Ran Senderovitz, COO at Wing Security, brings a wealth of experience to his role, with a professional journey that spans childhood coding on punch card computers to leading business units at Texas Instruments and managing Intel’s development centers in Israel and the United States. In an interview with SafetyDetectives, Senderovitz discusses his transition to Wing Security, founded by individuals he admired from his time in the military, namely Noam Shaar and Galit Lubetzky Sharon. Wing Security’s core mission is to enhance SaaS security posture for businesses of all sizes by building a comprehensive SaaS reputation database and offering SSPM solutions that automate workflows, ensuring efficient and secure SaaS usage. The interview delves into the importance of Essential SaaS Security Posture Management (SSPM), the role of AI in transforming the SSPM landscape, and the challenges companies face in managing SaaS security in today’s dynamic environment. Wing Security’s approach emphasizes automation, scalability, and a collaborative model to address the complexities of SaaS security effectively.
Can you share your professional journey and what led you to your role as COO at Wing Security?
My professional journey began in childhood, writing Fortran on punch card computers and hacking Commodore PC games. After graduating in electrical engineering, I joined Israel’s intelligence forces, laying the groundwork for my expertise in security. On September 9, 1999, I transitioned from a major in the military to the tech industry, joining a startup developing broadband modems that was later acquired by Texas Instruments. This period marked our contribution to transforming global digital infrastructure, making communication a ubiquitous utility. At Texas Instruments, I eventually led the business unit, overseeing its divestiture and integration into Intel and spearheading Intel’s Service Provider Division.
My career then took me to managing Intel’s development centers in Israel, focusing on personal computing SoCs, communications, security and AI. This led to a move to the United States where I directed product management and marketing for Intel’s mobile CPUs during COVID and where mobile PCs transformed the way businesses work remotely.
After witnessing the transformation from a small startup to one of the largest technology businesses, I felt it was time to reconnect with people I admired from my time in the army: Noam Shaar and Galit Lubetzky Sharon, the founders of Wing Security. I aim to bring my business and operations scaling expertise to help grow another enterprise, one that could revolutionize the security of business from any obvious and under-protected vulnerabilities.
What is the core mission of Wing Security, and what sets your SSPM solutions apart in the market?
SaaS usage without proper security is no longer viable! Surprisingly, despite widespread SaaS adoption, security risks remain largely unaddressed.
Realizing the complexity of this dynamic risk landscape, we focus on enabling every business, regardless of size or budget, to use SaaS services more safely and effortlessly. Our mission centers on improving SaaS security posture for all. Our strategy involves building the largest SaaS reputation database and analyzing over 300,000 applications for risks, compliance and security events. Our Free and Essential product tiers, used by hundreds of companies, not only offer risk insights but also gather collective knowledge on SaaS applications. This information is crowdsourced and enables us to automate SaaS management uniquely, catering to those needing advanced security. This approach fosters a hard-to-replicate community dedicated to SaaS safety.
We also pride our solution on helping CISOs with automated flows – requiring intervention only in defining policies and critical decisions. We don’t aim to create more events and action items. Rather, our focus is on automating actionable workflows, enabling CISOs to manage these without increasing the workforce or adding to their already extensive to-do list.
Lastly, we appreciate that every employee in the organization can onboard a SaaS service. This is why we collaborate with the organization and not only police it. We enable security teams to directly communicate with the SaaS user and/or owner within our solution.
Could you explain what constitutes Essential SaaS Security Posture Management (SSPM) and its importance for organizations?
It is essential to onboard SaaS services, in the same way you onboard a contractor to your organization. Yet in the SaaS case, it can be done rather automatically and simply.
Consider SaaS onboarding like hiring a subcontractor. You wouldn’t hire a contractor without a background check or grant them access to unrelated sensitive data, would you? However, this scenario occurs regularly when employees sign up for SaaS services, often unknowingly exposing their company to risks.
