Livestream at RSAC 2024 with Charrah Hardamon, Head of Marketing, Riscosity
At Bishop Fox's second-annual livestream from the 2024 RSA Conference in San Francisco, we interviewed special guest Charrah Hardamon, Head of Marketing at Riscosity. In this discussion, we'll dive into the complexities of SaaS, AI integration, and effective vendor partnerships.
Transcript
Matt Twells: Hi, welcome back. Matthew Twells, senior solutions architect, Bishop Fox, talking to a good friend of mine, Charrah Hardamon. She's head of marketing at one of our partners here at Bishop Fox, Riscosity. She's a fellow economics grad. So, the people who didn't want to be business majors but still wanted to do a bit of math, but not too scary a degree. She has extensive experience in product marketing. Tell us a bit about yourself. How's your week at RSA been? The chaos of San Francisco?
Charrah Hardamon: The chaos has been very exciting. A lot of cool companies have been showing up, really putting their best foot forward. It's been interesting to see what everyone's focusing on in 2024 from a CISO perspective, as well as a business perspective, like where companies are investing their resources, what features they want to build, and what they want to sunset. It's been a research time for a marketer.
Matt Twells: And the most important question: How is the swag haul?
Charrah Hardamon: I don't want to show my bag, but the swag hauls have been intense. People have definitely been upping their game. We won't name any vendors specifically, but there have been shoes, hats, even new phones. I'm just coming to re-up my items every year. It's kind of a thing.
Matt Twells: Well, I was going to be a bit of a downgrade from people giving out phones, but it's more reliable. Exactly. We've talked a lot before because we worked together as part of that partnership program. A lot of it comes down to having one company and taking a service from another. That's how you get operations going, make money, and keep the lights on. Data goes back and forth. Eventually, when you've built a whole company that way, like you said about SaaS programs, and RSA is a forest of SaaS. When you have dozens, sometimes hundreds of these things, where do you get security involved? It's easy beforehand to put a tool to model your stuff. I'm interested, as someone who works in this space, what you think about getting involved with other third parties?
Charrah Hardamon: That's a really interesting question. It's something our company is trying to answer because it's evolving. Security has to be involved every step of the way. You're lucky if you get to start ground up. Many security leaders come in when things are already in place. They need to start from a middle ground. As the industry moves towards faster innovation and development, companies need to move faster. Customers say, "I spoke to X company and they do this more than you," so companies start to allocate resources to build faster. Often, without those resources, they use tools. Companies need to make onboarding easy, like linking a Google account to use Copilot or check code.
When it comes to security, if you have this type of ecosystem, you need visibility at scale and holistically. If my teams are using SaaS products, how do I get a full list I can be confident about? What does our shadow IT landscape look like? How can we trim it down based on what we're not using? With hundreds of vendors, the need is probably very low. How can we get back to using the tools we need versus the ones we thought we needed but never off-boarded? Off-boarding is where it gets really sticky.
Matt Twells: I always make the joke that if you mess up AI for API, you might end up with venture capital by accident. It's the word of the conference. How do you think AI will change what you do and strategy in general? Is it feeding into your product plans? Are customers talking about it more?
Charrah Hardamon: It's definitely being used from a verbiage perspective, but the concepts and risks are the same. Putting sensitive information into ChatGPT is the same as doing it in Stack Overflow. The risks are higher because of how fast it moves and is distributed. Our core goal is to provide visibility so companies can confidently say, "This is the list of vendors we have." If my team needs to experiment with AI, how can I ensure they're not accidentally leaking secrets or putting data in the wrong places? The only thing that makes these tools scary is that once data is out there, it's out there. It comes back to data governance, which is where Riscosity sits. We see a lot of conversations where people say they need AI security, but it's really about data governance and security. You need to know what you have in your infrastructure and provide guardrails to prevent data from leaving your infrastructure and going to the wrong endpoint.
Matt Twells: I saw a job listing for ChatGPT or OpenAI enterprise, and thought maybe the answer is going back to basics. You have the same kind of API integration you manage at scale already. Treating it like any other app might be the secret. What's going in? Are we trusting what comes out? Where's the data going? It's similar to firewall data.
Charrah Hardamon: Exactly. Make sure you're doing risk assessments, vendor overviews, and understanding security posture before sending data. If you're using a new tool, test it out. Security isn't new, and the philosophical approach is that there is no one-size-fits-all. It's a continuously evolving landscape. The approach is foundational but tailored to what works for your company. The bigger question isn't what risk AI introduces, but what risk the company is willing to accept. Enterprises have a lower risk tolerance than smaller companies. Treat AI like another tool, do the steps you're confident with, and figure out what to introduce for your specific business.
Matt Twells: Absolutely. Thinking about third parties in general, it's all about people skills, collaboration. Sometimes it can feel adversarial. What's your take on it?
Charrah Hardamon: I see vendor partnerships as the company's responsibility to implement the tool. It's about teaching them what you need. Going into a vendor partnership expecting it to always be 50-50 isn't realistic. Understand the type of partnership, tool, and company. Larger companies have resources to onboard you, while SMBs may not. Maintaining a collaborative relationship means outlining what you need from vendors, running risk assessments, and setting expectations. Know your SLAs and communication protocols. Approach onboarding a vendor as being responsible for your data. Set guardrails before partnerships to avoid a jaded mindset. Understand what you need and be proactive.
Matt Twells: Knowing where you want to end up before you start is key.
Charrah Hardamon: Exactly. Have internal conversations with your team about what you need from a tool. Be realistic about what you can expect from different vendors. Can a small startup meet your security requirements? If not, are you prepared to accept that?
Matt Twells: It's about finding out early, not too late. How do you get alerted when a new vendor enters your ecosystem? Ask vendors specific questions and work as a team to close gaps. Due diligence is important. Can I see the information? Do I trust it? If you get all three, you're 90% there. Trusting small or large vendors puts you in a position to manage risk.
Charrah Hardamon: Exactly. Tailor controls to your company. Larger companies can put barriers in place, while smaller ones need to be more flexible. Protect your business with simple toggles on the back end.
Matt Twells: Thank you for your time today. Enjoy the rest of the week in San Francisco. This was super interesting, a pet interest of both of us. It's been a pleasure.
Charrah Hardamon: It's always a pleasure having these conversations with you.
Matt Twells: Thank you very much.