Editor’s note: The ecosystem of information technology is constantly evolving. There will always be bad actors, so it’s crucial for organizations to know that the data they entrust to software as a service (SaaS) platforms is protected. In this article, Chris Peake, VP of Information Security (CISO) at Smartsheet, shares why transparency around security practices is crucial to building and maintaining trust with customers who need enterprise-grade platforms to manage their work.
After I graduated college in 1997, I started working as a medical mission coordinator at Operation Smile, the nonprofit organization that facilitates cleft-lip and cleft-palate surgeries all over the world. Since most nonprofits don’t have big budgets, my side job there was IT-focused. I built databases, maintained systems, and trained staff on how to use all of the above.
I helped implement some of Operation Smile’s first telemedicine events to connect doctors across various countries for consultations and live surgery. These events were demonstrations of the awesome power of technology and, upon reflection, how critical it is for security professionals to protect the people using it — especially data that is personal or confidential.
Throughout my career, one thing has been crystal clear: Security leaders and their teams must commit themselves to an excellent customer experience. And this customer-centric point of view needs to be driven by a commitment to data privacy, earning and maintaining people’s trust, transparency around security testing, and contributing to the broader information security community.
The evolution of data protection
Over years of research and on-the-job experience, I’ve learned that you can’t earn trust without transparency when you’re handling customer data. For example, prior to the popularization of online banking in the mid-1990s, a lot of people were dubious about shifting away from traditional banking. In the past, you’d just go to your local branch in person, fill out a deposit slip, transact with a bank teller or at an ATM, and then carry on with your day.
To prepare people for the online alternative, banks needed to assure (and reassure) customers that their transactions were safe, secure, and easy to track from their home computer. Likewise, when you adopt a SaaS platform, you hand over a significant share of the responsibility for the system and its data to the provider.
Enterprise-level organizations that use a platform to manage work need to know that they can trust their provider to protect their data. And for us as security professionals, protection also means not looking at the specifics of the data customers add to our SaaS platforms.
Earning and maintaining customer trust
At Smartsheet, we're dedicated to earning and maintaining our customers' trust. As part of that ongoing commitment, we will continue to evolve our enterprise-grade security program. We'll meet or exceed enterprise security standards to ensure that Smartsheet is "turn-key" for data security, privacy, and governance.
Our long-term goal is to unleash the potential of Smartsheet by enabling customers to work with data of varying sensitivity while having the confidence that the data is protected in every way it needs to be.
Making compliance certifications, privacy and security information, and similar material available on your corporate website is a great entry point, but it’s table stakes. That’s why we built the Smartsheet Trust Center.
However, when I or someone from my team of security experts speaks with customers directly, we can go into more detail about their company’s standard processes and operating procedures, the controls they have or don’t have in place, and be candid about the use cases that are and aren’t appropriate for our service — from an information security perspective. In my experience, this level of candor helps build mutual trust with our customers — which is the foundation of a lasting partnership.
The second thing that builds trust is to remind people that we have a never-ending commitment to improve our security program. In my opinion, the whole point of a maturity journey is that there’s never a finish line. You’re always evolving to match the ever-changing landscape of security threats. My team is always innovating on ways to improve the product and security controls while leveraging cutting-edge technology that will continue to make the Smartsheet platform secure.
Transparency around security testing
Transparency is a two-way street; we want to keep having conversations with customers to understand their requirements and needs, take those to heart, and do something about them. They trust that their data is secure in our platform, and that we cannot and will not share their data or information.
When I used to give talks for security professionals, I’d ask them to raise their hand if they use a cloud-based service. Pretty much everyone raised their hand. Next, I’d ask if they trust that service, and almost everyone lowered their hand. From there, it became clear to me that security professionals need to know why they trust or don’t trust a service provider.
The Smartsheet application environment is in a state of constant improvement, so we continually conduct iterative yet comprehensive security tests at all levels: hardware, network, individual system, service, and application. This is mandatory for any high-integrity company that provides an enterprise-grade SaaS platform.
At the application level, we regularly complete both internal and external penetration tests. We also conduct code reviews as part of our development process, with active scanning checks before any code is deployed.
Next, we conduct peer reviews and participate in a bug bounty program, where we allow third-party researchers to look at our environments and report bugs. We remediate any bugs or vulnerabilities that are uncovered as part of these processes. From a security perspective, we consider multiple directions that an attack might come from to make sure we’re always prepared.
Contributing to the information security community
Information technology is an ecosystem. Cloud computing, on-premises data centers, networking, phone systems, digital systems — these days, everything is linked.
As such, at Smartsheet, we intentionally partner with organizations and other SaaS providers to work on common challenges we all face. From a product standpoint, we partner with other enterprise-grade software offerings, such as Salesforce and Google. These companies have done their due diligence to make sure their platforms are, to the best of their knowledge, protected.
As a leader in the collaborative work management (CWM) space, Smartsheet also plugs into the information security community at large. In 2018, Smartsheet joined the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) because it’s essential to listen to and work with our peers to create industry standards and documentation and to provide guidance.
But it goes beyond this aspect, as organizations of all sizes in every industry use Smartsheet every day. We have a unique opportunity to listen to our customers across all industries, truly understand the security and data privacy challenges they face, and offer other SaaS providers advice in this arena. This level of knowledge sharing and alignment around best practices benefits all of our customers.
By participating in groups like M3AAWG, we can also help guide the next generation of technologists and startups that are already working on their great idea. Since most (but not all!) large organizations are typically less agile, and slower to pivot, adopt, and innovate, it’s important to provide growth-stage companies that want to scale, as well as students, with best practices for security processes and protocols.
Eventually, the next wave of companies will mature and technology-focused students will enter the workforce, and together they will guide our collective future. Security pros have an opportunity to mentor, yes, but also to learn from the next generation about building and maintaining trust with future customers.
To learn more about Smartsheet’s policies for information security, compliance, and data governance and protection, visit our Trust Center.