SecurityBrief New Zealand logo
New Zealand's leading source of cybersecurity and cyber-attack news
Story image

Exclusive: Okta CSO on scaling security alongside business growth

By Kai Ping Lew
Fri 3 May 2019
FYI, this story is more than a year old

Identity and access management solutions provider Okta recently marked its ten-year anniversary, announcing revenue of US$115million last year and an employee count of 1,500.

As the company continues to expand its identity platform, security continues to play a major part in the development of its products and strategy.

Techday spoke to Okta chief security officer Yassir Abousselham about scaling security in tandem with its growth, Okta’s recent acquisitions, and the journey to secure second factors.

In terms of security strategy, what’s changed for Okta since last year?

For us as a company, the challenge is to be able to grow the security capabilities at the same speed as the business.

We are acquiring more customers, and a lot of them are high-profile organisations who constitute better targets for attackers.

At the same time, we are acquiring companies and creating and releasing more features, which translates into more lines of codes and more things to make sure we secure.

In the context of all that, the challenge for any security team is to be able to maintain the effectiveness of the security environments while supporting the business.

That means not slowing it down and positioning security as a differentiator as opposed to something that cuts into the velocity of our releases and our products.

How active is the security team in the development of Okta’s products and services?

We are deeply entrenched in every aspect of the business, whether it is our product roadmap, the service, defining the strategy, and being there to define the requirements for a security organisation.

We're involved in branding, in making sure that our marketing campaigns have the right message, to be able to resonate with the security team.

So we're involved in every aspect of our business, and we want to continue doing so as we scale as a company.

Okta is making quite a few acquisitions at the moment – have you found it challenging bringing them to an acceptable level of security hygiene?

If you can get involved in the merger and acquisition cycle early on, then it's not going to be a challenge.

We do two things very well.

Security is involved in the early stages of any acquisition in the sense that we have those conversations, we do our due diligence on the acquisition and we make sure the target’s security is on par with what we expect for a company that's going to join Okta.

The second thing is that we have a process and a framework - we've established a roadmap for how any company acquired integrates within the information security programme at Okta.

Once we complete the acquisition, we do a number of things including deep dives into their security and penetration testing.

If there are any issues or any kind of improvements that we need to make, we make sure that those are completed even before we make the product available to our customers as an Okta product.

We integrate or take over a lot of their security processes.

For example, identity and access management, application security, and compliance.

In fact, for a company such as ScaleFT, which we acquired a few months ago, we're well underway and have made significant progress in getting them compliant, or showing at least compliance with things like SOC2.

We're also working on a number of additional compliance mandates, to be able to position them at the same level as Okta when we have these conversations with our current customers.

Okta is focusing on multifactor authentication (MFA), but attacks like SIM swapping can compromise it. How does this impact the effectiveness of MFA?

With approaches we take to security, there's always going to be vulnerabilities along the way.

You look back at the introduction of FaceID or TouchID on the iPhone, you have researchers that came up with ways to circumvent that.

These are small things that slow us down, but they do not necessarily speak to the effectiveness of the solution as a whole.

SIM swapping is an issue, but it is one that has a couple of things that make it not necessarily material in the larger scheme of things.

The first is that it is a vulnerability or attack that's executed on a one-on-one basis - it's not something that can be done at scale.

It's very tricky and very hard to execute.

The second thing is that it’s a known issue now.

A lot of the players in the industry are going to improve their controls to make sure that's no longer an issue and that the security of their customers is not going to be impacted.

If a threat actor is able to trick them into considering them as the owner of that phone number, it’s a breakdown of a control on the telecom operator side.

But I have to believe that telcos are taking the necessary steps to close those holes, and this is something that has existed for a while.

The verdict is that this is one very small roadblock, but it does not speak by any stretch to the effectiveness of multifactor authentication as a control to protect access.

Does Okta use phone numbers as one of the key ways to authorise the second factor?

Okta is a platform and we have to give our customers the flexibility to choose any factor that they need.

In some cases, some customers choose not to use a second factor and rely solely on password.

You have to be able to allow your customers to make those choices.

As much as it can appear as a given that an organisation will go for two factors from the get-go, it's not always obvious.

For organisations that have been in operation for a while - the more traditional industries, even - it's hard to manage the change between those technologies.

Going from password to a second factor is not something that's done overnight, it takes a lot of work and it takes a lot of organisational change management to make sure that you get to the endpoint.

