SaaS Security: Are You Moving Fast Enough?
2024-9-3 21:17:50 Author: securityboulevard.com (view original) Reads: 5

Reflecting on the more than 500 companies we serve and several recent meetings with IT and security teams, I am surprised that so many organizations are ill-prepared to counter the growing threat of cybersecurity attacks and breaches. Many innovative organizations are relying heavily on software as a service (SaaS) applications as part of their core business functions, yet many of them have little understanding of the SaaS risks they may be introducing.

Our recent research documented that 96.7% of organizations used at least one SaaS application that had a security incident in the past year. We also found that 8,500 applications already have embedded generative AI (GenAI) capabilities, and many of these AI-powered applications can train their models on user data.

My concern is that the slow adoption of SaaS security and impending regulatory changes could catch these organizations off guard because SaaS operates at a different pace than traditional software. The need for speed will become especially apparent as time-sensitive cyber defense requirements take hold.

Because supply chain attacks can spread laterally so quickly, financial-sector regulations such as NY-DFS in the U.S. and DORA in the EU now hold chief information security officers (CISOs) accountable for reporting security events in their SaaS supply chains quickly (a few hours for DORA and a couple of days for NY-DFS).

Top SaaS Security Risks

Two important considerations will impact the approach and pace of security team tasks:

  • SaaS Invisibility: Unauthorized use of SaaS applications is rampant. Nearly half of SaaS apps in the average organization are being used exclusively by a single employee, often unsanctioned and unsupervised. This trend is driven by the convenient consumerization of SaaS services.

    An equally serious issue is the often-unnoticed tendency of employees to unthinkingly accept the terms and conditions (T&Cs) of different SaaS providers without considering, or even knowing, the risks involved. This careless action could inadvertently allow thousands of SaaS apps to access and train on a company’s sensitive, non-public information and data.

  • SaaS Security Responsibility: While securing SaaS configurations is essential, the responsibility for cyber protection often lies with the SaaS provider and with how employees use the SaaS apps. Initial hardening of these app configurations is necessary, but not sufficient.

    This shared responsibility adds heavy vigilance requirements to already overloaded security teams that must quickly identify and address incidents to minimize potential damage and adhere to regulations. These teams also must guarantee that their SaaS applications meet essential security and compliance standards, maintain comprehensive records of cyber breaches and uphold security best practices.

SaaS Security Requires Speed

Manual processes to monitor and protect SaaS will be quickly outpaced, leaving the organization open to risk of breach and non-compliance. To ensure a 72-hour turnaround for notifications, security must be simple, efficient, and not heavily reliant on human processes.

SaaS security best practices must accommodate these time-critical challenges:

  • Speed in Supply Chain Change Detection: Periodic checks of the SaaS supply chain implied in financial regulations are critical, but not sufficient. The temptation for employees to experiment with new technologies and services has never been higher, and the organization’s supply chain changes rapidly. Triggering risk management processes as soon as a new service is introduced is critical. Expecting security teams to manually manage these actions is unrealistic.
  • Speed in Risk Assessment: Business users have a choice of more than 300,000 SaaS applications, necessitating a security approach that can easily accommodate quick decision-making within each business unit. Security, legal and procurement teams don’t have the resources to thoroughly investigate each service. Teams will need automated, quick insights into SaaS usage, compliance and AI capabilities to significantly reduce their time and cost impacts on the business.
  • Speed in Supply Chain Event Detection and Response: The interconnected nature of SaaS offerings means that a vulnerability in one application can affect the entire supply chain. Organizations have hundreds of SaaS applications in use. Incidents like the breach involving MOVEit, which propagated through the SaaS supply chain, are examples where quick detection and response are paramount.

    Regulations now mandate CISOs to report incidents within their supply chains in time frames measured in hours. The ability to communicate with security researchers or receive alerts from experts who will contact the organization’s teams in case of an emergency is incredibly valuable.

  • Speed in Implementation: Skilled and available cybersecurity practitioners are scarce resources in most organizations. Most rely on security solutions and partners, making choices based on what resources are required for implementation.

    The ideal cybersecurity solutions are easily deployed in the organization, do not require installation on endpoints (agentless) and use automation to share risk and work between employees, business units and security teams. Once again, the speed factor must be heavily weighted.

Prioritizing SaaS Security

To satisfy the need for speed, CISOs must prioritize efficiency in SaaS security posture management (SSPM): best practices that discover and manage the organization’s entire SaaS supply chain.

These best practices must reduce the attack surface by eliminating unused tokens, unnecessary apps and inactive users. They must also promptly detect and respond to leaked credentials, breaches and security events experienced by SaaS providers.

Criteria for meeting speed requirements should include near real-time identification of shadow IT and shadow AI, detection of security changes and security events, and real-time guidance from an incident response team (IRT) with personalized support until containment is achieved.
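As an added example (not code from the article, its author or any product the author describes), the following Python script implements a minimal version of the checks described in the sections above: flagging SaaS apps that are not in the sanctioned inventory, apps used by a single employee, grants created since the last periodic review (the trigger for a new risk assessment), OAuth tokens idle beyond a threshold, and users who have not signed in. The grant records, sign-in records, field names and the sanctioned-app list are all constructed for illustration; a real deployment would draw them from the identity provider's OAuth-grant and sign-in exports, whose actual field names differ.

```python
"""Minimal SaaS supply-chain change and hygiene check (added example).

All input data below is constructed; field names are assumptions about
what an identity provider's OAuth-grant and sign-in export would contain.
"""
from datetime import datetime, timedelta, timezone

# Assumed sanctioned inventory maintained by security/procurement.
SANCTIONED_APPS = {"crm-suite", "doc-storage", "ticketing"}

# Constructed OAuth grant records: who authorised which app, when the grant
# was created, and when the resulting token was last used (UTC, ISO 8601).
GRANTS = [
    {"user": "alice", "app": "crm-suite",   "granted": "2024-06-01T09:00:00Z", "last_used": "2024-09-02T10:15:00Z"},
    {"user": "alice", "app": "doc-storage", "granted": "2024-02-01T09:00:00Z", "last_used": "2024-08-30T16:40:00Z"},
    {"user": "bob",   "app": "crm-suite",   "granted": "2024-03-10T09:00:00Z", "last_used": "2024-04-01T08:00:00Z"},
    {"user": "carol", "app": "notes-ai",    "granted": "2024-08-30T14:20:00Z", "last_used": "2024-09-01T11:05:00Z"},
    {"user": "dave",  "app": "doc-storage", "granted": "2024-01-15T09:00:00Z", "last_used": "2024-09-01T09:30:00Z"},
    {"user": "erin",  "app": "chat-widget", "granted": "2024-07-01T09:00:00Z", "last_used": "2024-08-20T12:00:00Z"},
    {"user": "frank", "app": "chat-widget", "granted": "2024-07-01T09:05:00Z", "last_used": "2024-09-02T13:00:00Z"},
]

# Constructed sign-in records: last successful login per user.
LAST_LOGINS = {
    "alice": "2024-09-02T10:00:00Z", "bob":   "2024-03-30T09:00:00Z",
    "carol": "2024-09-01T11:00:00Z", "dave":  "2024-09-01T09:00:00Z",
    "erin":  "2024-08-20T11:50:00Z", "frank": "2024-09-02T12:55:00Z",
    "grace": "2024-02-01T08:00:00Z",
}

NOW = datetime(2024, 9, 3, tzinfo=timezone.utc)          # time of this run
BASELINE = datetime(2024, 8, 1, tzinfo=timezone.utc)     # last periodic review


def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def users_by_app(grants):
    out = {}
    for g in grants:
        out.setdefault(g["app"], set()).add(g["user"])
    return out


def unsanctioned_apps(grants, sanctioned):
    """Shadow IT: apps with grants that are not in the sanctioned inventory."""
    return {app: sorted(users) for app, users in users_by_app(grants).items()
            if app not in sanctioned}


def single_user_apps(grants):
    """Apps used by exactly one employee (typically unsupervised)."""
    return sorted(app for app, users in users_by_app(grants).items() if len(users) == 1)


def new_grants_since(grants, since):
    """Grants created after the baseline review: each should trigger a risk assessment."""
    return [(g["user"], g["app"]) for g in grants if parse_ts(g["granted"]) > since]


def stale_tokens(grants, now, max_idle_days=90):
    """Tokens not used within the idle window; candidates for revocation."""
    cutoff = now - timedelta(days=max_idle_days)
    return [(g["user"], g["app"]) for g in grants if parse_ts(g["last_used"]) < cutoff]


def inactive_users(last_logins, now, max_idle_days=90):
    """Users with no sign-in within the idle window; candidates for deprovisioning."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, ts in last_logins.items() if parse_ts(ts) < cutoff)


def hygiene_report(grants, last_logins, sanctioned, now, baseline, max_idle_days=90):
    """Combine all checks into one report that a reviewer can act on."""
    return {
        "unsanctioned": unsanctioned_apps(grants, sanctioned),
        "single_user": single_user_apps(grants),
        "new_grants": new_grants_since(grants, baseline),
        "stale_tokens": stale_tokens(grants, now, max_idle_days),
        "inactive_users": inactive_users(last_logins, now, max_idle_days),
    }


if __name__ == "__main__":
    for key, value in hygiene_report(GRANTS, LAST_LOGINS, SANCTIONED_APPS, NOW, BASELINE).items():
        print(f"{key}: {value}")
```

On the constructed data the report flags notes-ai (one user, granted after the baseline review, not sanctioned) and chat-widget (two users, not sanctioned) as shadow IT, bob's crm-suite token as idle, and bob and grace as inactive accounts. Running the same checks on every new grant event, rather than once per review cycle, is what turns the periodic check into the continuous detection the text calls for.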

Speed is the Only Option

The pace of SaaS security has accelerated tremendously in recent years. Simplified security solutions with automation can help to increase efficiency in complying with regulations and securing SaaS supply chains. Time-sensitive cybersecurity regulations are being adopted by more organizations across more regions, and the growing reliance on SaaS across functions is driving this need for speed.

Source: https://securityboulevard.com/2024/09/saas-security-are-you-moving-fast-enough/