Our customers are at the core of everything we do at JupiterOne. And every security strategy and journey is different for every customer. JupiterOne is starting a monthly customer spotlight series to highlight passionate JupiterOne champions and leaders to share their security journey with the broader community.
This month, we are proud to share Esper's security strategies with the community. We sat down with one of our JupiterOne champions, Jasmine Henry, Director of Cybersecurity at Esper. Jasmine shared her story as an emerging security leader and lessons learned in her security and compliance journey. This conversation covers everything from why CISOs are customer-facing, how to scale compliance with a distributed security team, and how a company can achieve multi-cloud security.
Should CISOs be a customer-facing role?
I believe that the CISO's role is to communicate the company's security posture to customers and regulators. Of course, engaging directly with customers isn't the CISO's only responsibility, not by far, and it's not absolutely the case if a company has a Business Information Security Officer (BISO) or Chief Trust Officer. But, I believe every organization benefits from creating direct lines of communication between security and customers.
The customers benefit because having conversations directly with a CISO fosters greater trust in the brand and a better understanding of the company's security posture. These benefits sales, who can appreciate a greater velocity in the sales cycle since customers trust the vendor. And, CISOs at agile, product-driven companies really win since they're getting first-hand exposure to customer use cases.
My startup, Esper.io, adopted JupiterOne a year ago to prove our security posture to a prospective customer. We've significantly expanded the number of ways we use JupiterOne since then. I've also become more and more customer-facing in the past year and continue to use JupiterOne to have proactive conversations with customers about Esper's security posture.
Selfishly, being customer-facing allows CISOs to understand and quantify their impact on revenue. Unfortunately, virtually all CISOs are under-resourced and struggling to be perceived as more than a cost center. Being customer-facing and engaging with sales is one way to change the perception of security as more than just a cost center.
When does compliance become a priority for customers? What kind of customers require PCI DSS, SOC 2, or other compliances? And why?
Well, it depends. PCI DSS, SOC 2, and ISO 27001 have always been a major concern for the vendor risk teams at major enterprises. But, compliance is an increasingly prominent focus for companies of all sizes.
Compliance can be a barrier to B2B startups, especially organizations that compete with well-established brands. Landing your first Fortune 500 customer is a significant rite of passage for B2B SaaS companies like Esper, especially if your product impacts customer security. Esper's Android DevOps product secures enormous fleets of mission-critical edge devices - like kiosks and point-of-sale systems. Our customers need and deserve compliance reports as objective proof that Esper is trustworthy.
This past year, there have been some enormous and highly-publicized supply chain breaches with a downstream impact on customers. 64% of businesses have been impacted by a vendor security risk this year, and vendor risk is a top concern for CISOs. So, organizations of all sizes are beginning to take vendor security assessment seriously. I see this as a positive and necessary trend, and I'm glad that Esper can use security audit reports to help foster customer trust.
How long does it typically take for companies to complete the PCI compliance audits?
Unfortunately, true industry-wide studies on the average time-to-compliance for PCI DSS or other are scarce. Still, sources show the average timeline may be between one and two years.
Esper demonstrated PCI DSS compliance with JupiterOne in less than a month. We also completed a PCI DSS SAQ-D audit with a QSA within three months, but that's not a common timeline. To be fair, we had several huge advantages on our side. Our CEO is a former Chief Architect at AWS, so our cloud is outstanding. Plus, we implemented JupiterOne at the very beginning of our compliance journey.
I don't think rising CISOs can avoid being focused on governance, risk, and compliance work. Studies show CISOs pass an average of 3.3 security audits per year - most commonly HIPAA, HITRUST, and PCI DSS. Many CISOs are legitimately struggling to scale their compliance efforts to the cloud. I think it's a challenging ecosystem for all of us, regardless of whether you're passing your first or tenth audi cycle, and that cloud automation solutions like JupiterOne are mandatory.
Data is everywhere and navigating changing privacy laws like GDPR can be difficult. How has JupiterOne helped your team when working with international or European-based clients?
JupiterOne creates amazing visibility into your GDPR posture. For example,the GDPR insights dashboard can show exactly where your cloud assets are located. Last week, I used this dashboard to demonstrate our privacy posture to a customer.
The longer, and the more interesting answer is that privacy is quickly becoming a huge concern for organizations worldwide, including companies with no presence in the European Union. The CCPA obviously plays a role and so do the massive GDPR fines that some major organizations have faced recently. But, I think we also live in a world where everyone is conscious of privacy.
I care deeply about privacy, and so do many of my colleagues at Esper, since we're a bunch of Android people. Android engineers have deep open source roots, and privacy is a core value of open source communities. So, I'm biased, but I view privacy trends and legislation as a deeply positive trend. It's forcing deeper collaboration between security and non-engineering functions like sales and marketing. The privacy climate forces boardrooms to have actual conversations about important things like consent and data minimization.
Can you compare and contrast how the DevOps, Cloud and Cybersecurity teams worked together before integrating JupiterOne platform into your workflows?
Security is an independent function at Esper responsible for customer security, GRC, audits, and red team. Our blue team sits under DevOps, which means we've essentially melded SecOps and SRE into DevSecOps - my brilliant coworker Eby Chembola leads a 24/7 team that monitors integrity, availability, and confidentiality. In a cloud-native world, I imagine this type of blue team structure will become less radical.
Esper's Security, DevOps, and Engineering functions are just beginning to tap the surface of what JupiterOne is capable of. We've used it so far for governance, risk, and compliance automation, and cloud asset inventory. In addition, our DevOps team has set up some brilliant alerts for proactive cloud security management with JupiterOne. We're currently digging into ways to use JupiterOne for dynamic data classification and vulnerability management, and there's much more to come.
Does JupiterOne make it easier to be multi-cloud when compared to other options? If so, why is this important for your business?
We're becoming more of a multi-cloud organization, and I know that this trend will continue as Esper wins more and more enterprise customers. JupiterOne will immediately help us scale compliance requirements to different cloud environments and approach cloud compliance as code.
Most organizations are now multi-cloud, so multi-cloud security and compliance has become mandatory. Gaining visibility across multiple environments has usually happened via Security Incident and Event Management System (SIEM). SIEM are critically-important tools, but many vendors are notoriously resource-intensive and expensive.
JupiterOne is not a SIEM, but it's sort of analogous and extremely complimentary to SIEM because JupiterOne creates multi-cloud security and visibility. From a broader perspective, e SIEM are for reactive security and JupiterOne is for proactive cloud security. You need both SIEM and JupiterOne, but I think JupiterOne is the cooler and expansive solution by far.