Information Security Q&A with Patrick Neise, CISO at Groove
Groove recently appointed Patrick Neise as Chief Information Security Officer. Patrick is a former Director of Operations for the NSA Red Team with deep expertise in protecting information systems from cyber threats at the highest level. Not surprisingly, Patrick has strong opinions about the current state of information security, which you can learn a bit more about in the following Q&A.
What put you on the path to become a leader in the world of information security?
I’ve always been into computers and technology, but my time as Director of Operations for the NSA Red Team propelled me into the world of information security. Working with some of the most experienced offensive security-minded individuals against some of the most challenging US Government and DoD targets amounted to an intense graduate education program in the application of real-world information security. After experiencing the incredible talent and top level mentorship from everyone on the NSA Red Team, I knew I wanted to continue in this field after I retired from the Navy.
What led you to take the position of Chief Information Security Officer at Groove?
When it came time to begin the search for my next role, I was primarily looking for three things:
- A company that knew who they were and what they wanted to accomplish
- Transparency from senior leadership
- A company that not only knew security was essential but was willing to take the steps necessary to improve security across the organization.
After meeting people from different parts of Groove throughout the interview process, it became clear that they embraced all three of these criteria.
What role does software architecture play in data security?
The architecture of a software platform and its components is the foundation of its functionality and security. Anytime architecture is being defined, security requirements need to be evaluated alongside performance, reliability, and functional considerations, very early on in the process.
For example, data flow, classification, authorization, retention, and protection requirements will influence architectural and technology decisions during platform design and development. In addition, data security requirements will influence decisions across the entire application stack: identity and access management, in-transit and at-rest encryption, data segregation, retention, etc.
Ultimately, the awareness and inclusion of data security requirements during the design phase is nearly always the most critical aspect of implementing an effective data security strategy. One of the things that attracted me to Groove is that they did this at their inception.
Most SaaS platforms need to store some level of PII to operate – where do you think informed SaaS buyers need to draw the line?
Ultimately, any time a buyer is looking to purchase a SaaS platform, they must find the right balance between desired/required functionality and the criticality of the buyer’s PII shared with the technology provider.
That said, there is a level of ‘shared responsibility’ between the buyer and platform providers. As a result, platform providers should architect their systems to enable maximum user functionality while minimizing the amount and type of the buyer’s PII shared with the platform. Furthermore, they need to have effective data security controls to protect the shared PII.
At the same time, buyers need to be aware of where their own PII is stored, the type and amount of PII required by the platform, and the ability of the provider to protect that data. They should also always evaluate whether alternate providers offer similar functionality with fewer PII sharing requirements. With that shared understanding, buyers can make an informed decision concerning the platform’s benefits versus the risk of sharing PII.
What sets Groove apart from other sales engagement platforms when it comes to security?
When it comes to information security, Groove stands out from its major competitors in three main ways.
First, Groove stores only a fraction of the PII required by other SEPs. Groove limits what we store to metadata about the given activities and none of the email/event bodies.
Second, Groove maintains Salesforce as the system of record. This allows companies to keep their most critical data within the security protocols they’ve established in Salesforce. The limited amount of information stored in Groove is encrypted at rest and protected by TLS in transit.
And third, Groove uses the user’s own Salesforce and Google or Microsoft Graph tokens for all user-level API access. Existing access controls in those systems are honored by default.
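The metadata-only storage pattern described in the answer above, as an added example that is not Groove's code and assumes nothing about its schema: an allow-list of activity fields is the only thing that can reach the store, and a guard refuses any record that still carries content fields. The sample event and all field names are constructed for this illustration.

```python
import json
from typing import Any, Dict, List

# Constructed sample payload resembling what a mailbox API might return.
# Field names are assumptions for this example, not any vendor's schema.
SAMPLE_EMAIL_EVENT: Dict[str, Any] = {
    "id": "msg-0001",
    "kind": "email",
    "sent_at": "2024-01-15T14:03:00Z",
    "from": "rep@example.com",
    "to": ["prospect@example.org"],
    "subject": "Q1 pricing follow-up",
    "body": "Hi Dana, the signed contract and the account number 4411 are attached ...",
    "attachments": [{"name": "contract.pdf", "content": "<binary>"}],
}

# Allow-list of metadata fields that may be persisted. Anything not named here
# (body, attachments, subject, or fields a future API version adds) is dropped
# by construction rather than by a deny-list that has to be kept current.
ALLOWED_FIELDS = ("id", "kind", "sent_at", "from", "to")

# Fields that are content rather than activity metadata; used as a final guard.
CONTENT_FIELDS = ("body", "attachments", "subject")


def minimize_activity(event: Dict[str, Any]) -> Dict[str, Any]:
    """Project an upstream event onto the allow-listed metadata fields only."""
    record = {key: event[key] for key in ALLOWED_FIELDS if key in event}
    # Derived metadata is fine to keep; the underlying content is not.
    record["recipient_count"] = len(event.get("to", []))
    return record


def assert_no_content(record: Dict[str, Any]) -> Dict[str, Any]:
    """Refuse to persist a record that still carries message content.

    This is the invariant check a reviewer would want at the storage boundary:
    even if minimize_activity is changed later, bodies cannot reach the store.
    """
    leaked = [key for key in CONTENT_FIELDS if key in record]
    if leaked:
        raise ValueError(f"refusing to persist content fields: {leaked}")
    return record


def persist(event: Dict[str, Any], store: List[str]) -> Dict[str, Any]:
    """Minimize, check, then append the JSON record to an in-memory store."""
    record = assert_no_content(minimize_activity(event))
    store.append(json.dumps(record, sort_keys=True))
    return record


if __name__ == "__main__":
    rows: List[str] = []
    persist(SAMPLE_EMAIL_EVENT, rows)
    print(rows[0])
```

Two design choices matter here: the allow-list means new upstream fields are excluded until someone deliberately adds them, and the guard at the storage boundary fails closed, so a regression in the projection step produces an error rather than a silent leak of message bodies.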
What other considerations should SaaS buyers pay attention to given current data security trends?
The most important thing a SaaS buyer can do before evaluating any kind of technology solution is to make sure they fully understand their data. A buyer needs to know what type of data is stored, where that data is currently stored, who has access to it today, what legal requirements impact data privacy and security, among many other things. This level of understanding will provide buyers with the information needed to make risk-informed decisions regarding the use, storage, and protection of critical/sensitive data.
With that knowledge in hand, buyers will be more able to keep up with changes in data security and privacy legislation, ask the right questions of their service providers, and understand the impact on their data if a service provider suffers a security incident. In the end, the buyer is accountable for protecting both their company’s data and their customers’ data. This can only be done if the buying committee understands how the vendors they choose to partner with manage data, and who else they have shared that data with to provide features and functions to their users.
What lessons can we learn from the recent high-profile data security incidents at Slack, Okta, LastPass, and CircleCI?
The interesting aspect of these recent breaches is what these companies represent as a group; they are infrastructure at the center of how many companies operate and produce products. Ranging from internal communication and authentication to the continuous integration and deployment of software, the targeted companies represent multiple aspects of the day-to-day operations of today’s companies. They got in through the platforms many of us use every day.
Whether the attackers were trying to gain access to customer data or the companies’ data, only time will tell. But one thing is sure – companies need to have a deep understanding of what 3rd party services they use, what data those services have access to, and how they will respond to a breach if one of those 3rd party service providers is hacked.
What kind of attacks do you expect to see more of in the future and why?
On the one hand, we will continue to see more of the same: ransomware, breaches of 3rd party service providers, cryptocurrency theft, etc. However, we will also see an increase in defensive response to these attacks.
Recent high-profile attacks involving ransomware have prompted many countries to take a national approach to identifying and shutting down ransomware crews. Additionally, more stringent requirements related to incident reporting and security posture attestation are emerging due to intrusions into some of the larger 3rd party service providers.
On the other hand, recent and ongoing developments in AI platforms such as ChatGPT could lead to attack techniques and an improvement in mainstream attacks like more effective social engineering/spear phishing. While we are still at the leading edge of what AIs like ChatGPT are capable of, security researchers are already demonstrating how they could leverage these technologies in attacks. This is one of many reasons that Microsoft recently invested $10 billion in OpenAI, the creator of this technology.
Read our announcement for more information about why Patrick joined Groove as its new CISO and what he will be focused on in this new role.