[rockostrich]

> get Zapier approved by security

How do you manage this when marketing relies on PII to do anything? We just went through a switch over to a multi-channel messaging SaaS from an internal solution that "worked" for 6 years. Handling the PII aspect of things was taken care of by the SaaS being SOC 2 and GDPR compliant, but something like Zapier seems like it gives users the control to move PII into systems that don't have that compliance. Or are there controls around which data can flow where?

[Kalium]

Long story short, you don't. No competent security organization taking their responsibilities seriously is going to issue a blanket approval of something as broad as Zapier.

What you can do is get an enterprise relationship in place, deploy tight endpoint monitoring and management, careful management of permissions at every level, and then make the review processes relatively fast. Not marketing-wants-to-build-a-whole-new-thing-with-lots-of-PII-tomorrow fast, but fast. Having strong systems for generating realistic test data and systems will make this prototyping much easier, though from experience Marketing will tend to dismiss such things.

Marketing's needs and goals are real and important and valid and blah blah blah blah. Mostly their institutional incentives are to barrel ahead as fast as possible with any and every tools available. A security organization's remit is to make sure that this isn't reckless and liability-inducing, which often means dialing back the speed from breakneck to manageable and maybe even doing some token amount of planning around what you hope to achieve.

[cm2012]

Yep, in small companies you get carte blanche, and there are two kinds of big companies. Those that make it work with a process like the above comment (which looks like a great and reasonable set-up), and those that kneecap their marketing departments by rejecting the tools needed for modern marketing.

As a side note, I've worked with 60+ startups. One thing that kills start-ups whenever it happens is giving too much power too early to the "default to no" departments of a company - security, legal, brand.

[Kalium]

It's been my experience that default-to-no is what happens when groups like security try a reasonable process... and find that marketing and similar enablement-first groups handle this by ignoring and bypassing it. This tends to set up a very ugly reckoning at some point. Marketing will lose, but the company overall will lose too.

If marketing ever says "But an enterprise contract with SAML is too expensive! Can't we just use the basic SaaS version?", it's time to check what other processes they're used to ignoring. I'd suggest starting with expense records. There's probably a bunch of vendors handled entirely on a director's credit card.

[ouEight12]

To be fair, the people that run SaaS platforms that extort a 3x multiple to go from "Pro" which just happens to have every feature they offer EXCEPT SAML, to "Enterprise" which, low and behold, adds no value /other/ than SAML all need to line up and die in a fire someplace.