Despite economic uncertainty and workforce reductions, 70% of organizations prioritize investment in software as a service (SaaS) security, according to a Cloud Security Alliance (CSA) survey of 478 IT security professionals. The commitment is reflected in the establishment of dedicated SaaS security teams within many organizations, as indicated by the report, which was commissioned by Adaptive Shield.
The majority (57%) of respondents have a SaaS security team of at least two dedicated full-time employees, and an additional 13% said they are allocating a dedicated full-time employee to SaaS security.
Hundreds of SaaS applications are often managed by different owners beyond IT and infosec, such as employees in Engineering, Marketing, Human Resources or Finance, explained Glenn Chisholm, cofounder and CPO at Obsidian Security. “Anyone handling SaaS security needs to be comfortable collaborating across these various functional groups and conversant in how changes to applications can impact the business,” he said.
The SaaS security specialists need to work with application owners to implement and enforce the security requirements. They are – or should be – a guide to help users implement security best practices.
Members of these SaaS security teams must understand the breadth of their exposure across applications, identities and data to truly protect their organizations from SaaS breaches.
It’s important for the specialists to keep up to date on standards impacting their industry and their business. With a growing number of regulations to which organizations must comply, the specialists should be aware of what it takes to secure SaaS applications. “SaaS security is more than posture,” Chisholm said. “We often see identity compromises as the starting point of many SaaS breaches, and these include human and app-to-app identities.”
Teams need a solid grasp of SaaS architectures, threat detection and knowledge of what data is being placed in the system – to start with, added Omri Weinberg, co-founder and CRO at DoControl. Other job functions include awareness of SaaS security configuration options and a wealth of compliance information covering all of this. “This is the unicorn of security staff,” he said. “Ultimately, given the lack of staff that can cover all of this and the needed number of people, companies will have to rely on a combination of SaaS-focused security solutions and a well-trained staff.”
It’s important to regularly train staff on security awareness and have a solid incident response plan. “This should include alerting your staff to any exposed data that could be used in social engineering phishing attacks,” Weinberg said. “Continuous monitoring will help you catch issues early.”
The CSA survey also highlights a notable increase in SaaS cybersecurity budgets, with 39% of organizations boosting their allocations compared to the previous year.
Organizations have made substantial progress in enhancing their key SaaS security capabilities, with full visibility into the SaaS stack nearly doubling since the previous year. This improvement positions companies better to prevent breaches and detect threats effectively.
However, challenges persist in SaaS security, primarily stemming from the use of inadequate tools such as cloud access security brokers (CASBs) and manual audits. Among them: managing misconfigurations, connected apps and visibility into security risks.
Chris Morales, CISO at Netenrich, said Generative AI (GenAI) and chatbots in SaaS applications introduce new security risks that organizations must monitor. “These AI systems handle large amounts of data, raising concerns about data usage, storage, and sharing,” he explained. “The rules for managing these risks are often unclear, so organizations must stay alert.”
Regular monitoring and auditing of AI systems is crucial to prevent data misuse or corruption, as is protecting the data they handle with strong encryption, access controls and constant monitoring.
Weinberg recommended doing due diligence on vendors and securing APIs. Adding continuous monitoring is key. “Regular assessments will help keep everything in check,” he said. “This includes understanding what data is stored in the SaaS to minimize the damage of anything that does get through.”
As Chisholm noted, SaaS applications are highly diverse. “The core challenge comes into understanding and normalizing protection across these diverse applications and working with distributed owners to ensure security of the relevant applications,” he said.
While cloud infrastructure breaches often happen due to posture, SaaS breaches are often driven by identity compromises. “It’s critical that SaaS security experts understand what is driving their risk and implement the right capabilities for their defense,” Chisholm said.