
The Alarming Security Gaps in Software-as-a-Service

Watch your SaaS.
Ryan Uliss
Contributing Writer

Software as a Service (SaaS) powers much of today’s enterprises, but it raises a pressing issue: who is responsible for securing these systems? As IT governance becomes more decentralized, the lines between responsibility and accountability blur, leaving organizations vulnerable.

AppOmni’s 2024 State of SaaS Security Report surveyed security decision-makers and managers at 644 organizations on this issue. Nearly half of those organizations are large enterprises with over 2,500 employees, and the respondents span several countries and security roles.

The findings reveal a growing gap in ownership of security, hidden risks from SaaS-to-SaaS connections, and a notable decline in confidence surrounding the security of sanctioned apps.

Accountability vs. Responsibility

One of the most significant findings in the report is the growing disconnect between accountability and responsibility in SaaS security.

With the decentralization of IT and security governance, various business units within organizations have gained the autonomy to independently adopt and implement SaaS solutions that meet their specific needs. While this can enhance productivity and agility, it also creates a fragmented security environment where the Chief Information Security Officer is often held accountable for breaches in systems they do not fully control.

The survey findings note that only 15% of organizations have centralized responsibility for SaaS security within their cybersecurity teams, highlighting the gap between who is responsible for securing these applications and who is held accountable when things go wrong.

A Lack of Awareness

Another key issue identified is the widespread lack of awareness regarding the risks associated with SaaS-to-SaaS connections.

As organizations continue to integrate more third-party apps with their core SaaS platforms, the complexity and risk of their IT environments grow. However, the report reveals that many organizations are not fully aware of how many SaaS applications are in use, let alone the potential vulnerabilities these connections introduce.

For instance, 34% of respondents admitted they didn’t know how many SaaS apps were deployed in their organization, and 49% of frequent Microsoft 365 users believed they had fewer than 10 applications connected to the platform. However, the aggregated data shows that there are, on average, over 1,000 SaaS-to-SaaS connections per Microsoft 365 deployment.

This lack of visibility can lead to severe security gaps, as organizations may not fully grasp the extent of their attack surface.

Inconsistent Enforcement & Dwindling Confidence

The study also highlights the concerning trend of inadequate enforcement of SaaS security policies.

While 90% of respondents claimed their organizations had policies to allow only sanctioned apps, 34% believed these policies were not strictly enforced. This represents a 12% increase from the previous year, indicating that the practical implementation of these policies is lagging.

The failure to enforce security policies consistently can lead to significant vulnerabilities, as unsanctioned apps may not undergo the same rigorous security checks as those approved by the IT department.

In addition to these challenges, the survey points out a decline in confidence regarding the security of sanctioned SaaS applications. The number of respondents who felt confident in the security of these apps dropped from 32% in 2023 to 27% in 2024. This decline is likely driven by the increasing number of high-profile data breaches, which have eroded trust in the security of even those applications that have undergone a traditional security vetting process.

Despite the increasing number of breaches, 24% of respondents reported that their organization hadn’t experienced any known SaaS security incidents. This reflects a broader pattern seen in previous years, where organizations tend to overestimate their cybersecurity preparedness and remain unclear about their responsibilities in securing SaaS applications.

Meanwhile, 31% of organizations acknowledged suffering a cyberattack resulting in a data breach, up from 26% in 2023, emphasizing the disconnect between perceived security and the actual risks they face.

A Call for Proactive Measures

The report concludes with a call for organizations to adopt a more proactive and holistic approach to security. This includes implementing strong policy controls, continuously monitoring SaaS environments, and ensuring that security principles such as Zero Trust are applied not only to app access but also within the applications themselves.

As SaaS adoption continues to grow, the need for a well-structured and comprehensive security program becomes increasingly urgent. By addressing the challenges identified, organizations can better protect their sensitive data, maintain compliance, and reduce the risk of costly data breaches.

The Wrap

The 2024 State of SaaS Security Report reveals the critical importance of improving SaaS security practices as these applications become more integral to modern business operations.

The decentralization of security responsibilities, lack of visibility into SaaS-to-SaaS connections, and insufficient enforcement of security policies all contribute to growing risks that organizations and security executives must navigate with care.

As the report makes clear, it’s imperative for organizations to start giving SaaS security more attention and take practical steps to protect their digital assets as our world becomes more interconnected.
