June 14, 2023 CSA: 55% of Orgs Experienced a SaaS Security Incident

New research shows significant rise in adoption of SaaS security posture management (SSPM) solutions by end of 2024.

The Cloud Security Alliance (CSA) shared findings of its latest survey, SaaS Security Survey Report: 2024 Plans & Priorities. The survey, commissioned by Adaptive Shield, the leading SaaS Security Posture Management (SSPM) company, is an annual effort to gather responses on SaaS security attitudes and efforts informed by 1,000-plus C-level security executives and IT professionals from all over the world, with the majority from North American enterprises.

“Many recent breaches and data leaks have been tied back to SaaS apps. We wanted to gain a deeper understanding of the incidents within SaaS applications and how organizations are building their threat prevention and detection models to secure their SaaS ecosystem,” said Hillary Baron, lead author and Senior Technical Director for Research, Cloud Security Alliance. “This explains why 71% of respondents are prioritizing their investment in security tools for SaaS, most notably turning to SaaS Security Posture Management (SSPM) as the solution to secure their entire SaaS stack.”

Maor Bin, CEO and co-founder of Adaptive Shield says that the enterprise attack surface in the SaaS ecosystem is widening, and just as organizations would secure a cloud infrastructure, they should prioritize SaaS security by securing SaaS data. “According to last year’s survey, 17% of respondents were using SSPM. This year, that figure has soared, with 80% currently using or planning to use an SSPM by the end of 2024.”

The dramatic growth is fueled, in part, by 55% of respondent organizations that recently experienced a SaaS security incident, resulting in ransomware, malware, data breaches, and more. Bin concludes, “Threat prevention and detection in SaaS is critical to a robust cybersecurity strategy spanning SaaS misconfigurations, identity and access governance, SaaS-to-SaaS access, device-to-SaaS risk management, and identity threat detection & response (ITDR).”

The IT and security professionals surveyed were from various-sized organizations, industries, locations, and roles. Other key findings included:

• Current SaaS security strategies and methodologies don’t go far enough: More than half (58%) of organizations estimate their current SaaS security solutions only cover 50% or less of their SaaS applications. This gap cannot be filled using manual audits and cloud access security brokers (CASB), which are not enough to protect companies from SaaS security incidents.
• Investment in SaaS and SaaS security resources are drastically increasing: 66% of organizations have increased their investment in SaaS apps, with 71% increasing their investment in security tools to protect these business-critical apps. This can be attributed to the fact that SaaS Security Posture Management (SSPM) provides coverage in areas where other methods have fallen short.
• Stakeholder spread in securing SaaS apps: CISOs and security managers are shifting from being controllers to governors as the ownership of SaaS apps is spread out through the different departments of their organization.
• How organizations are prioritizing policies and processes for their entire SaaS security ecosystem: Organizations are expanding their SaaS security to address a broad range of concerns in the SaaS ecosystem, including SaaS-to-SaaS Access, Device-to-SaaS Risk Management, Identity, and Access Governance, and ITDR, etc. Companies recognize the importance of human capital in safeguarding the SaaS ecosystem, but more is needed: While 68% of organizations are ramping up investments in hiring and training staff on SaaS security, only 51% have established communication and collaboration between security and app owner teams, and an abysmal 33% currently monitoring less than half of their SaaS stack.
• More focus must be dedicated to device hygiene: Ensuring the security of devices that access the SaaS stack is critical for preventing unauthorized access and data breaches. Despite this, only 54% of organizations check device hygiene for SaaS privileged users, 47% inspect the device hygiene of all SaaS users, and just 42% identify unmanaged devices accessing the SaaS stack.

To review the complete State of SaaS Security Survey Report: 2024 Plans & Priorities, visit https://cloudsecurityalliance.org/artifacts/state-of-saas-security-2023-survey-report/.

Subscribe to Industry Today