Interview: How To Avoid Financial Fraud And Sophisticated Cyberattacks With Access Governance
Adil Khan, Chief Executive Officer and Founder at SafePaaS, discusses how applying and automating advanced access controls can help organizations to prevent internal fraud and mitigate the risk of cyberattack.
Adil Khan is the Chief Executive Officer at SafePaaS, a policy-based access governance platform that enables organizations to identify and remediate security incidents and audit failings across all company levels, via one single platform. Adil has almost 30 years of experience in enterprise risk and compliance management, having held roles at Oracle and Hencie before founding SafePaaS. A sought-after speaker and successful entrepreneur in the risk management space, Adil has also co-authored The Governance, Risk, and Compliance Handbook for Oracle applications.
We spoke to Adil to discuss how the scandal leading to the passage of the Sarbanes-Oxley Act inspired him to found SafePaaS, and how organizations can mitigate the risk of cyberattack and prevent financial fraud through applying and automating advanced access controls. We also discuss why organizations should consider moving to a holistic platform instead of using fragmented security tools, and how we can expect the threat landscape to evolve as we move into 2023 and beyond.
Could you please introduce yourself and tell us about your background?
My name is Adil Khan. I’m the CEO and founder of SafePaaS. I started this journey back in 2003 when I was running a publicly listed company on the US stock exchange called Hencie. I’ve been named Entrepreneur of the Year by EY, and I’ve written a book on the topic of governance, risk, and compliance with a co-author from Oracle, Nigel King. My area is enterprise controls, risk management, and financials.
Could you give us an overview of the SafePaaS platform? Why did you found the company, and what challenges are you helping your customers to solve today?
Let’s start with the story of SafePaaS and why we founded it. The journey started back in 2003, when the US passed a law that put criminal penalties on senior executives who disclosed financial statements with errors and mistakes, because that impacted our economy.
I was running a public company, and I was closely linked with the example that was cited—a company called Enron—because we were both in Texas and they were one of my customers at the time. Lots of friends and family lost their jobs because they were misstating financial results, even though they were passing their financial audits every year.
People were scratching their heads. How could a company be so successful, then suddenly lose billions of dollars that would so negatively impact so many people and communities? We all learned a very expensive lesson there.
There used to be five major audit firms. Arthur Andersen, Enron’s auditor, was essentially disbarred from doing any business and collapsed because of that. As a young entrepreneur, that really affected me, and I wanted to do something about it.
So, I studied and learned the law. I read through it, and I talked to the audit firms that I worked with—back then, Deloitte was my auditor.
We found that the reason companies were able to disclose inaccurate financial statements was because the internal controls were never audited. So, even though the audit firms would audit the financial results, such as by looking at variances on a general ledger, they would never audit the controls that were used to produce those transactions that disclosed the results to the market. And that’s where I came to the idea of helping companies implement those internal controls.
Technology has always been my area of interest, and I figured technology could help, so that started our journey. We spent the first 10 or 15 years travelling the globe, visiting 200+ enterprise customers, and learning from them the challenges of doing internal controls.
What I found was that most of the work was being done manually—on paper and pencil and spreadsheets—and was full of errors. So, we saw the need to take all these lessons and then turn them into software that could automate and streamline those processes.
So, that’s what SafePaaS is. It helps companies at the top of the Fortune 500 and mid-market companies prevent disasters from happening by applying automated, advanced controls to reduce risk.
Who are your typical customers? Do they tend to approach you because they’re more concerned about security, or about compliance? Or is it a mixture of the two?
Our customers tend to be the home brands that you all recognize, that really care about their reputation. That can include higher education institutions, government agencies—we even work with one of the largest food chains around the world.
It’s been an evolution. It started with compliance—people just wanted to get compliant with the law President Bush passed because they had this huge financial risk. And the biggest risk of financial misstatement is the segregation of duties. So, that’s where the company got its start.
But in the last five years, we’ve seen an acceleration into security as the top topic at the board level. What’s driven us into the cybersecurity market is this need for companies to protect their assets and their resources against bad actors. So, we very much work with the C-suite around concerns that impact the governance of an organization, and any kind of disclosure to that.
One of the biggest security challenges organizations are currently facing is ensuring only the right identities have the right access to the right resource at the right time—especially with the continuing adoption of hybrid work and cloud technologies. Why is this such a challenge for IT and security teams?
You’re right, it absolutely is a big challenge. And every day our customers talk about that challenge. Many of our customers are global organizations. That could mean you have offices around the world, or it could mean you’re based in one location and you’re serving customers all around the world.
Now, identity is linked to your customer, your supplier, your employee—it’s not just the user of one software, it’s everything you use. And as we’re moving everything to the cloud and working from home and all these different places, identities have spread across different systems. The biggest challenge, our customers tell us, is being able to orchestrate—in one platform—all of these identities, to be able to apply some sort of top-down governance.
How can identity governance and administration (IGA) and the proper management of identity lifecycles help organizations to overcome this?
SafePaaS provides a platform where companies can hook in different fragmented sources of identity management—whether it’s coming from your IdM [Identity Management] system, an ERP [Enterprise Resource Planning] solution, or third-party cloud applications like Salesforce or Workday. We give customers a single platform where they can see the orchestration and lifecycle management of identity, and then be able to apply consistent controls on what those identities are doing.
We solve the problem of identity fragmentation.
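The two controls discussed above, correlating accounts from several systems back to one identity and then checking segregation of duties across them, can be illustrated in code. The following is an added example written for this page; it is not SafePaaS code and does not reflect how that platform is implemented. The HR feed, the two application exports, the role-to-function mapping and the SoD rules are all constructed for illustration.

```python
"""Cross-system identity correlation plus a segregation-of-duties (SoD) check.

Added illustration, not SafePaaS code. All data below is constructed.
Three hypothetical sources (an HR feed, an ERP export and a payments SaaS
export) name the same person differently. Accounts are correlated to one
identity by e-mail, system-specific roles are mapped to business functions,
and SoD rules are evaluated per person across systems, so a conflict split
between two applications is still detected.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed HR feed: the authoritative source for who should have access.
HR_FEED = [
    {"person_id": "E1001", "email": "alice@example.com", "status": "active"},
    {"person_id": "E1002", "email": "bob@example.com", "status": "active"},
    {"person_id": "E1003", "email": "carol@example.com", "status": "terminated"},
]

# Constructed per-system account exports, each with its own user naming.
SOURCES = {
    "erp": [
        {"user": "AJONES", "email": "alice@example.com", "roles": ["AP_VENDOR_MAINT"]},
        {"user": "BSMITH", "email": "bob@example.com", "roles": ["AP_INVOICE_ENTRY"]},
        {"user": "CLEE", "email": "carol@example.com", "roles": ["GL_POSTING"]},
    ],
    "payments": [
        {"user": "alice.j", "email": "alice@example.com", "roles": ["payment_approver"]},
        {"user": "bob.s", "email": "bob@example.com", "roles": ["payment_viewer"]},
    ],
}

# Assumed mapping from (system, role) to a normalised business function.
FUNCTION_MAP = {
    ("erp", "AP_VENDOR_MAINT"): "create_vendor",
    ("erp", "AP_INVOICE_ENTRY"): "enter_invoice",
    ("erp", "GL_POSTING"): "post_journal",
    ("payments", "payment_approver"): "approve_payment",
    ("payments", "payment_viewer"): "view_payment",
}

# Assumed SoD rules: function pairs one person must never hold together.
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
]


@dataclass
class Identity:
    person_id: Optional[str]
    email: str
    hr_status: Optional[str]          # None means no HR record at all
    # function -> list of (system, account name, role) granting it
    functions: Dict[str, List[Tuple[str, str, str]]] = field(default_factory=dict)


def correlate(hr_feed, sources) -> Dict[str, Identity]:
    """Build one Identity per e-mail, seeded from HR, then attach every
    system account and its normalised functions to that identity."""
    identities: Dict[str, Identity] = {}
    for person in hr_feed:
        identities[person["email"]] = Identity(
            person["person_id"], person["email"], person["status"])
    for system, accounts in sources.items():
        for acct in accounts:
            # An account with no HR record still gets an identity so it is reviewed.
            ident = identities.setdefault(
                acct["email"], Identity(None, acct["email"], None))
            for role in acct["roles"]:
                func = FUNCTION_MAP.get((system, role), f"{system}:{role}")
                ident.functions.setdefault(func, []).append((system, acct["user"], role))
    return identities


def sod_violations(identities) -> List[Tuple[str, str, str]]:
    """Return (email, function_a, function_b) for every rule a person breaks,
    regardless of which system grants each half of the conflict."""
    found = []
    for ident in identities.values():
        for a, b in SOD_RULES:
            if a in ident.functions and b in ident.functions:
                found.append((ident.email, a, b))
    return found


def orphan_access(identities) -> List[str]:
    """Lifecycle check: accounts still holding functions for people who are
    not active in HR (terminated, or unknown to HR entirely)."""
    return [i.email for i in identities.values()
            if i.hr_status != "active" and i.functions]


if __name__ == "__main__":
    ids = correlate(HR_FEED, SOURCES)
    for email, a, b in sod_violations(ids):
        print(f"SoD conflict: {email} holds {a} via {ids[email].functions[a]} "
              f"and {b} via {ids[email].functions[b]}")
    for email in orphan_access(ids):
        print(f"Orphaned access: {email} is not active in HR but still has "
              f"{sorted(ids[email].functions)}")
```

In the constructed data, Alice's conflict only appears once the ERP vendor-maintenance role and the SaaS payment-approver role are viewed as one identity; checked system by system, each application would report her as clean. The orphan check shows the other half of lifecycle governance: Carol is terminated in HR but still holds a posting role in the ERP.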
While we’ve focused mostly on identity governance today, SafePaaS is a holistic risk management platform that helps remediate threats across a business’ entire digital ecosystem, not just at the identity level. How important is it for organizations to move away from using disparate security tools, to one holistic platform for managing these processes?
Fragmentation is an existential threat to companies. The most exploited format of cyber threat today is to take over the identities which are owned by insiders. And if you have a fragmented identity, you cannot control or apply consistent policies across the business. So, using a holistic platform is essential to being able to solve that. That’s step one, the first line of defense.
But there’s more to it. There are many more layers where fragmentation causes a problem. If you have a point solution that looks at database security, another one that looks at applications, and another that looks at infrastructure, each of these point solutions will find problems on what they’re monitoring. But the key is to connect those dots into a meaningful result set that managers can act on to prevent or remediate risk, while making sure the business is agile and streamlined.
When you have point solutions, they’re only looking at their piece of the puzzle, but not the whole picture. Threat actors are exploiting that. So, by moving that to a single platform, you are removing the risk of something falling through the cracks.
How do you anticipate the threat landscape will continue to evolve as we move into 2023 and beyond?
Firstly, we are facing a global recession. And one of the things that we’ve seen in recessions is that fraud risk goes up. I mentioned earlier that auditors do a lot of things manually and, unfortunately, that’s still true, despite our best efforts. Currently, around $2 trillion is lost to fraud every year, and that risk is only going to go up next year.
So, we’re building more security capabilities that allow us to take that burden away from our customers; the data that we collect can identify “needle in the haystack” type fraud.
Secondly, supply chain is another area that is going to continue to present challenges next year. Businesses are experiencing a decline in their customer activities and an increase in their supplier challenges, so they’re looking for agility to quickly onboard suppliers. New suppliers bring a lot of risks: it could be risk of not being able to deliver a product on time, it could be the risk of having defective products. All of those risks in supply chain continue to be concerns for businesses. And as they constantly switch suppliers, they need access governance to be able to control that supplier access into their environments.
The third trend is that we don’t see the hybrid workforce going away any time soon. I was reading a New York Times article this morning that said the amount of office space leased in the US has dropped by nearly a third compared to the last few years. People have adopted different habits and different work styles, and they’re just not coming back. So, hybrid work will continue to present access governance challenges.
What are your final words of advice to organizations struggling to secure themselves against the prevalent identity-related cyberthreats we’re seeing today?
Start from the top. If you start from the bottom, you miss the forest for the trees. It’s hard to solve the problem, because there are so many smaller pieces you can get lost in solving. So, you start from the top, with your policies and your governance. Figure out what your priorities are and what it is that you’re trying to accomplish as a company. And, based on that, assess your current risks.
We strongly recommend starting with your policies and assessing them, bringing in an independent firm to really understand the risk that you can tolerate. Think about risk, likelihood, impact, and velocity, and what parameters are acceptable to your organization to still enable you to execute your strategy.
Once you do that, addressing the problem becomes easier, because then you can essentially pass out the directives to your line managers on what controls are key to your business and—if those controls fail—what compensating controls will back it up.
With this approach, everybody becomes part of the solution. So, if your primary control fails, you have second, third, and fourth controls in place as a backup. That’s what I would advise companies to do next year.
Thank you to Adil Khan for taking part in this interview. You can find out more about SafePaaS’s policy-based access governance platform via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.