The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released the findings of its latest survey, SaaS Security Survey Report: 2024 Plans & Priorities. Commissioned by Adaptive Shield, the leading SaaS Security Posture Management (SSPM) company, the survey gathered responses from 1,000-plus C-level security executives and professionals from all over the world, with the majority from North American enterprises.
“Many recent breaches and data leaks have been tied back to SaaS apps. We wanted to gain a deeper understanding of the incidents within SaaS applications, and how organizations are building their threat prevention and detection models to secure their SaaS ecosystem," said Hillary Baron, lead author and Senior Technical Director for Research, Cloud Security Alliance. “This explains why 71% of respondents are prioritizing their investment in security tools for SaaS, most notably turning to SaaS Security Posture Management (SSPM) as the solution to secure their entire SaaS stack.
“The attack surface in the SaaS ecosystem is widening and just as you would secure a cloud infrastructure with Cloud security posture management, organizations should secure their SaaS data and prioritize SaaS security,” asserts Maor Bin, CEO and co-founder of Adaptive Shield. “In last year’s survey, 17% of respondents said they were using SSPM. This year that figure has soared, with 80% currently using or planning to use an SSPM by the end of 2024. This dramatic growth is fueled by the fact that 55% of organizations stated they recently experienced a SaaS security incident, which resulted in ransomware, malware, data breaches, and more. Threat prevention and detection in SaaS is critical to a robust cybersecurity strategy spanning SaaS Misconfigurations, Identity and Access Governance, SaaS-to-SaaS Access, Device-to-SaaS Risk Management, and Identity Threat Detection & Response (ITDR).”
Among the survey’s key findings:
- Current SaaS security strategies and methodologies don’t go far enough: More than half (58%) of organizations estimate their current SaaS security solutions only cover 50% or less of their SaaS applications. This gap cannot be filled using manual audits and cloud access security brokers (CASB), which are not enough to protect companies from SaaS security incidents.
- Investment in SaaS and SaaS security resources are drastically increasing: 66% of organizations have increased their investment in SaaS apps, with 71% increasing their investment in security tools to protect for these business-critical apps. This can be attributed to the fact that SaaS Security Posture Management (SSPM) provides coverage in areas where other methods have fallen short.
- Stakeholder spread in securing SaaS apps: CISOs and security managers are shifting from being controllers to governors as the ownership of SaaS apps are spread out through the different departments of their organization.
- How organizations are prioritizing policies and processes for their entire SaaS security ecosystem: Organizations are expanding their SaaS security to address a broad range of concerns in the SaaS ecosystem, including SaaS-to-SaaS Access, Device-to-SaaS Risk Management, Identity and Access Governance, and ITDR, etc.
- Companies recognize the importance of human capital in safeguarding SaaS ecosystem but more is needed: While 68% of organizations are ramping up investments in hiring and training staff on SaaS security, only 51% have established communication and collaboration between security and app owner teams, and an abysmal 33% currently monitoring less than half of their SaaS stack.
- More focus must be dedicated to device hygiene: Ensuring the security of devices that access the SaaS stack is critical for preventing unauthorized access and data breaches. Despite this, only 54% of organizations check device hygiene for SaaS privileged users, 47% inspect the device hygiene of all SaaS users, and just 42% identify unmanaged devices accessing the SaaS stack.
The survey gathered more than 1,000 responses from IT and security professionals from various organization sizes, industries, locations, and roles.