Interview: How Application Security And Controls Automation Can Enable Business Performance

Mike Puterbaugh is the Chief Marketing Office (CMO) at Pathlock, a market leader in the access orchestration space that provides a wide range of tools via a single holistic platform designed to help organizations streamline and automate their audit and  IT controls processes across business applications.

Puterbaugh has extensive experience in SaaS product strategy, marketing and management, having created, launched and managed successful product lines for bootstrapped ventures, venture-backed businesses, and large, public corporations. Prior to his role at Pathlock, Puterbaugh has held positions at Ziflow, BeyondTrust, Stratavia, and ProofHQ (acq. Adobe), among others in the IT space, developing product lines and positioning within highly competitive spaces.

Expert Insights sat down with Puterbaugh to discuss how organizations can leverage application security and controls automation not only to improve their resilience against cyberthreats, but also to enable business performance.

Could you give us an introduction to Pathlock, your key use cases, and what differentiates you from your competitors?

Sure! In May, we announced an M&A that resulted in Pathlock becoming the leader in application security and controls automation. And I think that definitely has some important connotations for your audience, so I’d like to unpack it a little bit.

So, application security covers a wide range of activities as it spans across access controls key business applications like your ERP, Finance and HR systems: who can access which applications, what they can do within those applications, hardening the applications themselves, how they’re configured, making sure they’re patched, seeing whether custom code has been developed against those applications and introduced by the customers themselves, seeing whether that custom code introduce any vulnerabilities, and so on.

In short, it spans from the actual access to the applications and what people can do within them, to the shell or the hardening of the applications themselves.

And then the second piece of our positioning is the controls automation, which is really where a lot of our differentiation begins to come into play. We have the largest library of controls—think of it as onboard content within the platform—which are essentially business rules that are mapped to processes being undertaken within those business applications. I think the simplest example would be that, in a business application such as SAP, Caitlin cannot create a vendor and then pay that same vendor. That would be a business process, and that would also be an example of a control that we can enforce: you are not allowed to pay a vendor that you yourself created in the system.

There’s a whole parade of articles that you could find on Google about fraud that was perpetrated within organizations by a rogue employee that had the ability to create a vendor, submit fake invoices and send a payment out the door. This can go undetected for years. And here in the States, the lack of controls in place for those types of business processes was the basis for Sarbanes Oxley, and what is commonly now referred to as “segregation of duties” or “SOD.”

Essentially,  SOD is the ability to ensure that key steps in critical business processes are assigned to roles in a way that ensures checks and balances.  Public companies must be able to certify that controls like these exist and that they’re being regularly tested and enforced. When applied across the landscape of business applications in use at any given organization, this can be a daunting task, and one that is largely manual today. That’s why we feel our controls library content is a powerful differentiator for us. 

And that onboard content library that we have,  when viewed through the lens of the acquisitions that we went just completed, really is intellectual property for us now. Businesses can go and create them, but the differentiator for us is that we already have them, and that we can get you up and running on these controls as part of the deployment; it’s not a manual effort.  

Who are Pathlock’s typical customers, and how do you help them to solve some of the challenges they’re facing?

Our customers tend to skew toward the larger side of your audience; they’re typically the global 2000. But really, any company in a heavily regulated industry—private or public, and regardless of size—is going to be asked for how their controls and how their business processes are enforced and tested and proven. So really, that’s who our customer base is made up of. Any org that relies on supply chains or financial processes as crucial to their business would benefit from working with us.

A huge benefit to our customers is automation. The audit prep around business applications is incredibly manual; it’s all done via spreadsheets, disconnected systems, and consultants. So, automating what can be automated in terms of access governance and application security—as well as the controls testing—is our number one benefit to customers. As we help them automate, we’re reducing a lot of cost and, just as importantly, we’re reducing risk and fraud as well—hard dollars that get put back into the business.

So, what we give them really is the broader promise of automation—which I think you hear about all the time—but specifically around this use case of not only securing these business applications, but also helping these companies demonstrate that they’ve got controls over their business processes and data.  

Really, what it comes down to is that those processes rely on data within the applications; you’re there manipulating data, you’re creating new data, or you’re accessing data to make decisions or payments, for example. So, it’s truly a core business activity.

Pathlock is a comprehensive, unified platform. How important is it for organizations to move away from using disparate security tools in different business areas, to one holistic platform?

Today, our business processes are traversing multiple labs. 10 years ago, you could source a product from Asia, have it built, pay that supplier, record the acceptance of the product and then ship it out, and this could all be done within a system like SAP. That same process today could see your SAP instance talking to Oracle, talking to Ariba, talking to your data warehouse, and so on—it’s a supply chain itself of multiple applications.

Typically, these tools are managed by individual business leaders. In a manufacturing organization, for example, there’s a business leader that is responsible for the ERP system, because the ERP system touches manufacturing, it touches supply chain, it touches payments. So, they’re typically going to be focused on their core application, like SAP or Ariba.

