When Jesse Kriss started as head of security at Watershed, a 200-person climate tech company with multiple office locations and remote employees, he knew he would need immediate visibility into the organization's SaaS footprint.
Past experience as a staff security engineer at Netflix had taught Jesse the importance of looking beyond corporate-managed devices and known asset inventories to understand what SaaS applications are really being used across the organization, as well as which employees and third parties have access to sensitive customer data stored in those applications.
Whereas gaining visibility of engineering systems was straightforward, Jesse knew that getting a handle on Watershed's SaaS footprint would be a more complex challenge. "With web applications, it's kind of impossible to know what's going on. People are purchasing software on their own, and expensing it. There's tons of free stuff. Looking at the officially approved apps or the things that go through SSO is really just a tiny fraction of the story."
Within his first few weeks at Watershed, Jesse deployed Nudge Security to provide immediate visibility of Watershed's entire SaaS attack surface.
"I thought the approach was really clever," Jesse explains. "I'm a big fan of figuring out ways to look at the actual whole picture and not just the things that are easy to measure. Not just what's set up in Okta, what's going through SAML, or what's on the approved vendor list, but what's actually in use. That's the much more important question."
The result was a level of visibility of his organization's SaaS footprint that Jesse says wouldn't have been possible to achieve manually, or with a different product. "Nudge Security is the way to find out what applications your employees are actually using, and that's just not addressed completely by any other solution."
Jesse sees Nudge Security as a critical part of keeping track of his organization's SaaS attack surface on an ongoing basis, providing him with critical information on who has access to what without slowing down the pace of business.
"My first motivation was to know what the current SaaS surface area was. It was a huge benefit to be able to plug in Nudge Security and see what was already in use. That was awesome," says Jesse, adding, "But it's not just about historical discovery. I also wanted to know when people started using new applications without having to implement a heavyweight approval process."
With Nudge Security, Jesse knows any time an employee signs up for a SaaS application the organization hasn't used before, giving him the opportunity to assess new vendors before usage spreads, but without forcing employees to jump through hoops. Nudge Security also gives him security context to help accelerate security reviews for each new application, including compliance certification details, breach history, and third- and fourth-party SaaS attack surface visibility.
Before Nudge Security, Jesse had no way of knowing the implications of a third-party application's security breach on Watershed's supply chain, because he didn't have complete visibility of what was in use and by whom. When news came out about a potentially serious breach, he would have had to choose between ignoring it or sending an alarming message to the entire employee population.
Now, Nudge Security notifies Jesse when a tool his employees are using experiences a security incident. Earlier this year, for example, Nudge Security alerted Jesse to a data breach affecting LastPass, an application that wasn't under official IT governance at Watershed. However, Nudge Security revealed that several employees had created their own accounts for corporate use.
"There was no sign of LastPass use in our organization," Jesse says. "Without Nudge Security, I probably would have just asked in Slack if anyone used LastPass or offered general guidance and left it at that. But instead, I had a solid answer of who was using it at work that was nearly instant and offered high assurance that the list was complete."
With knowledge of the exact employees affected, Jesse was able to intervene quickly in a targeted way that made sense for the business. "It was this great shortcut: I have a tool that can answer this question for me right now, and I can do the thing that makes sense given the actual surface area," he explains.
Using Nudge Security, Jesse has been able to improve the effectiveness of Watershed's offboarding process, extending his ability to find and deprovision accounts that could pose a security risk to the organization.
"Nudge Security is really great at the stuff you don't know you should be looking for," Jesse explains. "It's great for the cases where you don't even have SSO set up and there are five users of a system, but it's critical. Nudge lets you find those accounts and turn them off, even if they aren't on your standard offboarding checklist."
With Nudge Security, Jesse has more confidence that departing employees have been offboarded completely, with no lingering SaaS access or orphaned accounts that could expose corporate data.
At some organizations, security can be perceived as a business blocker or a Big Brother figure. That's not how Jesse wants security to operate at Watershed.
For Jesse, Nudge Security helps Watershed strike the right balance between security, employee productivity, and transparency.
"In startup environments, there's a mentality of, 'do what you need to get your job done,'" he says. "Employee productivity and overall company productivity is a really big question. Clearly we want people to be able to use SaaS products and be able to onboard them quickly and be able to experiment and all of that. If people are using applications for good reasons or it's core to the business, I'm not going to ask them to stop. But, if we can see the SaaS applications that have a lot of unnecessary access and reduce that with little to no impact on productivity, that's really ideal."
That's why Jesse appreciates Nudge Security's approach of engaging employees in this effort. "I like the user-respecting approach of, 'We're not just going to block things. We're not just going to do things invisibly.' We're going to give the information to the people, including the people that the information is about, which I always like," he says. "It definitely fits the ethos of how I want security to run and how I want it to be perceived."
Overall, Nudge Security helps Jesse to reinforce the relationship he wants security to have with the rest of the organization. He explains, "It's important for me that the security team is not 'the scary people who have all the information and who knows what they're even doing?' Tools like Nudge Security that are designed to actually be transparent about what is being collected are really helpful. To me, that is a big piece of building and maintaining trust internally with the security team."