SaaS Deployments: Why Security Must Be a Priority for CISOs

Published 2025-09-18
https://qld.cybersafebusiness.au/index.php/2025/09/18/saas-deployments-why-security-must-be-a-priority-for-cisos/

Is your organization truly secure when it comes to Software-as-a-Service (SaaS) deployments? Many Chief Information Security Officers (CISOs) face a troubling reality: they hold accountability for security breaches without having direct control over SaaS implementations. This disconnect between responsibility and control can lead to serious security vulnerabilities.

SaaS platforms are popular because they are easy to deploy and enhance business efficiency. However, this simplicity can also lead to significant security oversight. Often, the decision to implement SaaS applications is made by business units without involving the security team. This lack of visibility into SaaS deployments creates potential risks.

A recent survey by AppOmni, which analyzed 644 organizations using SaaS, reveals a startling trend: in 50% of organizations, securing SaaS applications is left entirely to business owners or stakeholders. Only 15% of organizations entrust their cybersecurity teams with full responsibility for securing SaaS implementations. This fragmented approach to security can lead to confusion and vulnerabilities.

One of the most concerning findings is that 34% of organizations don’t even know how many SaaS applications are in use within their operations. For example, 49% of Microsoft 365 users believe they have fewer than 10 applications connected to the platform. However, AppOmni’s telemetry suggests the actual number is closer to 1,000. This gap in awareness presents an attractive target for cybercriminals.

SaaS platforms are particularly appealing to attackers because they often present a one-to-many opportunity. If a SaaS provider’s system is breached, attackers can potentially access data from multiple customers. The 2019 Capital One hack, which exposed personal information from over 100 million credit applications, and the 2022 LastPass breach, which compromised millions of customer passwords and encrypted data, are clear examples of this risk.

However, not all attacks follow this pattern. The 2024 Snowflake-related breaches, for instance, involved a more complex method. Mandiant’s research suggests a single threat actor used many stolen credentials from various sources to gain access to individual customer accounts and then targeted those customers.

While SaaS providers typically have robust security measures, customers often rely too heavily on the provider’s security, neglecting their own responsibilities. Shockingly, 8% of organizations don’t conduct security audits because they trust their SaaS providers completely. Yet, many SaaS breaches result from attackers using legitimate credentials to gain access. This issue was a key topic at Black Hat 2024, where AppOmni discussed how stolen credentials have turned SaaS applications into playgrounds for attackers.

One of the underlying problems is a lack of understanding within organizations regarding the SaaS principle of “shared responsibility.” The concept is straightforward: while SaaS providers handle infrastructure security, customers are responsible for access control. Unfortunately, Mandiant’s research indicates that many customers fail to engage with this responsibility, leading to breaches that could have been prevented through better access management, such as using multi-factor authentication (MFA) and regularly rotating passwords.

The challenge is determining where this responsibility should reside within an organization. While security teams are best equipped to manage passwords and MFA, only 15% of organizations assign them full responsibility for SaaS security. Alarmingly, 50% of organizations leave this critical task entirely in the hands of non-security personnel.

Brendan O’Connor, CEO of AppOmni, underscores the severity of the situation: “Our report last year highlighted the disconnect between security self-assessments and actual SaaS risks. Now, despite greater awareness and effort, things are getting worse. The number of SaaS exploits has reached 31%, up five percentage points from last year. Despite increased budgets and initiatives, organizations must do a far better job of securing SaaS deployments.”

The key takeaway is clear: SaaS security needs to be a top priority. Regardless of how easy SaaS platforms are to deploy or how much they improve business operations, they should never be implemented without the involvement and oversight of the CISO and the security team. Ensuring that SaaS security is continuously managed and monitored is essential for protecting your organization from potential threats.