CSA report aids mid-market firms in SaaS security strategy
The Cloud Security Alliance (CSA) has released a report aimed at helping mid-market organisations manage the growing complexities of their Software as a Service (SaaS) environments amidst limited resources.
In a survey commissioned by Wing Security, the CSA examined the strategies used by mid-sized companies to protect valuable assets from SaaS-related vulnerabilities and artificial intelligence (AI) risks. The report, named "SaaS and AI-Risk for Mid-Market Organisations," seeks to highlight the challenges and priorities faced by these companies.
Hillary Baron, Senior Technical Research Director at the Cloud Security Alliance, commented, "Mid-market organisations are making progress in recognising and addressing SaaS security risks, but significant gaps remain. To build a robust security posture, it's essential to prioritise specialised technologies that enhance visibility, automate processes, and close key vulnerabilities. By aligning priorities across IT, security, and business units, these organisations can better safeguard their assets and confidently navigate the evolving SaaS landscape."
One significant finding of the report is that mid-market organisations struggle to manage a large number of SaaS applications, with fewer than half prioritising protection of their sanctioned applications. Only 17% consider unsanctioned applications a priority, revealing substantial security gaps due to limited visibility.
The report also highlights that while many companies focus on protecting their most critical applications, broader concerns remain, such as automating configuration management across all applications. Only a minority plan to extend automation efforts beyond core applications to include lower-priority systems and application-to-application connections.
Concerns surrounding AI risks are becoming more pronounced; however, only 51% of organisations have dedicated teams to deal with AI-specific threats. This lack of a unified strategy often leaves these organisations open to potential risks and compliance issues.
Many security teams within mid-market firms continue to depend on manual processes and general-purpose tools such as cloud access security brokers, which are insufficient for comprehensive SaaS security needs. Notably, upcoming plans among these companies involve adopting specialised tools like SaaS Security Posture Management and Data Security Posture Management to better address visibility and critical risks.
There is also a positive trend towards increasing IT budgets and enhancing security initiatives, with nearly 90% of organisations aiming to do so. Still, only a small fraction maintains a dedicated budget line specifically for SaaS security, potentially leading to less effective, patchwork security strategies.
Galit Lubetsky Sharon, CEO of Wing Security, said, "Securing SaaS applications is a significant challenge for mid-sized companies, where limited resources meet an expanding attack surface. Yet, the importance of safeguarding these critical tools cannot be overstated. With the right strategies and technologies, mid-sized organisations can overcome these difficulties, ensuring the protection of sensitive data and maintaining business continuity in an increasingly SaaS-driven world."
Wing Security played a significant role in the project, co-developing the survey with CSA's research analysts. The survey gathered responses from 406 IT and security professionals in October 2024, which were then analysed by CSA's research team.