The digital landscape is rapidly evolving, marked by sophisticated attacks targeting software-as-a-service (SaaS) data. At this year’s Dreamforce, a panel of leading security executives — including Lee Kaiser (CISO, Highspring), Matt Hillary (CISO, Drata), and Kelly McCracken (SVP, Cybersecurity Operations Center, Salesforce) — shared their strategies for managing risk, bridging security gaps, and establishing governance in the AI era. Their insights highlight the complexities of securing SaaS environments and the need for proactive resilience in the face of increasingly advanced threats.
The challenge of third-party risk in SaaS environments
As organizations move to SaaS for its speed and scale, they inevitably relinquish some control over their security posture. This shift is fundamental, with security teams needing to place their trust in the native security controls of SaaS applications, as well as foster regular collaboration with the system administrators who configure and manage these applications.
The challenge is magnified by the scale of modern SaaS usage — organizations manage security across hundreds of applications, many of which are not easily integrated for Single Sign-On (SSO) or robust endpoint management without costly tier upgrades. “The biggest challenge for security teams is configuring the native security controls of the SaaS application itself,” Kaiser noted, highlighting the inherent risks in this new paradigm.
The security leaders expressed significant concern about threats targeting third-party applications. While acknowledging that these threats don’t originate from the platform itself, they fear these add-on applications could be used as a vector to compromise one of their customers. This fear underscores the need for simplified oversight, as managing third-party risk across hundreds of suppliers is exponentially difficult.
McCracken shared a recommendation to address this challenge by mandating a security review for every new app and prioritizing risk using financial exposure metrics on the executive dashboard. Despite these efforts, the leaders acknowledged that no SaaS security strategy is a silver bullet. Hillary made the analogy of having a bucket of lead bullets, and said that what keeps him up at night is the “small dissonance” of the CISO role: the awareness that even with comprehensive efforts, one small, missed detail could lead to a major business impact.
Shifting to proactive resilience
In the face of these more sophisticated and frequent threats, the leaders agreed that traditional detection and response are no longer sufficient. The focus must shift toward prevention and resilience, leveraging advanced technologies and organizational restructuring.
A significant challenge in achieving security resilience is managing the inherent tension between security teams and business units. Kaiser referred to this as “the ‘Export to Excel’ Problem,” where security must enforce non-negotiable requirements despite potential unpopularity with the business.
To combat AI-backed threats, the modern strategy involves moving toward Managed Detection and Response (MDR) and Managed Prevention and Response (MPR) solutions that are AI-powered. This approach emphasizes that security isn’t a ‘set it and forget it’ task; tools are constantly evolving, requiring a proactive, hands-on approach and continuous monitoring. Hillary detailed how his team is implementing a “proactive shift-left” approach to codifying SaaS configurations, detecting and preventing insecure changes before they are deployed.
Similarly, McCracken shared that Salesforce has implemented a Top Threats Program, which identifies critical gaps in the ability of Salesforce’s Cyber Security Operations Center (CSOC) to detect and respond to threats to the organization. The program enables these gaps to be identified, prioritized, and remediated, improving the CSOC’s ability to identify and contain malicious actions taken in our environment.
Governing the future of SaaS security
With the emergence of AI agents, establishing clear governance is the single most critical challenge for the future. Kaiser warned that the number of listed AI applications has surged from 10,000 to over 50,000, making a “deny all and allow only what is approved” approach through a governance council the only manageable security strategy.
Beyond technical risk, he highlighted the unseen risks built into Large Language Models (LLMs) around bias and discrimination. To oversee third-party AI capabilities, the leaders suggested establishing an AI Council comprising the CISO, CIO, and Deputy General Counsel to adjudicate the risk of every new AI feature introduced by vendors.
McCracken emphasized the need for consistency in governance, applying the same rigorous standards to AI as to third-party SaaS. This includes having complete visibility into what data AI models access and establishing continuous monitoring to enforce organizational policies. Hillary noted that for AI agents acting on behalf of users, SaaS providers must offer granular scoping capabilities to limit permissions to the specific access required.
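The following is an added illustration, not code from the panel or from any vendor's tooling, of the shift-left configuration check Hillary described, combined with the deny-by-default AI application list and the granular agent scoping discussed above: it compares a proposed SaaS configuration against the deployed one and reports the insecure changes before they ship. The config layout (sso, session, ai_apps, agents) and the policy values are constructed assumptions, not any platform's real format.

```python
# Pre-deployment policy check over a codified SaaS configuration (added example;
# the sso/session/ai_apps/agents layout is a constructed stand-in, not a real
# platform's config-as-code format).

# Constructed policy: deny-by-default AI app allowlist, least-privilege scopes.
APPROVED_AI_APPS = {"approved-assistant"}
ALLOWED_AGENT_SCOPES = {"read:records", "write:own_records"}
MAX_SESSION_MINUTES = 60

def check_config(current: dict, proposed: dict) -> list[str]:
    """Return the policy violations a proposed config would introduce."""
    findings: list[str] = []
    # Native controls: SSO stays enforced, session timeout stays within policy.
    if not proposed.get("sso", {}).get("enforced", False):
        findings.append("sso.enforced must be true")
    if proposed.get("session", {}).get("timeout_minutes", 0) > MAX_SESSION_MINUTES:
        findings.append(f"session.timeout_minutes exceeds {MAX_SESSION_MINUTES}")
    # Governance rule: every enabled AI app must be on the approved list.
    for app in proposed.get("ai_apps", []):
        if app not in APPROVED_AI_APPS:
            findings.append(f"ai_apps: '{app}' is not approved")
    # Agent scoping: only allowed scopes, and any scope added since the deployed
    # config is surfaced so reviewers see privilege growth explicitly.
    deployed = {a["name"]: set(a["scopes"]) for a in current.get("agents", [])}
    for agent in proposed.get("agents", []):
        name, scopes = agent["name"], set(agent["scopes"])
        for scope in sorted(scopes - ALLOWED_AGENT_SCOPES):
            findings.append(f"agent {name}: scope '{scope}' is not allowed")
        for scope in sorted(scopes - deployed.get(name, set())):
            findings.append(f"agent {name}: scope '{scope}' newly granted")
    return findings

# Constructed sample: a proposed change that disables SSO, widens the session,
# enables an unvetted AI app and broadens an agent's permissions.
DEPLOYED = {
    "sso": {"enforced": True},
    "session": {"timeout_minutes": 30},
    "ai_apps": ["approved-assistant"],
    "agents": [{"name": "support-agent", "scopes": ["read:records"]}],
}
PROPOSED = {
    "sso": {"enforced": False},
    "session": {"timeout_minutes": 480},
    "ai_apps": ["approved-assistant", "unvetted-summarizer"],
    "agents": [{"name": "support-agent", "scopes": ["read:records", "admin:all"]}],
}

if __name__ == "__main__":
    for finding in check_config(DEPLOYED, PROPOSED):
        print("BLOCK:", finding)
```

Run as a pre-merge gate on the configuration repository, a non-empty result fails the change; re-applying the deployed configuration to itself yields no findings.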
The path forward
The leaders made it clear that while Identity and Access Management (IAM) is contractually essential, there’s no single silver bullet for security. Securing SaaS and AI requires a delicate balance of technical controls, organizational resilience, ongoing collaboration between system administrators and security teams, and expert human judgment. The CISO’s role is to master the craft of communication and influence, ensuring security is a non-negotiable foundation for innovation from day one.
Ultimately, securing the future means shifting from a reactive mindset to a proactive one, designing security into every application and policy, and viewing all partners and systems through a constant lens of governance.
Watch our new Trusted Enterprise Security video series to learn more about proactive strategies and best practices for securing your Salesforce environment.