Video

Technically Speaking, Episode 3: Balancing Innovation With Technology Risks

Published:


Share this video:
Facebook Logo
Twitter Logo
LinkedIn Logo
Share Email Logo

This interview has been edited for clarity.

Asa: 

So Mike, you’ve spent the last five years building Salesloft’s security program and scaling it for a billion-dollar business. What’s the secret sauce? 

Mike: 

I’m so glad you asked that. I can’t wait to tell you all about it…. there isn’t one! And I think any security leader will tell you that. 

There are any number of ways to build a security program. I will say, if there was a secret sauce — if there was one thing that I would tell another security leader who was starting a security program, it’s don’t shy away from involving others. 

Assuming it’s a SaaS business, in order for security teams to really get meaningful work done, they’ve got to have involvement from their product team, engineers, infrastructure team, and legal team. Risks are generally not owned exclusively by the security team. They’re typically owned by whoever owns the technology or process. You’ve got to have good relationships across the business and make sure that the context for why you’re even having these discussions is well understood by the risk owners across the business.

Asa: 

From a CISO’s perspective, what are some of the potential risks to be aware of in general when thinking about sales engagement for their business?  

Mike: 

This is often a conversation that I’ll have with other CISOs where, right away, they want to know about our security program, but they need the context for what the heck is it that we’re trying to buy.

If you’re a CISO watching this, sales engagement is effectively a tool to improve the effectiveness of your sales reps. And it’s a tool that allows your sellers to engage directly with the buyer. So for a sales engagement platform, you think about the risks. Sales engagement platforms are going to have access to your email system in some capacity. They’re generally going to have access to your CRM. Your reps are going to be typically recording phone calls and those calls get transcribed. There’s going to be AI involvement in the platform. 

That’s why we have a security program.

We want to make sure that our customers trust us with the immense amounts of data that we process. Because this is such a critical platform for these companies, they need to also be able to trust that the providers that they’re working with have a security program that aligns with their policies and their risk appetite.

Asa: 

How does Salesloft help organizations comply with their own security policies? 

Mike: 

I think the answer there is twofold. One, it’s our own security program. Our controls. We hold ourselves to a very high standard of risk assessment and  risk identification.

We want to set the example for security and sales engagement. We want to make sure that our controls align with best practices, and that we’re effectively able to defend against cyber threats and ultimately protect our customers.

Two, if you think about our platform, we are constantly thinking about, not just the sellers and what they need, but also the other buyers that we have. The legal teams. The security teams at our customers. We want to make sure that the features, the capabilities that we’re building in the product also serve them. So that means better governance in the platform. It means granular configurability of configurations within the platform. Roles and permissions in the platform. Making sure that, again, we’ve given the customer the ability to set up the platform in a way that aligns with their policies. The way I interpret GDPR, the way I interpret SOC and these other standards, does not always look like how a customer is going to interpret those same standards.

Asa: 

And I would imagine based off of the industry, those standards and guardrails could look dramatically different. 

Mike: 

Absolutely, absolutely. Financial services business and a SaaS business could potentially look very, very different. 

Asa: 

When my AEs are in a deal cycle and a security review comes up, the number one certification that we hear about every single time is SOC 2. Why is it so important, and why does it come up so often?

Mike: 

The easiest way to explain it is the SOC 2 report that it’s an independent assessor’s opinion, but ultimately there are two things that they’re looking at. For the controls that you have in place, do those controls align with the trust services criteria? And then, when the auditors themselves are doing independent testing, were they actually able to verify that over the past 6 months or 12 months, that you did in fact do what you said you did?

It’s  a useful tool in security reviews because it tells you that not only does this company say that they have all these great security controls and they’re protecting your data, and that they’re highly available, but also they’ve had somebody independently verify it. So it’s useful from that perspective.

The one caution that I would give anybody who’s looking to learn about SOC 2 is that it doesn’t make a company secure. One of the requirements in 27001 is that you’ve got this model of continuous risk assessment and improvement. So if you are doing that and doing it well, and not just checking a box for compliance, then you’re going to be on the way to having a really solid program. Because that means that you’re effectively identifying risk. You’re championing risk within the business.

In the first three episodes, join Salesloft security leader Mike Meyer for an inside look at why we keep seeing CISOs in deals, what’s on security’s mind during the sales process, and what’s ahead of data protection.

In Episode 3 of Technically Speaking, sales leader Asa Winchester and security leader Mike Meyer sat down to discuss which security risks to look out for today, the elements of a world-class security program, and what the heck SOC 2 is — all  through the lens of a curious sales professional.

Check out the rest of the series below

Who knew being risk averse would be such a winning quality! We hope you now aren’t afraid to add in other teams to the responsibility of company data security, and that your company has worked out a definition of compliance that works for your security needs, the customers you’re selling to, and your industry. 

If you missed the first two parts of Asa’s and Mike’s interview, check out part 1 on CISOs in buying groups and part 2 on cybersecurity and AI. You can watch more Technically Speaking episodes below or by visiting our Resource Center.