Seventy percent of enterprises are prioritizing investment in SaaS security by establishing dedicated teams to secure SaaS applications, as part of a growing trend of maturity in this field of cybersecurity, according to a new survey released this month by the Cloud Security Alliance (CSA).
Despite economic instability and major job cuts in 2023, organizations drastically increased investment in SaaS security. In fact, the survey found, enterprises added headcount to SaaS security in 2023, increasing SaaS security staff by 56%, as well as increasing budgets by 39%.
Figure 1: How investment in SaaS security has shifted from 2022 to 2023 |
The fourth annual SaaS security survey, "2025 CISO Plans and Priorities," was conducted by the CSA and commissioned by SaaS security leader Adaptive Shield. A total of 478 global security professionals participated in the survey, across all verticals. The survey shares their perspective on SaaS security successes and challenges as CISOs prepare to set priorities for 2025.
Download the full SaaS security survey report
Key findings:
SaaS Security is More Important Than Ever
The survey shows the growing importance of SaaS security to organizations, who use SaaS applications to manage operations and store critical data.
"For years, SaaS security has been an afterthought. However, the landscape depicted in this year's survey paints a dramatically different picture, one where SaaS security has surged to the forefront of corporate agendas," the CSA said in the report.
The survey found that 80% of organizations are prioritizing SaaS security with 41% making it a high priority and 39% a moderate priority.
Figure 2: Security professionals rate the priority level of SaaS security in their organization |
70% of Organizations Have Established Dedicated SaaS Security Teams
The emergence of SaaS-specific security roles was identified for the first time in the annual survey, with more than 70% confirming they have dedicated teams: 57% percent reported having a SaaS security team of at least two full-time staffers, while another 13% said they had one person dedicated to securing SaaS applications.
"Dedicated SaaS security teams make sense in an enterprise context. The role of SaaS security is cross-functional, overlaying multiple areas that are rarely touched by just a single team. Due to the nature of SaaS, these teams are involved in identity security, risk management, endpoint security, and threat detection," the CSA said in the report.
SaaS Security Capabilities Are Improving
Organizations have also significantly improved key SaaS security capabilities compared to the previous year, the survey found. In fact, 62% of organizations now consider their SaaS security posture to be moderately to highly mature.
Figure 3: How organizations perceive their SaaS security maturity |
Thanks to acquiring SaaS security capabilities, visibility into the SaaS stack is increasing. Today, 70% of organizations have moderate (47%) to full visibility (23%) into their SaaS applications, with those achieving full visibility having more than doubled over the past year, the report said.
This enhanced oversight is pivotal for effective configuration and user management. It also plays a crucial role in identifying mistakenly or unwanted publicly shared data resources, such as documents and repositories.
Detection capabilities surrounding multi-factor authentication (MFA) attacks have also improved from to 62% from 47% a year ago. In threat detection, 62% percent of respondents state their ability to detect abnormal user behavior, compared with 44% a year ago.
Organizations are Still Facing Challenges in SaaS Security Efforts
While organizations have improved SaaS security oversight, 73 percent surveyed pointed to achieving visibility into business-critical apps as their biggest challenge.
According to respondents, the top 10 most difficult apps to secure include business-critical apps such as Microsoft 365, GitHub, Microsoft Teams, Jira, Salesforce, and Google Workspace.
Figure 4: Top 10 most challenging applications to manage from a security perspective |
Additional challenges include tracking and monitoring security risks from third-party connected apps (65%); locating and fixing SaaS misconfigurations (65%); ensuring data governance and privacy (63%); and aligning SaaS application settings with compliance standards (61%).
Figure 5: Security professionals rate the biggest challenges in SaaS security |
Despite challenges, SaaS security investment is paying off
The investment the survey uncovered clearly demonstrates that organizations are taking SaaS security seriously. In fact, the survey identified a positive trend: 25% of respondents experienced a SaaS security incident in the past two years, compared with 53% last year.
The most common security incidents reported were data breaches (52%) and data leakage (50%), followed by unauthorized access (44%) and malicious applications (38%).
Figure 6: Thanks to investment in SaaS security, the number of breaches declined over the past year |
SSPM Users Able to Better Handle SaaS Security Challenges
Companies that have adopted SaaS Security Posture Management (SSPM) are faring better than those using other tools, such as CASB and manual audits, to secure the SaaS stack.
Those using SSPM are more than twice as likely to have full visibility into their SaaS stack — 62% of these organizations are able to oversee over 75% of their SaaS environment compared to those who utilize other tools and manual processes in their strategy (31%).
SSPM users were also more likely to find key SaaS Security tasks to be easy, while non-SSPM users found them to be very hard.
The survey demonstrates a positive momentum in SaaS security strategy. From establishing teams to implementation of new SaaS security processes and tools, organizations across the board are prioritizing efforts in SaaS security. The integration of SSPM emerges as a factor in enhancing an organization's SaaS security. The survey highlights the importance of revisiting and refining SaaS security strategies within organizations to include tools that specifically address SaaS security. This can help shore up the current difficulties and address security gaps they are currently facing, thus reducing the likelihood of a SaaS security incident in the future.
Read the full SaaS security survey report now