might float around unnoticed for a while.
Enabling Secure AI Innovation with Reco
We are a very creative organization in terms of finding technology solutions to solve problems. We just have to wrap our embrace of technology in careful monitoring and guardrails. That’s what Reco allows us to do.
I recommend Reco to anyone looking for a holistic solution for SaaS security. The customer success team is truly a partner in our journey and the tool is lightweight and user-friendly, providing quick time to value.
You can read my full customer story here. Or connect with me on LinkedIn if there’s anything I can help you with.
Jason Thomas
%201.svg)
ABOUT THE AUTHOR
As the Chief Information and Security Officer of Cole, Scott & Kissane, Jason brings over nine years of leadership experience in overseeing the firm’s information security and technology strategies. With a career spanning more than 25 years in the technology sector, his expertise extends across a variety of industries, including biotechnology and local government. Throughout his tenure, he has been committed to leveraging cutting-edge Artificial Intelligence (AI) solutions to streamline administrative tasks, significantly reducing the operational burden and enhancing efficiency within organizations.
As the Chief Information and Security Officer of Cole, Scott & Kissane, Jason brings over nine years of leadership experience in overseeing the firm’s information security and technology strategies. With a career spanning more than 25 years in the technology sector, his expertise extends across a variety of industries, including biotechnology and local government. Throughout his tenure, he has been committed to leveraging cutting-edge Artificial Intelligence (AI) solutions to streamline administrative tasks, significantly reducing the operational burden and enhancing efficiency within organizations.
