According to a Gartner® Press Release, “by 2027, 75% of employees will acquire, modify, or create technology outside IT's visibility, up from 41% in 2022.” [1] Much of this trend is driven by the accelerated adoption of SaaS applications by business owners without the involvement of IT or cybersecurity teams, especially since the rise of remote work following the COVID pandemic.
This trend places a greater burden on CISOs to reconsider their cybersecurity strategies. It’s necessary to take into account wider business needs beyond just security concerns. By including the input of the business users who are adopting and using SaaS applications, security decision making can be more aligned with the business.
And what happens if the sprawling mesh of SaaS applications, integrations, data and users isn’t addressed by CISOs? As more employees adopt or manage SaaS applications outside of IT's purview, the risk of external attacks, insider threats and unintended exposure increases. Employees introduce risk in three recurring ways: consenting to unvetted third-party apps via OAuth (granting them API scopes on the organization’s data), sharing data with external collaborators, and creating local accounts that bypass the organization’s SSO (SAML) and MFA controls.
These risks can leave organizations vulnerable to the types of SaaS breaches that have occurred multiple times over the past year. One example is the January 2023 CircleCI breach, in which an attacker who gained access to CircleCI’s production systems exfiltrated customer secrets stored there, including GitHub OAuth tokens, forcing GitHub to revoke the affected tokens and customers to rotate every secret CircleCI had held.
To address these challenges, IT organizations must shift from owning risk remediation to advising on it. The role of the CISO is evolving from ensuring compliance through security policies to becoming a risk management advisor. CISOs must work closely with business owners to identify and manage the risks that come with SaaS adoption and develop a cybersecurity strategy that aligns with the organization's broader goals and objectives.
According to the same Gartner Press Release, “90% of employees who admitted undertaking a range of unsecure actions during work activities knew that their actions would increase risk to the organization but did so anyway”. [2] This compounds the prediction that kicked off this post: that 3 out of every 4 employees will adopt technology without IT or security in the loop.
So, to recap: 75% of employees are predicted to adopt technology without telling IT, and 9 in 10 of those who take risky actions know the action is risky and take it anyway. That’s a recipe for something, but it isn’t success.
There are ways to bring employees into the loop without taking away their ability to make the most productive technology choices. Automating security policies makes the conversation between employees and security routine rather than exceptional. Instead of blocking an employee’s choice outright, an automated policy acts as a guardrail: when it detects a risky change (a new OAuth grant, an external share, an account outside SSO), it asks the employee for context and a business justification before taking any action. If the employee doesn’t respond within a pre-defined timeframe, the policy remediates the risk on its own, and every step is recorded so the decision can be audited later.
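The guardrail workflow described above, as an added example that is not part of the original post and not any vendor’s product code: a finding opens a justification request, an in-window answer is recorded as accepted risk, and an unanswered finding is remediated exactly once when the response window expires. The finding kinds, the `notify`/`remediate` callables and the sample findings are constructed for illustration; in a real deployment `remediate` would call the SaaS provider’s API to revoke the OAuth grant or unshare the folder.

```python
# Added example (not from the original post): a minimal guardrail-policy loop.
# A risky SaaS change opens a finding and asks the employee for justification;
# if nobody answers within the response window, the policy remediates.
# notify/remediate are placeholders for Slack/email and provider API calls.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, List, Optional


class State(Enum):
    PENDING = "pending_justification"   # employee asked for context, clock running
    ACCEPTED = "risk_accepted"          # justification recorded, no action taken
    REMEDIATED = "auto_remediated"      # window expired, remediation ran


@dataclass
class Finding:
    finding_id: str
    app: str                 # SaaS app the finding belongs to, e.g. "github"
    user: str                # employee who made the risky change
    kind: str                # "oauth_grant", "external_share", "account_without_sso"
    detail: str
    opened_at: datetime
    state: State = State.PENDING
    justification: Optional[str] = None
    audit: List[str] = field(default_factory=list)   # decision trail


class GuardrailPolicy:
    """Ask first; remediate only when the response window has expired."""

    def __init__(self, response_window: timedelta,
                 notify: Callable[[Finding], None],
                 remediate: Callable[[Finding], None]) -> None:
        self.response_window = response_window
        self._notify = notify
        self._remediate = remediate

    def open(self, finding: Finding) -> Finding:
        finding.audit.append(f"opened; asked {finding.user} for justification")
        self._notify(finding)
        return finding

    def record_response(self, finding: Finding, justification: str) -> State:
        """Employee answered. Only a PENDING finding can be accepted, and an
        empty answer does not count as a justification."""
        if finding.state is not State.PENDING:
            finding.audit.append("response ignored: finding already closed")
            return finding.state
        if not justification.strip():
            finding.audit.append("empty justification rejected; still pending")
            return finding.state
        finding.justification = justification.strip()
        finding.state = State.ACCEPTED
        finding.audit.append("justification recorded; risk accepted")
        return finding.state

    def tick(self, finding: Finding, now: datetime) -> State:
        """Called periodically. Remediates exactly once, after the deadline."""
        if finding.state is not State.PENDING:
            return finding.state
        if now - finding.opened_at < self.response_window:
            return finding.state
        self._remediate(finding)
        finding.state = State.REMEDIATED
        finding.audit.append(f"no response by {now.isoformat()}; remediated")
        return finding.state


def run_demo() -> Dict[str, object]:
    """Two constructed findings: one answered in time, one never answered."""
    t0 = datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc)
    remediated: List[str] = []
    policy = GuardrailPolicy(
        response_window=timedelta(hours=48),
        notify=lambda f: None,                                # would message the user
        remediate=lambda f: remediated.append(f.finding_id),  # would revoke/unshare
    )
    oauth = policy.open(Finding("F-1", "github", "alice@example.com", "oauth_grant",
                                "third-party app granted repo scope", t0))
    share = policy.open(Finding("F-2", "google_workspace", "bob@example.com",
                                "external_share", "folder shared outside the domain", t0))
    policy.record_response(oauth, "")                 # rejected, still pending
    policy.record_response(oauth, "CI integration approved by the engineering lead")
    policy.tick(oauth, t0 + timedelta(hours=72))      # accepted: deadline irrelevant
    policy.tick(share, t0 + timedelta(hours=24))      # still inside the window
    policy.tick(share, t0 + timedelta(hours=49))      # window expired: remediate
    policy.tick(share, t0 + timedelta(hours=96))      # must not remediate twice
    policy.record_response(share, "late answer")      # too late: state unchanged
    return {"findings": {oauth.finding_id: oauth, share.finding_id: share},
            "remediated": remediated}


if __name__ == "__main__":
    for f in run_demo()["findings"].values():
        print(f.finding_id, f.state.value, "|", " / ".join(f.audit))
```

The two checks worth copying into any real implementation are the ones in `tick` and `record_response`: remediation must run once and only once per finding, and a response after the finding is closed must never silently reopen it or undo the remediation, since the audit trail is what lets security and the business owner review the decision afterwards.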
Once employees become part of the risk decision-making process, perhaps a future where 75% of employees make choices on their own won’t be a foregone conclusion. Employees can’t be faulted for trying to get their jobs done with the tools and the knowledge they have. By equipping business users with the necessary knowledge and skills to improve security posture, security teams won’t be on their own either.
In conclusion, by combining SaaS Security Posture Management (SSPM) with automated policy enforcement, security teams can apply zero-trust principles, least-privilege access and other security best practices across business-critical SaaS applications like GitHub, Salesforce, Slack, Microsoft 365, Atlassian and Google Workspace. This reduces the risk from SaaS misconfigurations, unvetted third-party integrations, oversharing of data, unmanaged users and privilege creep. It also educates users on SaaS security best practices while preserving business productivity.
[1] Gartner Press Release, Gartner Unveils Top Eight Cybersecurity Predictions for 2023-2024, March 28, 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
[2] Gartner Press Release, Gartner Unveils Top Eight Cybersecurity Predictions for 2023-2024, March 28, 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.