Practically all organizations not using SSPM-like solutions are unaware of the SaaS services they use. Typically, 80% of these services are employed by individual employees or small groups. These services are often interlinked in connections that are not trivially visible to anyone in the organization. Essential SSPM is made of three fundamental and necessary steps:
- Discover: The first step is identifying your SaaS supply chain; you can’t protect what you don’t know exists.
- Third-Party Risk Management (TPRM): The next crucial step is vetting these services for trustworthiness and conducting a security review – a fundamental practice.
- Access Review: Moreover, monitoring access to these SaaS services and understanding permissions within key systems is crucial. This step is essential not only for controlling and minimizing data exposure but also for ensuring robust security measures.
For good reason, these three steps are also essential for compliance with security frameworks like ISO27001 or SOC2.
Wing’s Free tier helps discover hundreds of SaaS applications, eliminating Shadow SaaS. Our Essential tier reveals all interconnected apps and, leveraging our company’s unique and largest SaaS application reputation database, provides automatic risk scoring as well as accessible tools for access review. This process is based on the three steps mentioned above. We priced this in a way that makes it affordable for any organization. Frankly, in my mind, we took the cost argument out of the equation. Every organization should meet this Essential security level. It is simple.
How is AI transforming the SSPM landscape, and what role does it play in Wing Security’s solutions?
In the realm of SaaS security, AI-based applications introduce significant complexities and increased risk of knowledge leaks, on top of the usual SaaS risks and data leaks. Companies must urgently safeguard against these knowledge leaks early because sharing expertise with AI-based SaaS might inadvertently allow these services to learn and disseminate your secrets.
Similar to my contractor analogy, these AI tools not only provide services but they may also learn from your business knowledge, potentially taking away crucial practices and intellectual property and commoditizing them. Similar to residual knowledge concerns in subcontracting, companies establish explicit contracts and guidelines on utilizing acquired knowledge after a contractor’s departure and their potential engagement with competitors. This organization’s risk understanding and sharing process is distributed, and using systems like Wing implements that automatically and simply.
Additionally, the appeal of AI apps to both employers and employees for efficiency and productivity leads to hasty adoption without proper vetting and authorization. Given there is no single curated marketplace for SaaS, we see so many organizations making mistakes in app selection. Many of them sign on to low-security applications or applications that are not authentic. Regardless of whether employees are using organizational Single Sign-On (SSO) or personal credentials, we ensure they only use authentic applications with the right risk profile for their business needs.
What are the insider risks associated with employee offboarding?
Employees leaving a company may want to keep access to its resources for their personal benefit, or even, at times, retaliate. Offboarding them from your interconnected SaaS platform should be taken seriously.
Employee offboarding presents a significant yet challenging task. Revoking access from applications linked to the organization’s Access Management (AM) systems may be straightforward, but complications arise when employees use interconnected applications. Offboarding aims to cut off access to all organizational assets.
Job changes within a company also pose similar risks if former access rights remain. Monitoring SaaS tools ensures employees only access necessary data and systems at any given moment.
Additionally, we observe unusual SaaS activities like data downloads to personal devices or file uploads to external platforms during the pre-offboarding phases. This highlights security gaps that we can and should prevent in real time.
What are the biggest challenges companies face in SaaS security posture management today?
The primary challenge with SaaS is its dynamism. With over 300,000 apps and widespread security incidents, organizations struggle with complexity. Many ignore the issue rather than confront it. Another hurdle is the decentralized nature of SaaS onboarding, exacerbated by employees and managers alike. Strict policies fail as employees find workarounds. Effective solutions necessitate automated monitoring and employee collaboration. Establishing these ‘trust and verify’ processes within the organization, as well as defining risk-sharing with the business units, can pose challenges.
After studying hundreds of mid-market companies, it’s clear that SaaS management tools must be tailored. At Wing, we focus on scalable systems that adapt to budget and security maturity, heavily relying on automation. As COO, I assess our success by two KPIs: the time security staff spend interacting with our system and our customer retention rate. Our data shows a strong correlation between our automation usage, minimal system interaction (less than 5 hours a month) and high retention and satisfaction rate, underscoring the value we deliver and our commitment to continuous improvement.