To be able to achieve that goal, a lot of organisations have to take that intermediate step of using something that's available to all of their users - and that would be a phone number.

Not every organisation is going to have the ability to make that change to a stronger factor because of a number of different reasons.

In some cases, it's pushed back, there’s a reluctance to change from their users, many of those users can apply pressure through the executive representative and so on.

And in some cases, those reasons are economic.

Not every company is going to have the budget to invest in second factors that do cost and represents a significant line item in their IT budget.

So I think a lot of the other organisations, and at least security teams, have this target of getting all of the users to have a second factor that is strong.

But it is a journey.

And sometimes you have to be able to take intermediate steps to get there.

Related stories
Top stories
Story image
Tech job moves
Tech job moves - ActiveCampaign, Arcserve, LogRhythm & Qlik
We round up all job appointments from June 17-22, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Online identity theft is rising in NZ - here’s what to do about it
It may start with a few stolen details online, but it could end with thousands of dollars missing or worse, a reputation down the drain.
Story image
Internet of Things
Domino's Pizza: A blueprint for secure enterprise IoT deployment
Increasingly, organisations are embracing smart technologies to underpin innovations that can enhance safety and productivity in every part of our lives, from industrial systems, utilities, and building management to various forms of business enablement.
Story image
Artificial Intelligence
Abnormal Security finds financial supply chain under threat
New research by Abnormal Security has found a rising trend in financial supply chain compromise as threat actors increasingly impersonate vendors.
Story image
Data Protection
Thales solution supports DevSecOps teams with data protection
Thales' CipherTrust Platform Community Edition enables DevSecOps teams to deploy data protection controls into multi-cloud applications faster.
Story image
More than 90% of cyber attacks made possible by human error
The data are clear, with cyberattacks on the rise in recent years and the cybersecurity situation increasingly complex. 
Story image
ConnectWise reveals cybersecurity updates and partnerships
ConnectWise has unveiled new updates to its services and highlighted the importance of cyber insurance at its IT Nation Secure conference.
Story image
Amazon Web Services / AWS
Zscaler, AWS accelerate onramp to the cloud with zero trust
Zscaler has announced an extension to its relationship with Amazon Web Services, as well as innovations built on Zscaler's Zero Trust architecture.
Story image
Securonix partners with Snowflake, Zscaler in joint venture
Securonix is embarking on a joint technology integration with Snowflake and Zscaler to speed up threat detection and response at cloud scale.
Story image
LastPass announces new capability for iPhones and iPads
LastPass has announced its new save and fill experience, allowing customers to fill in, create and save their credentials directly within the site's form field.
Story image
Tech job moves
Tech job moves - Boomi, Limepay, Thales, VMware & Zoom
We round up all job appointments from June 6-16, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
SonicWall recognises partners and distributors at FY2022 partner awards
SonicWall has recognised its distributors and partners for their efforts in producing the company’s most successful year to date.
Story image
Sternum joins NXP, collaborates on IoT security and observability
Sternum has announced it has joined the software partner community of NXP Semiconductors, a manufacturer of and large marketplace for embedded controllers.
Story image
Aqua Security, CIS create software supply chain security guide
Aqua Securityand the Center for Internet Security have together released the industry’s first formal guidelines for software supply chain security.
Story image
New survey uncovers critical OT security challenges
While industrial control environments continue to be a target for cyber criminals, there are widespread gaps in industrial security.
Story image
Trend Micro unveils dedicated security for electric vehicles
The cybersecurity company has announced VicOne - dedicated security for the electric vehicles and connected cars of today and tomorrow.
Story image
Commvault's SaaS division experiences notable growth
Commvault has revealed the global momentum that its SaaS division Metallic has experienced since its launch two years ago.
Story image
New research shows global drive for passwordless authentication
A new study has shown there has been a significant shift towards wanting a passwordless future, but adoption is still in its infancy.
Story image
Schneider Electric and Claroty launch building security solution
Schneider Electric has announced the launch of Cybersecurity Solutions for Buildings, a solution designed to help buildings customers secure BMS.
Story image
Data resilience
Digital resilience in 2022 - A10 Networks releases new study
Of the 250 corporate organisations surveyed, as many as 95% showed high levels of concern for all aspects of enterprise digital resilience.
Story image
Why the success of client collaboration projects depends on addressing these five warning signs
New tools, applications, and software have enabled project collaboration to continue remotely, both between employees within an organisation and with its clients.
