A case study on how a $10B global media firm significantly improved SaaS security posture
Media firms are in the business of image and reputation, and they don’t want bad publicity. With regulations requiring companies to report data breaches, information companies handling personal data must take extra care with cybersecurity.
Take for example the case study of a European-headquartered global media and information services company with an annual revenue of over $10 billion. The growing adoption of cloud-based SaaS collaboration tools was making it a challenge for security teams to stay on top of emerging data leakage threats.
More of the organization’s sensitive and valuable data was moving to the cloud with business-critical SaaS applications being used across teams and departments. The firm was also acquiring small enterprises. Every acquisition increased the number of applications and geographically distributed SaaS tenants added even more complexity.
After discovering a series of internal data breach incidents involving data stored in SaaS applications, the company decided to look for an automated SaaS security posture management solution that would enable its security team to monitor and manage risk in its SaaS stack, efficiently and effectively.
The firm evaluated multiple SaaS Security Posture Management (SSPM) solution vendors and chose the Adaptive Shield solution, considering, among other things, that it supported the industry’s widest portfolio of SaaS applications.
Forrester Consulting conducted a Total Economic Impact™ (TEI) study commissioned by Adaptive Shield to assess the ROI and benefits of the organization’s SSPM investment. In the cost-benefit analysis, the company achieved benefits worth $2.18 million over three years with a 201% ROI, and a return on investment in less than six months.
The study, summarized below, covers the customer journey from the SaaS challenge to the successful implementation of an SSPM solution.
Challenges of Protecting Data in SaaS Applications
Before the adoption of Adaptive Shield’s SSPM, the case study found that the media company’s security team lacked the necessary knowledge and skills to identify and mitigate risk in the controls and settings of SaaS applications. Since the security team had limited familiarity with each application, they could not oversee each application’s configuration. As a result, they could not ask the business unit application owners the right security configuration questions. On the other hand, with their newfound SaaS independence, app owners with “the keys to the kingdom” were reluctant to participate in new initiatives brought by the security team. Moreover, they were neither educated nor equipped enough to exercise security.
“We started seeing some small incidents resulting from SaaS misconfiguration, so we needed to do something about it… [It] was a wake-up call for us that we really need to look at all the configurations at scale,” the chief security officer of the company said in an interview with Forrester for the study.
The traditional manual approach to managing SaaS security was clearly failing, leading the firm to search for an automated solution that could provide visibility into, and control over, its SaaS applications throughout the organization.
Quick Improvement in Overall Security Posture
During the SSPM acquisition and rollout process, the company experienced a quick and significant improvement in its SaaS security posture score.
An immediate benefit was the quick reduction in the number of data breach incidents. Before implementing SSPM, the firm had experienced six incidents in a year. With the launch of the solution, the number began to decline rapidly, going down to three in the second year, and was projected to be one or fewer by the third year.
Before implementing Adaptive Shield, the company’s SaaS security posture score was 40%. During the proof-of-concept (POC) phase, the security team found issues in their SaaS configurations and fixed them.
“When we look at the security score trends, we observed a significant increase over time,” the CSO said.
The score improved rapidly to 70% in the first year, 85% in the second year, and was on track to reach 95% after three years. The total projected improvement in the overall score was 55%.
The substantial improvement in the overall security posture score was attributed to the SSPM’s capabilities for delivering visibility, remediation guidance, and ongoing monitoring.
Improvement in Misconfiguration Management Efficiency
A major contribution to overall security posture was improvement in misconfiguration detection efficiency. Automating the traditional manual approach to SaaS configuration management and remediation improved the efficiency of the process. The combined effort by the security and business teams spent on configurations for each application’s traditional annual risk assessment was reduced by 70 percent, from 100 hours to 30 hours per application.
By deploying Adaptive Shield, the organization was also able to significantly expand the number of monitored applications over three years from 20 to 60.
An additional benefit was a savings of 90% in the labor spent managing the firm’s compliance goals and priorities. Before the adoption of Adaptive Shield, the security team spent 2400 hours a year implementing compliance rules; afterward, the time spent decreased to 240 hours per year.
The study also found that the SSPM opened conversations between security and business owners, enhancing collaboration and trust between business and security teams, which saved the company time.
Gaining a Holistic View of SaaS App Management
In addition to quantifiable improvements, the company was interested in understanding the qualitative results of its investment in SSPM.
The study found that the solution helped the organization overcome the overall challenges introduced by the democratization of SaaS security and helped it secure SaaS data. It also enabled the organization to maintain a holistic view of SaaS-related inventory.
The security team gained a powerful tool to manage the inventory of SaaS applications, connected applications, users, and user devices, and track the status of SaaS subscriptions.
SSPM helped the organization achieve continuous compliance, avoiding any interruptions to business operations, and staying ahead of any SaaS security trends.
The Adaptive Shield solution also detected suspicious activities from new devices and new IP addresses.
Why SaaS Security Matters
The frequency of SaaS attacks is only growing and SaaS incidents are continuously exposing organizations to data leaks, breaches, compliance failures, and other potential disruptions in business operations.
This case study presents how Adaptive Shield helped a media organization improve SaaS security and streamline security operations.
According to the conclusion of the study, Adaptive Shield enabled the organization’s security team to “gain complete control and increased visibility of the security posture of all business-critical applications.”
SSPM is therefore making it possible for organizations to secure SaaS data while harnessing the growth potential of collaboration tools.