SaaS (software-as-a-service) cybersecurity is a unique segment with its own landscape of risks. As soon as you identify new ways to combat threats from cybercriminals, new ones appear. Adding to this complexity is the rapid growth of the SaaS market, which keeps bringing new applications and more users online.
So, what is the state of SaaS cybersecurity, and what are the risks and opportunities ahead? A new study of over 600 security professionals, mostly CISOs (chief information security officers), sheds light on this.
Key Takeaways from the Study
Overall, the report relays that CISOs take SaaS cybersecurity very seriously, with 70% of respondents saying it was a top-three priority. However, other findings indicate that leaders may be overconfident about having a mature strategy. The majority of respondents (71%) agreed that their SaaS cybersecurity is mature.
Looking at real-world scenarios, those touting their capabilities have also experienced cyber incidents, with 79% stating they had at least one in the last year.
As a result of these attacks, organizations have also experienced data leakage, security misconfigurations, elevated access privileges, and threat detection gaps.
There appears to be a disconnect between awareness of issues and actions to mitigate risk. The study also concluded there are gaps in security posture and understanding of the threat landscape.
Shared responsibility for SaaS cybersecurity between vendors and end-users was also a key topic in the study, identified as the best way to decrease risk. How organizations manage this element of cybersecurity is mixed: some rely on manual audits, some on automated audits, and some have no monitoring at all.
These are the highlights. Let’s dig deeper into each finding and the insights they can provide to help strengthen your team.
Maturity Overconfidence and Reality
One of the most shocking statistics from the study is that 85% of respondents said they don’t think there’s a SaaS security problem. That’s a very head-in-the-sand perspective. SaaS is a key target for hackers, and with companies using so many of these applications, the potential for exploitation grows. On average, organizations use over 100 SaaS apps.
A larger ecosystem correlates with more risk. Yet those answering the survey are highly confident in the maturity of their operations, security levels, and data security. If you looked at this data alone, you would conclude there isn’t a problem, but it needs more context. Much of this optimism stems from organizations taking a narrow view of SaaS cybersecurity.
Even though respondents have all this confidence, it isn’t borne out by what’s actually happening. Hundreds of millions of data records from SaaS environments have been breached and exposed, with 55% of companies having had some type of data leakage. That’s in addition to the 79% that have had a SaaS security incident. The types of incidents include:
- User permission vulnerabilities
- Data breaches and exposure
- App misconfiguration
- Insider threats
This information confirms that security incidents related to SaaS are common. Another SaaS report reveals that over 55% of organizations had an incident.
CISOs still have strong concerns about the security of SaaS, naming these as the top ones:
- Customer data compromise
- Data breaches and loss of IP (intellectual property)
- Compliance and audit findings
- Unauthorized cloud-to-cloud data transfers
- Over-permissioned users
- Insider threats
With incidents rampant and concerns growing, how can CISOs be so confident in their maturity? There are a few explanations. One is that they don’t know what they don’t know. It’s an easy place to find yourself. Most businesses don’t know there is a vulnerability until it’s exploited. It’s a blind spot for many, even if they are monitoring their SaaS installations.
The second is about how they approach cybersecurity. They may perform an initial risk assessment but then fail to repeat it or take other proactive steps like pen testing. They need to understand and manage SaaS implementations and their use across the enterprise.
The third reason has everything to do with your people. They may be overwhelmed and strained due to the many unfilled cybersecurity jobs. You have to do more with less, and that is a slippery slope in cybersecurity. Your team may also lack awareness and an open mindset to evolve how they combat threats because they fear change and hang onto what they do know.
As much as cybersecurity seems to be a technology-focused discipline, most threats and risks are people-based.
Organizations Do Audit SaaS Pre-Purchase but Don’t Continue to Do So
A best practice for any company is to test and assess any application it is going to adopt. The survey relays that this is happening, with 89% of respondents saying they do some kind of auditing. The problem, as noted above, is that they don’t continue these reviews and security risk identification once the application is in place.
Due diligence in pre-purchase evaluations is thorough, but once the application is live, there’s no further review. Often, the business owners of these programs are responsible for configurations and protocols, and these folks aren’t security-savvy. They may give too many users too much access and not require multiple types of verification at login. If every department is managing its own platforms, there’s inconsistency across the company and a lack of security visibility. Survey responses indicate that over one-third believe they do have visibility, secure configurations, monitoring, and user access covered.
Yet this confidence doesn’t hold up in the real world and doesn’t account for every layer of risk in SaaS usage. Thus, confidence seems skewed and misplaced unless organizations address how they approach cybersecurity.
SaaS Is a Dynamic Space that Requires Continuous Review and Adaptation
Another key issue in SaaS cybersecurity is how dynamic it is. There’s always a new version with added features, and users are added regularly. API integrations connect SaaS platforms to one another as well. It’s not an area of business that stays consistent, which means you have to have always-on security management. In the survey, 66% of respondents say they have monitoring capabilities. But is that monitoring enterprise-wide? Most of the time, it is not.
In addition to always-on monitoring, supported by regular vulnerability assessments and application pen tests, your strategy has to adapt continuously. It’s a volatile environment, and that makes it difficult for a lot of technical people. That doesn’t mean they don’t know cybersecurity or lack great technical knowledge. It’s a lack of soft skills that makes it hard for them to change.
You can install great cyber tools for SaaS, engage firms to do assessments and pen tests, and be highly aware of emerging threats and still be at high risk. You’ve got to get your people to be willing to evolve too. It’s often the hardest part of any CISO’s job. It’s not impossible, and the Secure Methodology™ offers a guide to do this.
Improving SaaS Cybersecurity with the Secure Methodology
The Secure Methodology is a seven-step process to transform technical people into excellent communicators and collaborators. It’s a strategy our founder, Christian Espinosa, developed and is the central theme in his book, The Smartest Person in the Room. Here’s a brief introduction to each step and how it relates to enhancing SaaS cybersecurity:
- Awareness: We must be aware of ourselves and our impact on others to be agile in thinking and approach. This step helps people open up to new perspectives through coaching and understanding motivations.
- Mindset: After achieving awareness, you move to mindset. The objective is to enable people to shift from a fixed to a growth mindset. Your team must be able to look beyond things being black or white, as that’s not the case in cybersecurity. It involves skill development around reflection and accountability.
- Acknowledgment: The third step is where leaders make a difference. Acknowledging the contributions and value of team members builds trust and rapport. Positive reinforcement works to assist people in evolving because it’s okay not to know everything.
- Communication: Communication is part of every step and area of cybersecurity. It’s essential in identifying, managing, and reducing risk. Communication aptitude development means leaving behind geek speak and talking to all people in a practical and supportive manner, along with listening.
- Monotasking: When you monotask, you focus on one project or task at a time. It’s the opposite of multitasking, which can lead to errors and mistakes. By encouraging your employees to do this, they can think more critically about threats and remove blind spots.
- Empathy: In this step, you help team members see others’ viewpoints, building on the learnings from the previous steps. When someone has this type of empathy, they are a better communicator and collaborator.
- Kaizen: The last step takes its name from a Japanese term that translates to “continuous improvement.” Thus, the work is never “complete,” and you’re always looking for ways to improve your strategies and defense posture. You evolve and adapt as the threat landscape does.
With these steps, you can improve all areas of cybersecurity and genuinely align a mature model with reduced risk. It’s a proven way to build the people skills of those who are technically minded. Learn more by reading the book and checking out the Secure Methodology course.