Meet István Szénási, Head of Application Security at Emarsys in Hungary, SAP’s customer engagement platform. He is responsible for the secure development and operation of the Emarsys SaaS product and brings expertise in vulnerability management, incident response, and security awareness. He also advises on product development, focusing on essential security functions, and in pre-sales interactions he collaborates with major clients to tailor security features to their specific needs.
With Emarsys integrated into SAP’s ecosystem for three years, this interview offers a look into securing a complex marketing tool powered by AI and data-driven capabilities.
What key security functionalities do you find most important in supporting the development of Emarsys’s products, and how do you ensure they are seamlessly integrated?
If you check the published Secure Software Development Lifecycle frameworks of software companies, you’ll see many of them begin with training, and I can’t agree more with this. That provides the necessary skills and focus for the developers and everyone involved in the software development process. A properly implemented SSDL framework guarantees seamless integration; this involves several manual or automated tests, many of them integrated into the software build pipelines, and a validation and response plan.
Can you share some insights into the challenges of securing a SaaS product like Emarsys, especially in customer engagement and AI functionalities?
It’s not Emarsys-specific, but AI security is a new challenge. It’s been said so many times that 2023 is the year of the AI revolution, especially for Large Language Models. They introduced new types of threats for which we (the world’s cybersecurity community) don’t have full (100%) solutions. Still, we have something like a medicine: it usually helps, but it does not always fix the whole problem; maybe you need to take it continuously.
With the ever-evolving landscape of cybersecurity threats, how do you approach the process of identifying and mitigating vulnerabilities in the development life cycle of Emarsys’s applications?
Shift left! We try to detect and mitigate the threats as early as possible. Security should be included in all phases, especially the design/planning phase. However, many threats cannot be handled in the design phase.
Besides the regular internal and external penetration testing, a (semi-)public bug bounty program can be a great addition.
Managing incidents effectively is vital in cybersecurity. Can you introduce the magazine readers to your incident response framework and how it ensures an effective response to potential security breaches?
In my opinion, a good incident response framework is designed to ensure a timely and effective response to potential security breaches, minimize the impact on customers and the company, and prevent similar incidents in the future.
Identification: from various channels (internal monitoring, security researchers, law enforcement agencies, etc.).
Triage: determine the severity, impact and scope.
Investigation: get the root cause, the affected systems and data, and the potential impacts.
Mitigation: create a mitigation plan to address the incident. This can be deployment updates, disabling systems/services, or other measures.
Communication: communication with the stakeholders (customers, partners, agencies, …).
Review: conduct a post-incident review to identify lessons learned and improve the incident response processes and procedures.
Looking ahead, what emerging trends or technologies in cybersecurity are you closely monitoring, and how do you envision them shaping the future of securing customer engagement platforms like Emarsys?
Obviously, AI will heavily influence not just the products but security as well. Also, the emerging need for privacy features will be a big part of our future.