Story image
Dark web
Cybercrime in Aotearoa: How does New Zealand law define it?
‘Cybercrime’ is a term we hear all the time, but what exactly is it, and how does New Zealand define it in legal terms?
Story image
Palo Alto Networks named Google Cloud technology partner of the year for security
Palo Alto Networks was recognised for helping organisations rapidly transform security operations for future success.
Story image
Threat actors ramp up their social engineering attacks
As people get better at identifying potential threats in their inbox, threat actors must evolve their methods. Their new M.O? Social engineering.
Story image
How Wavelink fosters creativity and careers in the channel
Wavelink is a 100% channel business, with all sales flowing through its authorised reseller partners. It has been a B2B technology distributor for almost 24 years and offers a broad range of software across cybersecurity, mobility, networking, and healthcare.
Story image
Identity and Access Management
Ping Identity launches corporate venture capital fund
Ping Identity has launched a corporate venture capital fund to foster innovative offerings for the identity security market.
Story image
Aqua Security launches cloud native security SaaS in APAC
Aqua Security has announced the general availability of cloud native security SaaS in Singapore, serving the broader APAC region.
Story image
Varonis strengthens security capabilities for AWS and S3
Varonis has strengthened and expanded its cloud and security capabilities, with a critical aim of improving safety and boosting data visibility in Amazon Simple Storage Service (S3).
Story image
Why is NZ lagging behind the world in cybersecurity?
A recent report by TUANZ has revealed that we are ranked 56th in the world when it comes to cybersecurity - a look into why we're so behind and what needs to be done.
Story image
10 Minute IT Jams
Video: 10 Minute IT Jams - An update from Rimini Street
Today we welcome back Daniel Benad, who is the GVP & regional GM for Oceania at Rimini Street.
Story image
Ready for anything with the PagerDuty Operations Cloud
In a world of digital everything, teams face increasing complexity. Ever-growing dependencies across systems and processes put customer and employee experience, not to mention revenue, at risk.
Story image
Malwarebytes expands Nebula platform with DNS module
Malwarebytes has expanded its Nebula platform with a new DNS Filtering module designed to provide a quick, flexible, and comprehensive Zero Trust offering for Nebula users.
Story image
Q1 DDoS and application attack activity reveals surprise result
The cybersecurity threat landscape in the first quarter of 2022 represented a mixed bag of old enemies and new foes. New actors dominated the DDoS threat landscape while application security faced tried-and-true attack vectors.
Story image
OCEG survey shows demand for connected GRC systems
The survey also revealed that many organisations lack visibility and connected processes to manage the increased velocity and volume of risks. 
Story image
Ingram Micro launches vendor-backed security program
Ingram Micro has unveiled a new program intended to give resellers the effective offerings their customers need to stay safe in the evolving threat landscape.
Story image
Greater API usage raises concerns for protection - report
Radware has released its 2022 State of API Security report, which shows a rise in APIs, with 92% of the organisations surveyed significantly or somewhat increasing their usage.
Story image
Industry-first comprehensive risk-based API security enhances protection
Application Programming Interfaces (APIs) have become a crucial part of operating web and mobile application businesses and are causing significant economic growth in the digital sector.
Story image
SMX partnership with Microsoft leads to NTT recognition
SMX has captured the attention of NTT after receiving positive reviews from businesses across Australasia and beyond for its email security.
Story image
Flashpoint unveils security offering for school boards
Flashpoint has released its K-12 risk management and security offering to provide school boards and education security practitioners with tools to recognise, prevent and manage cyber and physical threats.
Story image
IT and security team collaboration crucial to data security
Many IT and security decision makers are not collaborating as effectively as possible to address growing cyber threats.
Story image
Secure access service edge / SASE
Cloudflare adds new capabilities to zero trust SASE platform
New features for Cloudflare One include email security protection, data loss prevention tools, cloud access security broker, and private network discovery.
Story image
Significant security concerns resulting from open source software ubiquity
"The risk is real, and the industry must work closely together in order to move away from poor open source or software supply chain security practices."
Story image
Hundreds arrested, millions seized in global INTERPOL investigation
A two-month-long investigation by INTERPOL this year involved 76 countries and clamped down on organised crime groups behind telecommunications and social engineering scams.
Story image
Digital Transformation
Cybersecurity priorities for digital leaders navigating digital transformation
In recent years, Asia-Pacific has especially been a hotspot for cyberattacks, and as we continue into 2022, it’s evident that the problem is becoming more significant.