This role could be an HR person too —I’ve been talking about business and finance quite a bit, but HR is an essential part of the business too, and there’s a lot of sensitive data stored in Human Capital Management systems: Personally Identifiable Information (PII), such as social security numbers, health information, home addresses, things like that.

So, the business leader is typically focused on their app. They’re just worried about Workday or Ariba, and they’re trying to manage it with spreadsheets and whatnot.

Now, when you go up a level to the CIO—who the CISO typically is reporting to or sits next to—they care about all the applications. And when the business leaders are working with these disparate spreadsheets, there’s a lot of opportunity for things to fall through the cracks.

When all is said and done in the business world, Excel is the killer app. It’s the app that everyone relies on to run their businesses in many ways. When you’re looking at spreadsheets, you’re looking at a point in time; you’re effectively sample testing. And what we aim to do with Pathlock is to provide that real-time capability of identifying business processes and business risk in terms of access, fraud, or malicious activity.

So, the benefit of using one holistic platform is that it reduces the risk of something being missed or falling through the cracks. Additionally, there’s a lot of opportunity to streamline the operations and get a more complete picture. I hate to use that line of “a single pane of glass,” but that’s truly what it is—that single pane of glass, that one area to surface all the core information about your business applications, and then layer on top of that with intelligence about what the actual risks are, or could be.

Then we get to compliance. What does this mean for Sarbanes Oxley? What does this mean for any of the HR and data privacy acts such as GDPR, or the California Consumer Protection Act? Being able to layer on those guidelines and regulations saves organizations a lot of time, because every one of those guidelines and regulations would be its own spreadsheet otherwise.

Some security experts are talking about the need for the industry to rebrand itself—rather than selling security solutions as a kind of insurance, we need to be focusing on business enablement. Where do you stand on that?

The big “why” here is to enable the business, and to do more of what you’re doing as a company in a more efficient, secure manner. Think about the first company that was going to offer online banking. They were going to allow you to deposit checks over your phone and so on; think about the infrastructure underneath that was required to do that. For them, the big “why” was, “We want our customers to access their money faster. We also want to reduce the costs associated with a teller having to take a physical check and deposit it at the branch.  We’re not just offering mobile deposits for the sake of it; we’re creating a more efficient process.”

And it’s the same for any big decision within a business, including implementing security. So, you have to think about security as part of enabling a bigger business opportunity. You have to let the business continue to run and you have to support business growth. So, I totally agree with that. It all must be in the name of helping the business grow.

How can the technologies that make up the Pathlock platform help organizations to achieve a zero trust security architecture?

We look at zero trust as a lifecycle or a maturity model. We have a platform that we offer modularly. So, we have modules for role design, provisioning, SOD risk analysis, user access requests, and so on, and they all work by themselves for a very specific use case, but they also work together.

When I talk with customers about starting from scratch, my recommendation is always to start with role design. Role design is the process of literally designing the roles for users and groups, so that all users are attached to a role when they are newly deployed or freshly provisioned. And that role basically allows for everything they may need to do as part of their job. Role design is really good example of something that—when done effectively—has some great downstream benefits. Because a well-designed role allows your employee to help you develop as a business, but it also doesn’t slow them down. And what I mean by “slowing them down” is that they reach a point where they need be able to do something they don’t have the permissions for, so they have to submit a user access request. User access requests are a part of doing business, you’re always going to have them, but a well-defined role will help cut down on those user access requests and allow people to keep moving forward in their roles, while also saving admin time.

I think that’s a really good place to start, and then you can build out from there. For us, these all work together to create a lifecycle approach to zero trust.

I saw a note last week that said IT spending is going to grow, even with what’s going on today in the economy, and that’s because organizations want to move to the cloud. They want to adopt the cloud because it will be cheaper for them in the long run. And that’s a great opportunity to take a fresh start; a lot of times, some of the roles in your on-premise ERP don’t translate to your cloud ERP. So, you start effectively with a clean sheet of paper. That’s a great opportunity to rebuild your roles and learn from the past.

What is your final piece of advice to organizations struggling to establish and secure their business processes?

It’s kind of a “choose your own adventure,” based on the type of organization I’d be talking to.

If you’re starting fresh or undertaking a digital transformation project, start with the biggest areas where you can get compounding benefits over time, like role design. Bulletproof those roles from the get-go and have a good process for redesigning them over time.

In absence of a clean sheet of paper, if you’re bound by regulatory requirements, the first place I would start is where you think you can reduce risk and fraud immediately, like segregation of duties.

And if you’re not really affected by regulatory requirements, then you should consider where you’re spending most of your time in manual efforts. Look at your costs and see where you’re spending every quarter on consultants to come in and do work, and see how much the power of automation could help you reduce those efforts and that cost.

We talk to all kinds of customers and they’re all in different points of the journey. That’s why I’m really excited about Pathlock—we can offer all these different organizations something different, with the same end goal of enabling their business.

Thank you to Mike Puterbaugh for taking part in this interview. You can find out more about Pathlock’s application security and controls automation platform via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.