All Articles

Weekly CISO Podcast Pick: SaaS Sprawl, Sessions & Resilience

Posted by pritha on October 16, 2025 at 2:56am in Podcast
Member Contribution • Weekly CISO Podcast Pick

This Week’s Pick by David Cross (CISO, Atlassian)

Series curated by the CISO Platform community. Spotlighting practical listens for security leaders and their teams.

Professional CISO Show — Joe Sullivan on SaaS, Identity & Resilience

David’s take: “Clear-eyed on the SaaS sprawl → identity mess, why long-lived sessions bite us, and what resilient orgs actually look like.”

 
Recommended by: David Cross, CISO, Atlassian
Why this pick: actionable identity + SaaS lessons, not vendor fluff.
⏱ ~1 hr 28 min Focus: SaaS app sprawl • IAM • Session risk • AppSec talent • Resilience

Why this episode matters

  • SaaS ≠ just the primary vendor. Risk surface is Salesforce plus every add-on & support workflow.
  • Sessions & tokens are the soft underbelly. Long-lived cookies and loose device binding make takeover cheap.
  • Identity isn’t “set and forget.” SSO isn’t secure if session hygiene is weak; rotate & scope relentlessly.
  • Resilience is the north star. Ask “can we operate tomorrow?”, not just “did data leave?”.
  • AppSec builders are pivotal. Engineers who speak code carry your AI/product security ramp.

Copy-paste takeaways for your team

  • Reduce session lifetimes for critical SaaS to ≤24h; enable device checks.
  • Hunt support tickets for pasted secrets/tokens; revoke and lint future submissions.
  • Forward SaaS audit logs (Salesforce, Google Workspace, etc.) to your SIEM.
  • Pilot a SaaS security tool for forensics, not just posture scores.
  • Open an AppSec Builder role (or upskill one engineer) for AI/product security.

Standout ideas discussed

  • SaaS sprawl & identity blind spots: “Salesforce issue” → tokens/support data chaining into other systems.
  • Hard keys over weak MFA: mandate hardware-backed second factors for admin/prod access.
  • Passkeys UX caution: pilot first; avoid confusing multi-provider prompts.
  • AI in practice: treat AI as “human problems at hyperspeed.” Visibility first; then guardrails.
  • Org resilience: practice business-down scenarios; security keeps operations moving, not just data safe.

Try this in the next 7 days

  1. Session hygiene sprint: pick 2 critical SaaS → cut session TTL, add device checks, re-auth on privilege use.
  2. Support token hunt: scan last 90 days of tickets for secrets/tokens; revoke and block future paste-ins.
  3. Tabletop “operations offline”: 60-min drill with IT/Finance/Ops: how do we operate if core SaaS is down?
 

About David Cross

David is CISO at Atlassian and a long-time community member at CISO Platform. His weekly picks are short-listed for practical signal—conversations that sharpen how we lead, not just what we deploy.

 

Want your pick featured next?

We’re building a rotating slate of member recommendations from USA, Middle East, and India. If you’re a CISO or security leader, submit a link and 3 bullets on why it matters.

Submit your recommendation (Members)

How we choose

  • Short, actionable outcomes for CISO teams
  • No product pitches
  • Useful beyond one region or vertical
 

Share this with your team

 
 
Views: 114
Tags: ciso, cybersecurity, saassecurity, ai, cyberresilience, professionalciso
Votes: 0
E-mail me when people leave their comments –
Follow
Posted by pritha

Community Head, CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

Read More

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)