
August 2024 Archives

August 2, 2024

1Password: Without C-Suite Buy-In, Security Is Just Rearranging Deck Chairs

There's a line in Titanic that any IT or security professional can relate to. The ship's architect explains that he wanted to include enough lifeboats for all the passengers, "but it was felt the deck would look too cluttered."

That decision takes on a tragic significance in the second half of Titanic, and yet it's a choice that's replicated (although with less dire consequences) in companies to this day. It's a constant challenge to get leadership to invest in breach prevention; many leaders would prefer to pay for cybersecurity insurance and hope for the best.

Yet, just as the famous shipwrecks of old inspired today's laws about lifeboats, there are signs that the endless parade of data breaches is forcing greater investment in vulnerability management. (To be clear, we're talking about "vulnerability management" in the broadest sense, not just patch management.)

In the past few years, NIST, the SEC, ISO, and the PCI Security Standards Council have all published updated guidance that calls for more proactive vulnerability management. Much of that guidance specifically calls out the role of leadership. The SEC's 2023 cybersecurity disclosure rules, for example, require public companies to describe how management and the board of directors oversee cybersecurity risk, including how vulnerabilities are handled.

This is good news for IT and security teams; in a 2023 survey, 50% of respondents said that their organization’s vulnerability management program had support from leadership to “a large/great extent.” But obviously, that still leaves 50% of respondents out in the cold.

If you're trying to get buy-in at your own organization, come equipped with the facts about the risks you're facing, and come with a clear plan to remediate them. Thankfully there are plenty of resources available to help prioritize your needs. And if you're still not getting through, you're welcome to borrow the Titanic analogy.

To learn more about how vulnerability management is changing, read the full blog post.

August 6, 2024

WorkOS

With WorkOS you can start selling to enterprises with just a few lines of code. It provides a complete User Management solution along with Single Sign-On (SSO), SCIM provisioning, and fine-grained authorization (FGA). The APIs are modular and easy to use, allowing integrations to be completed in minutes instead of months.

Today, some of the fastest growing startups are already powered by WorkOS, including Perplexity, Vercel, and Webflow.

For SaaS apps that care deeply about design and user experience, WorkOS is the perfect fit. From high-quality documentation to self-serve onboarding for your customers, it removes all the unnecessary complexity for your engineering team.

August 17, 2024

WorkOS

With WorkOS you can start selling to enterprises with just a few lines of code. It provides a complete User Management solution along with Single Sign-On (SSO), SCIM provisioning, and fine-grained authorization (FGA). The APIs are modular and easy to use, allowing integrations to be completed in minutes instead of months.

Today, some of the fastest growing startups are already powered by WorkOS, including Perplexity, Vercel, and Webflow.

For SaaS apps that care deeply about design and user experience, WorkOS is the perfect fit. From high-quality documentation to self-serve onboarding for your customers, it removes all the unnecessary complexity for your engineering team.

August 19, 2024

1Password: The Infinite Loop of Security

We recently attended the RSA conference in San Francisco -- security's biggest event of the year -- and we were struck by how infatuated everyone was with the promise of new, shiny solutions to fix new, shiny problems. On some level that's not surprising -- tech is constantly driving toward the future, and security is one of the fastest-moving areas of tech.

But on the other hand, it seems like the security industry is walking away from some of its most foundational problems before they've actually been solved. People would rather talk about AI-powered behavioral analytics that can detect when a worker's mouse is moving strangely than the decidedly un-glamorous work of rolling out patches and managing permissions.

This disconnect was especially clear in the 2024 Verizon Data Breach Investigations Report (DBIR). This year's report found that "the human element" (human error, or victimization in phishing and similar social-engineering attacks) was a factor in the majority of breaches. The same was true last year, and the year before that, and the year before that.

The single biggest culprit in breaches continues to be weak and stolen credentials. The 2024 DBIR found that "use of stolen credentials" is the number one initial action in a breach, and that credentials are the leading initial access vector in breaches that don't involve error or insider misuse, followed by phishing and exploitation of vulnerabilities.

What's frustrating about the persistence of credential-based attacks is that they are eminently solvable! Roll out a password manager to your end users, put SSO and MFA in front of sensitive applications, and implement passkeys when possible. Yet in 1Password’s 2022 State of Access Report, only 29% of respondents said they used a password manager at work.

The same story applies to compromised devices and, above all, to employee training. The DBIR's authors said as much in a webinar about the report, claiming that “You can address two-thirds of these breaches by training and equipping your employees appropriately.”

But at RSAC, it was tough to fill a room for a talk on employee training or credential management. The popular talks tended to focus on things like the dangers of AI deepfakes, which is ironic, since the 2024 DBIR said that GenAI hasn't made much of an impact on breaches so far.

This needs to change, and the 2024 DBIR offers a clear look at where we're falling short and where we go from here.

To get more insights about the report and its implications for security, read the full blog.

August 30, 2024

You Want to Charge How Much for SSO?

Imagine if you went to the movies and they charged $8000 for popcorn.

Or, imagine you got on a plane and they told you that seatbelts were only available in first class.

Your sense of outraged injustice would probably be something like what IT and security professionals feel when a software vendor hits them with the dreaded SSO tax.

The SSO tax is the name given to the practice of charging an outrageous premium for Single Sign-On, often by making it part of a product's "enterprise tier." The jump in price can be astonishing -- one CRM charges over 5000% more for the tier with SSO. At those prices, only very large companies can afford to pay for SSO. But the problem is that companies of all sizes need it.

In a world where compromised credentials are the number one culprit in breaches, SSO reduces the number of weak, reused passwords flying around. It's also critical to onboarding and offboarding: when every application authenticates through the identity provider, disabling a departing employee's account there revokes their access to all of those applications at once, instead of IT having to hunt down and close a separate local account in each one.

To be fair, there's nothing wrong with charging some extra for SSO -- it's not free for vendors to build or maintain -- but putting it out of the reach of so many companies is irresponsible, and makes us all less safe.

Still, until outraged customers can shame vendors into getting rid of the tax, many businesses have to figure out how to live without SSO. For them, the best route is likely to be a password manager, which also reduces weak and re-used credentials, and enables secure sharing across teams. And a password manager is likely a good investment anyway, for the apps that aren't integrated with SSO.
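The offboarding point above is easy to check for yourself. The following is an added example, not code from 1Password or from the original post: it models a small constructed inventory of applications, some federated to the identity provider and some stuck behind an "SSO tax" paywall with local accounts, and reports which accounts a departed user can still reach after being disabled at the IdP. The app names, user emails and the `App` dataclass are all assumptions made up for the illustration.

```python
"""Offboarding-gap audit: which app accounts survive an IdP deprovision?

Constructed sample data (not from any real tenant). With SSO, disabling the
user at the identity provider cuts access to every federated app at once;
apps without SSO keep their own local accounts, which have to be found and
closed one by one. This script finds the ones that were missed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    sso: bool                   # federated to the IdP, or local accounts only
    local_accounts: frozenset   # active local usernames (empty if SSO-only)


# Constructed inventory: two apps federated via SSO, two that only offer SSO
# on an enterprise tier the company did not buy, so they run local accounts.
APPS = [
    App("crm", sso=True, local_accounts=frozenset()),
    App("wiki", sso=True, local_accounts=frozenset()),
    App("billing", sso=False,
        local_accounts=frozenset({"alice@example.com", "bob@example.com"})),
    App("analytics", sso=False,
        local_accounts=frozenset({"bob@example.com", "carol@example.com"})),
]

# Constructed IdP directory: email -> active flag. Bob has left and was
# disabled at the IdP; Carol was never in the IdP at all.
IDP_USERS = {
    "alice@example.com": True,
    "bob@example.com": False,
}


def effective_access(apps, idp_users):
    """Return {user: [app names]} for what each user can reach right now.

    SSO apps grant access only to users the IdP still marks active; local
    apps grant access to whoever holds a local account, IdP state or not.
    """
    access = {}
    for app in apps:
        if app.sso:
            holders = (u for u, active in idp_users.items() if active)
        else:
            holders = app.local_accounts
        for user in holders:
            access.setdefault(user, set()).add(app.name)
    return {user: sorted(names) for user, names in sorted(access.items())}


def orphaned_accounts(apps, idp_users):
    """Local accounts held by users who are disabled or absent at the IdP.

    These are the offboarding gaps: deprovisioning at the IdP did nothing
    for them, so each must be closed in the application itself.
    """
    orphans = {}
    for app in apps:
        if app.sso:
            continue
        for user in app.local_accounts:
            if not idp_users.get(user, False):
                orphans.setdefault(user, set()).add(app.name)
    return {user: sorted(names) for user, names in sorted(orphans.items())}


def unfederated_apps(apps):
    """Apps not behind SSO: the set a password manager has to cover."""
    return sorted(app.name for app in apps if not app.sso)


if __name__ == "__main__":
    print("Effective access:", effective_access(APPS, IDP_USERS))
    print("Orphaned local accounts:", orphaned_accounts(APPS, IDP_USERS))
    print("Apps needing password-manager coverage:", unfederated_apps(APPS))
```

Run against a real environment, the two inputs would come from the IdP's user export and each non-SSO app's local user list; the output of `orphaned_accounts` is the list of accounts an IdP-only offboarding process silently leaves open.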

To learn more about the past, present, and future of the SSO tax, read the full blog post.

About August 2024

This page contains all entries posted to Feed Sponsorship Ads in August 2024. They are listed from oldest to newest.


Powered by Movable Type 4.38