It may come as a surprise to learn that 34% of security practitioners do not know how many SaaS applications are deployed in their organizations. And it’s no wonder: the recent AppOmni The State of SaaS Security Report 2024 shows that only 15% of organizations centralize SaaS security within their cybersecurity teams. These statistics not only highlight a critical security blind spot, they also point to the fact that organizational culture is often overlooked as a driver of these risks. As SaaS environments become more decentralized, a lack of clarity around roles and responsibilities leaves companies blind to their own exposure.
Most security teams focus solely on technical issues, often ignoring how their company’s culture—its daily practices, attitudes, and default policy enforcement processes—shapes their organization’s security posture. Overconfidence, unclear responsibilities, and a lack of continuous monitoring can lead to SaaS security breaches. Let’s explore why creating a culture that values shared responsibility and proactive security is critical.
The role of culture in SaaS security
Decentralized procurement of SaaS applications has completely changed the game for many organizations. Business units are now free to choose and use the tools they need to maintain agility and achieve business goals, but with this freedom comes the enormous challenge of maintaining consistency and effectiveness in security practices across the board.
Risks of Unsupervised Autonomy
Business units are often focused on speed and innovation, which means security often takes a back seat. On the other hand, security teams are trying to keep up with the vast and ever-changing landscape of SaaS applications in which they had no say. The resulting disconnect can create a culture where security is not prioritized or, worse, seen as an obstacle that slows down business initiatives and operations.
More often than not, this is an environment where vulnerabilities can flourish. Autonomy increases productivity, but without coordinated security oversight, it also carries serious risks. Rapid deployment of new tools without thorough testing can weaken security controls and allow potential threats to go undetected.
Consequences in the real world
AppOmni’s survey of 644 decision makers and executives worldwide shows that 31% say their organizations have been affected by a data breach, five points more than a year earlier. This surge in breaches may well be due to the security culture around SaaS. The 2023 Snowflake breach, for example, was caused by customers who failed to implement two-factor authentication to secure their production environments. The massive supply chain incident at Sisense, a provider of a business intelligence (BI) and data analytics platform, points to the dangers of insecure SaaS ecosystems accessed by third parties.
In both cases, due to decentralized adoption, there was no visibility or control over third-party integrations, leading to widespread data exposure. These incidents drive the need for a security culture that extends across the entire organization, not just IT.
Creating a security-aware culture is not just about setting policies; it’s about changing your mindset. Business units must understand the importance of security and involve security teams in the early stages of selecting new tools. At the same time, security teams must actively work with business units and offer recommendations that support innovation, not hinder it. Bridging this gap between autonomy and security is key to creating a secure and productive environment.
Overconfidence and inconsistencies in SaaS security
Many organizations think they are secure, yet preventable breaches caused by issues such as misconfiguration continue to occur. Overconfidence is a cultural problem that can cause serious trouble.
Perception vs. Reality
While companies often rate their SaaS cybersecurity maturity as high, the reality is often different. There is often a gap between what is perceived as secure and what is actually secure, usually because the complexity and risks of a SaaS environment are underestimated.
SaaS platforms are highly customizable and integrate with many tools, but without careful management, they can create significant vulnerabilities. The AppOmni report shows that nearly half of respondents say they have fewer than 10 apps connected to the Microsoft 365 platform, but aggregate data shows that there are more than a thousand SaaS-to-SaaS connections to Microsoft 365.
The problem of organizational silos
Overconfidence in SaaS security often stems from a lack of understanding of the shared responsibility model. Many believe that basic security measures such as multi-factor authentication are enough to secure their SaaS environment. But without constant monitoring, vulnerabilities and other SaaS security issues can remain hidden until it’s too late.
Organizational silos exacerbate this problem. Different departments may have different levels of security awareness, leading to gaps in oversight. While IT generally understands the need for continuous monitoring, business units may not see the risks of uncontrolled SaaS use and thus have a much larger gap between perceived and actual security levels.
To solve these problems, companies must change their culture towards better collaboration and shared responsibility for security. It’s time to move beyond the false sense of security that comes with implementing generic security controls and adopt a more comprehensive approach that includes continuous monitoring, regular reassessment, and a commitment to security at all levels of the organization.
Shared responsibility and the importance of continuous monitoring
The shared responsibility model is a core part of cloud security that defines what SaaS providers and their customers are responsible for. But it is often misunderstood. SaaS security is not just about the vendor—it’s a team effort that requires active participation from both the SaaS vendor and the customer. Unfortunately, this shared responsibility can falter when there is a cultural gap that leaves the door open to breaches.
Critical role of SSPM
Continuous monitoring is the key to shared responsibility. SaaS environments are always changing, with updates, new users and integrations creating new risks. Without constant monitoring, these issues can go unnoticed until they are used to leak data.
To effectively manage these risks, it is essential to implement a SaaS Security Posture Management (SSPM) solution that offers a wide range of capabilities. A robust SSPM solution should include configuration and drift management to maintain policy baselines, data access exposure detection to flag common misconfigurations, and threat detection that integrates with SIEM and SOC tools.
A complete SSPM solution must also provide visibility into SaaS-to-SaaS connections and offer compliance assessments on demand. These features provide the real-time control needed to detect and fix problems before they escalate, keeping your SaaS environment secure.
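The following is an added illustration of the three SSPM checks named above (drift against a policy baseline, data-exposure flags, and SaaS-to-SaaS connection review), and of the earlier "perceived vs. actual" gap between the apps a business unit declares and the grants that actually exist. It is example code written for this page, not AppOmni's product or any vendor API; the baseline, the tenant snapshot, and the declared-apps list are constructed sample data.

```python
"""SSPM-style posture checks over a constructed SaaS tenant snapshot.

Example code written for this page; not AppOmni's product or any vendor API.
All input data below is constructed sample data."""

from typing import Any

# Constructed policy baseline agreed between security and the business units.
BASELINE: dict[str, dict[str, Any]] = {
    "mfa_enforced": {"expected": True, "severity": "high"},
    "external_sharing": {"expected": "restricted", "severity": "high"},
    "guest_access": {"expected": False, "severity": "medium"},
    "session_timeout_minutes": {"expected": 60, "severity": "low"},
}

# Constructed snapshot of one tenant: live settings, share links, and the
# third-party apps that hold OAuth grants into the tenant.
TENANT_SNAPSHOT: dict[str, Any] = {
    "config": {
        "mfa_enforced": False,                 # drifted: switched off after rollout
        "external_sharing": "anyone_with_link",
        "guest_access": False,
        # session_timeout_minutes is absent: missing settings count as drift
    },
    "shares": [
        {"object": "Q3-forecast.xlsx", "visibility": "public", "owner": "finance"},
        {"object": "onboarding.docx", "visibility": "internal", "owner": "hr"},
    ],
    "connections": [
        {"app": "crm-sync", "scopes": ["read:contacts"]},
        {"app": "ai-notes", "scopes": ["read:all", "write:all"]},
        {"app": "calendar-bot", "scopes": ["read:calendar"]},
    ],
}

# What the business unit believes is connected (the "fewer than 10 apps" view).
DECLARED_APPS = {"crm-sync"}

EXPOSED_VISIBILITY = {"public", "anyone_with_link"}
BROAD_SCOPES = {"read:all", "write:all"}


def detect_drift(config: dict[str, Any], baseline: dict[str, dict[str, Any]]) -> list[dict[str, Any]]:
    """One finding per baseline setting whose live value differs.
    A setting missing from the live config is reported as drift too."""
    findings = []
    for setting, rule in baseline.items():
        actual = config.get(setting)
        if actual != rule["expected"]:
            findings.append({"type": "config_drift", "severity": rule["severity"],
                             "setting": setting, "expected": rule["expected"], "actual": actual})
    return findings


def flag_exposures(shares: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One finding for every object shared outside the tenant boundary."""
    return [{"type": "data_exposure", "severity": "high", "object": s["object"],
             "owner": s["owner"], "visibility": s["visibility"]}
            for s in shares if s["visibility"] in EXPOSED_VISIBILITY]


def review_connections(connections: list[dict[str, Any]], declared: set[str]) -> list[dict[str, Any]]:
    """Compare real SaaS-to-SaaS grants with what the business unit declared.
    Undeclared apps are findings; broad scopes raise the severity to high."""
    findings = []
    for c in connections:
        broad = bool(BROAD_SCOPES & set(c["scopes"]))
        if c["app"] not in declared or broad:
            findings.append({"type": "saas_connection", "severity": "high" if broad else "medium",
                             "app": c["app"], "declared": c["app"] in declared, "broad_scopes": broad})
    return findings


def assess(snapshot: dict[str, Any], baseline: dict[str, dict[str, Any]], declared: set[str]) -> dict[str, Any]:
    """Run every check; return SIEM-ready events, per-type counts, and a pass/fail flag."""
    events = (detect_drift(snapshot["config"], baseline)
              + flag_exposures(snapshot["shares"])
              + review_connections(snapshot["connections"], declared))
    summary: dict[str, int] = {}
    for e in events:
        summary[e["type"]] = summary.get(e["type"], 0) + 1
    return {"events": events, "summary": summary,
            "compliant": not any(e["severity"] == "high" for e in events)}


if __name__ == "__main__":
    result = assess(TENANT_SNAPSHOT, BASELINE, DECLARED_APPS)
    for event in result["events"]:
        print(event)
    print(result["summary"], "compliant:", result["compliant"])
```

Each event dict is flat and typed so it can be forwarded to a SIEM as-is; the `compliant` flag is what an on-demand compliance check would report, and re-running `assess` on every snapshot is the "continuous" part of continuous monitoring.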
The cost of ignoring constant monitoring
While continuous monitoring is a critical component of a robust SaaS security program, many organizations don’t realize its importance until after a breach has already occurred and the damage has already been done. Cleaning up after a breach is costly, not just financially but also in terms of reputational impact. Omitting continuous monitoring undermines the whole point of the shared responsibility model because it leaves security gaps that could easily be addressed with proper precautions. To avoid this, organizations must make SSPM solutions a fundamental component of their overall security strategy, so that the company and its SaaS providers each do their part to keep everything secure.
SaaS Security Report
As more organizations jump on the SaaS bandwagon, a strong security culture is critical. Dive deeper into the 2024 State of SaaS Security Report and learn how to create a more secure SaaS environment.
How can you build a strong SaaS security culture?
Because organizational culture plays such an important role in protecting against SaaS breaches, a SaaS security solution starts with building a strong security culture within your organization.
To start building a SaaS-friendly security culture, make sure you:
- Improve communication: Ensure an open line of communication between business units and security. Everyone, including leadership, must understand why security matters and their role in protecting assets and resources. Security leaders can help by understanding business goals, offering guardrails instead of roadblocks, and speaking the language of collaboration.
- Provide ongoing cyber awareness training: Regularly inform your employees about the latest security threats and best practices. Employees should be aware of the risks associated with using SaaS applications and why it is important to follow security protocols. At the same time, be sure to show employees how best security practices can improve their productivity.
- Implement clear policies: Establish clear security policies that define the responsibilities of both business units and security teams. Make these policies easy to find and update them regularly.
- Develop a proactive mindset: Encourage your team to be proactive about security by reporting any potential vulnerabilities, participating in security initiatives, and staying current with company security practices.
- Use SSPM solutions: Invest in SSPM tools that provide continuous monitoring and threat detection capabilities. These tools help you detect and fix security problems before they become more serious.
By taking these steps, organizations can build a culture that not only drives their business forward, but also prioritizes security and reduces the likelihood of SaaS-related breaches.
Building a future-ready SaaS security culture
As SaaS adoption grows, maintaining security becomes even more difficult. Looking ahead to 2025 and beyond, it’s clear that technology alone won’t do the trick. Organizations must focus on creating a culture of security that permeates every part of their operations.
Reasonable costs for better security
It starts with sensible spending. Teams are already realizing the need to focus on cost effectiveness in their security programs. In fact, 29% expect return on investment in cybersecurity, as measured by risk reduction, to be a key topic of discussion in the coming year. To stay ahead, companies must protect their most important assets, use advanced tools to monitor access and configurations, and apply zero trust principles across their applications.
Security is about people, not just technology
After all, security isn’t just about tools and technology. It’s also about people. Creating a culture where every employee understands the importance of security is critical. Ongoing training in cybersecurity best practices will help employees adhere to policies and prevent data breaches. As organizations prepare for the future, aligning their culture with smart security practices will be key to reducing risk and staying secure.
Download the full report to learn more about future-proofing your SaaS environment.