Only 3% of organizations have a dedicated budget for SaaS security


Mid-market organizations are grappling with managing the large volume of SaaS applications, both sanctioned and unsanctioned, with actual numbers often exceeding expectations, according to Cloud Security Alliance.

Security teams are struggling with a growing attack surface

Disconcertingly, 44% of organizations prioritize protecting all their sanctioned applications, and a mere 17% include unsanctioned ones in this priority.

Given that limited visibility into these applications results in significant security gaps, specialized tools and automation are essential to securing this expanding digital footprint.

“Mid-market organizations are making progress in recognizing and addressing SaaS security risks, but significant gaps remain. To build a robust security posture, it’s essential to prioritize specialized technologies that enhance visibility, automate processes, and close key vulnerabilities. By aligning priorities across IT, security, and business units, these organizations can better safeguard their assets and confidently navigate the evolving SaaS landscape,” said Hillary Baron, Senior Technical Research Director, Cloud Security Alliance.

Many companies are concentrating their configuration management efforts on their most critical applications (e.g., Google Workspace and IDP/IAM services). While prioritizing these core systems is essential, broader SaaS environments should not be overlooked: worryingly, just 28% of organizations plan to automate configuration management across all applications.

To fully mitigate risks, organizations must expand automation and ensure comprehensive coverage across all applications, including those perceived as lower priority and application-to-application connections.

AI-related risks, particularly to data and intellectual property, are a growing concern. Whereas 55% of organizations reported being moderately concerned and another 20% stated they were highly concerned, only 51% of organizations have dedicated security teams to address AI-specific risks. The absence of a unified strategy and clear accountability leaves organizations vulnerable to evolving threats and compliance challenges.

Reliance on manual processes and insufficient tooling

Smaller security teams often rely on manual processes (48%) and general-purpose tools like cloud access security brokers (CASB) (48%), neither of which is sufficient for SaaS security needs.

The good news is that many organizations are planning to adopt specialized solutions like SaaS Security Posture Management (SSPM) and Data Security Posture Management (DSPM) — 52% and 56%, respectively — to enhance visibility and address critical risks.

90% of organizations plan to expand IT budgets or enhance existing security initiatives — such as risk management, configuration management, and risk detection and response — to address SaaS security.

Only 3% have a dedicated line-item budget specifically for SaaS security, even though relying on general IT/security budgets or reallocating funds from other projects can lead to reactive, patchwork investments that fail to fully address the unique risks SaaS applications pose. Dedicated funding and aligned priorities across teams remain critical for building an effective SaaS security strategy.

“Securing SaaS applications is a significant challenge for mid-sized companies, where limited resources meet an expanding attack surface. Yet, the importance of safeguarding these critical tools cannot be overstated. With the right strategies and technologies, mid-sized organizations can overcome these difficulties, ensuring the protection of sensitive data and maintaining business continuity,” said Galit Lubetsky Sharon, CEO, Wing Security.


