
Improving SaaS Security Beyond Procurement


In the world of cybersecurity, persuading employees to adhere to software-as-a-service (SaaS) and other cybersecurity policies is crucial in preventing incidents and breaches. According to Gartner, 99% of cloud breaches are caused by preventable misconfigurations or mistakes made by end users.

With the average cost of a breach now exceeding $4.4 million, it is clear why Chief Information Security Officers (CISOs) recognize the importance and urgency of boosting compliance with SaaS security protocols. However, security leaders can hinder their own efforts to increase companywide adherence to these policies when they impose excessive requirements on employees, especially during the procurement stages.

The idea behind mitigating the risk of onboarding insecure SaaS platforms is to intervene before a purchase or trial begins. This requires implementing audits and checklists such as vendor questionnaires, SOC2 audits, and penetration test reviews as part of the procurement process. These activities, which fall under the domain of third-party risk management, aim to proactively address potential SaaS cybersecurity risks that often arise during vendor onboarding and operationalization.

While it may seem like implementing approval stage gates or blockers is a gatekeeping mechanism that hampers innovation and process improvement, what is really needed is a cultural shift based on employee behaviors, usage metrics, and a clearly communicated SaaS procurement strategy.

However, it is important to note that the greatest risks to a business often occur after a new SaaS application has been implemented. The lack of configuration and attack surface assessment once a SaaS application goes live creates a blind spot for organizations, leading to a heightened risk profile that is often overlooked. To address this, companies should work with line-of-business owners to define risk guardrails that go beyond the initial procurement phase and implement continuous monitoring processes for SaaS applications.

It is commonly understood that organizations assess SaaS vendors before or during the procurement phase of an application or technology. However, SaaS risk does not end at onboarding or launch. SaaS environments go through continuous changes that can create critical security gaps and unintentional configuration drift over time. Additionally, vendors frequently push updates that can alter security settings, and those settings do not conform to any universal standard. This requires the CISO’s organization to learn and interpret each SaaS application’s unique security settings and create policies to protect the business and its data assets. Considering that the average organization uses between 50 and 100 sanctioned SaaS applications, developing this level of expertise in-house is challenging and unlikely.

Furthermore, the decentralized and extensible nature of SaaS presents another risk in the form of permission drift. Overprovisioning significantly increases the likelihood of leaks or compromise of sensitive data. If an employee with an over-permissioned account connects an unsanctioned SaaS app to an enterprise system, they unknowingly provide threat actors with another entry point to sensitive data. This was exemplified by a case witnessed by the AppOmni team, in which a CISO’s multimillion-dollar identity provider investment was essentially negated by SaaS applications with multifactor authentication (MFA) set to “optional” by mistake.
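As an added example (not from the article or from AppOmni), the following Python check encodes guardrails of the kind described above for one SaaS app: it reports settings that have drifted from the baseline (including the MFA-set-to-optional case) and pairs over-permissioned accounts with the unsanctioned apps they have connected. Setting names, role names and the sample snapshot are constructed placeholders, since every vendor's admin API uses its own schema.

```python
"""Drift check for one SaaS app: live security settings and account permissions
vs. guardrails. Added example, not AppOmni code; all names/data are constructed."""
from dataclasses import dataclass, field

# Guardrail baseline: the value each monitored setting must hold (constructed).
BASELINE = {
    "mfa_enforcement": "required",   # "optional" is the drift the article describes
    "session_timeout_minutes": 60,
    "public_link_sharing": False,
}
SANCTIONED_APPS = {"hr-payroll", "ticketing"}  # approved through procurement
ADMIN_ROLES = {"admin", "owner"}

@dataclass
class Account:
    user: str
    roles: set
    connected_apps: set = field(default_factory=set)

def config_drift(snapshot: dict) -> list:
    """One finding per setting whose live value differs from the baseline; a
    setting missing from the snapshot counts too (an update may remove a control)."""
    findings = []
    for key, expected in BASELINE.items():
        actual = snapshot.get(key)
        if actual != expected:
            findings.append(f"config drift: {key}={actual!r}, guardrail requires {expected!r}")
    return findings

def permission_drift(accounts: list, max_roles: int = 2) -> list:
    """Flag over-permissioned accounts; escalate when such an account has also
    linked an app outside the sanctioned set (the entry point described above)."""
    findings = []
    for acct in accounts:
        over = bool(ADMIN_ROLES & acct.roles) or len(acct.roles) > max_roles
        unsanctioned = acct.connected_apps - SANCTIONED_APPS
        if over:
            findings.append(f"over-permissioned: {acct.user} roles={sorted(acct.roles)}")
        if over and unsanctioned:
            findings.append(f"exposure path: {acct.user} linked {sorted(unsanctioned)}")
    return findings

if __name__ == "__main__":
    # Constructed data: MFA flipped to optional; alice (admin) linked an unsanctioned app.
    snap = {"mfa_enforcement": "optional", "session_timeout_minutes": 60, "public_link_sharing": False}
    accts = [Account("alice", {"admin"}, {"ticketing", "ai-notes"}),
             Account("bob", {"viewer"}, {"ai-notes"})]
    for line in config_drift(snap) + permission_drift(accts):
        print(line)
```

Run on a schedule against each sanctioned app's exported settings, this is the "continuous monitoring" the article calls for; the baseline itself is what the guardrail discussion with line-of-business owners should produce.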

Considering the risks introduced downstream in terms of configuration drift and data exposure, it is crucial for CISOs and their teams to emphasize the importance of vigilance in keeping the entire SaaS estate secure. This can be achieved by establishing relationships and guardrails and developing a dedicated SaaS security program, rather than obstructing and imposing excessive gatekeeping exclusively during procurement.

To address these challenges, it is recommended to opt for guardrails rather than policies that threaten budgets. These guardrails should clearly outline which activities are within bounds and which require a discussion first. It is also important to proactively engage with business leaders to understand their goals and explain the risks of breaches and leaks in terms of financial losses, productivity, and potential liabilities. Additionally, the security team should view its mission as helping the business achieve its goals securely and quickly, and be the first to propose alternative solutions if a desired SaaS app poses unmitigable risks.

While finance and procurement are crucial allies in the procurement process, they are not responsible for securing SaaS on a day-to-day basis. Therefore, clear guardrails and positive relationships are the smarter approach for long-term adherence to SaaS security.

Harold Byun, Chief Product Officer at AppOmni, brings over 25 years of experience in the security industry. With an extensive background in security domains such as security orchestration and automated response (SOAR), cloud access security broker (CASB), and data loss prevention (DLP), Byun understands the challenges organizations face in securing their SaaS applications. He emphasizes the need for a shift in culture, leveraging relationships and guardrails, and developing a dedicated SaaS security program to effectively mitigate SaaS risks and protect business assets and data.

In conclusion, persuading employees to adhere to SaaS and cybersecurity policies is crucial in preventing incidents and breaches. However, it is important to find a balance between enforcing necessary security measures and implementing excessive requirements that hinder innovation and process improvement. By focusing on relationships, guardrails, and a dedicated SaaS security program, organizations can effectively mitigate the risks associated with SaaS applications and protect their data.
