More than 70 percent of enterprises have prioritized SaaS security by establishing dedicated teams to secure SaaS applications, a trend identified for the first time in the fourth Annual SaaS Security Survey Report: 2025 CISO Plans and Priorities.
In an era where SaaS platforms power a wide spectrum of industries and the threat of SaaS breaches looms large, this is one of many aspects of SaaS security that is taking precedence now more than ever, according to the new survey, released this month by the Cloud Security Alliance (CSA) and commissioned by Adaptive Shield.
Download the full SaaS security survey report
Here are the key findings:
- 70% of Organizations Have Dedicated SaaS Security Teams
Despite economic instability and major job cuts in 2023, organizations drastically increased investment in SaaS security. In fact, the survey found, enterprises added headcount to SaaS security in 2023, with 56% increasing SaaS security staff.
The emergence of SaaS-specific security roles was identified for the first time in the annual survey: 57% percent reported having a SaaS security team of at least two full-time staffers, while another 13% said they had one person dedicated to securing SaaS applications.
SaaS security budgets are also increasing. The survey found that 39% of organizations increased SaaS cybersecurity budgets in 2023 compared to the previous year.
[Figure 1: How investment in SaaS security has shifted from 2022 to 2023]
“For years, SaaS security has been an afterthought. However, the landscape depicted in this year’s survey paints a dramatically different picture, one where SaaS security has surged to the forefront of corporate agendas,” the CSA says in the report.
This trend is confirmed in the survey findings where 80% of respondents now classify SaaS security as a moderate or high priority.
[Figure 2: Security professionals rate the priority level of SaaS security in their organization]
2: Organizations Have Improved Key SaaS Security Capabilities
Organizations have also significantly improved key SaaS security capabilities in the past year, the survey found. In fact, 19% percent of organizations now consider their SaaS security posture to be highly mature, with another 43% deeming it moderately mature.
[Figure 3: How organizations perceive their SaaS security maturity]
Thanks to acquiring SaaS security capabilities, visibility into the SaaS stack is increasing. Today, 70% of organizations have moderate (47%) to full visibility (23%) into their SaaS applications, with those achieving full visibility having more than doubled over the past year, the report said.
[Figure 4: Security professionals rate their visibility into SaaS applications]
Detection capabilities surrounding multi-factor authentication (MFA) attacks have also improved from to 62% from 47% a year ago. In threat detection, 62% percent of respondents state their ability to detect abnormal user behavior, compared with 44% a year ago.
“This enhanced oversight is pivotal for effective configuration and user management. It also plays a crucial role in identifying mistakenly or unwanted publicly shared data resources, such as documents and repositories,” the report notes.
3: Organizations Are Still Facing Challenges, Due to Using the Wrong Tools
While organizations have improved SaaS security oversight, 73 percent surveyed pointed to achieving visibility into business-critical apps as their biggest challenge.
According to respondents, the top 10 most difficult apps to secure include business-critical apps such as Microsoft 365, GitHub, Microsoft Teams, Jira, Salesforce, and Google Workspace.
[Figure 5: Top 10 most challenging applications to manage from a security perspective]
Additional challenges include tracking and monitoring security risks from third-party connected apps (65%); locating and fixing SaaS misconfigurations (65%); ensuring data governance and privacy (63%); and aligning SaaS application settings with compliance standards (61%).
[Figure 6: Security professionals rate the biggest challenges in SaaS security]
Survey data indicates a widespread utilization of tools such as CASB and manual audits, among others, for securing the SaaS stack. These organizations indicated they had significantly greater challenges securing their applications than those organizations that used SSPM.
Despite their utility, these tools lack the ability to address the full spectrum of requirements essential for robust SaaS security, the report notes, making them misaligned with SaaS attack vectors.
4: Despite Challenges, SaaS Security Investment is Paying Off
The investment the survey identified clearly demonstrates that organizations are taking SaaS security seriously. In fact, the survey identified a positive trend: 25% of respondents experienced a SaaS security incident in the past two years, compared with 53% last year.
[Figure 7: Thanks to investment in SaaS security, the number of breaches declined over the past year]
The most common security incidents reported were data breaches (52%) and data leakage (50%), followed by unauthorized access (44%) and malicious applications (38%).
[Figure 8: Most common types of SaaS security incidents in 2023]
Companies who have adopted SaaS Security Posture Management (SSPM) are faring better than those using other tools such as CASB, Cloud Security Posture Management (CSPM), and SASE, among others, for securing the SaaS stack.
Organizations that reported using SSPM as their SaaS security strategy enablers show a marked improvement in their ability to scale and monitor a larger portion of their SaaS stack, the report notes.
Those using SSPM are more than twice as likely to have full visibility into their SaaS stack — 62% of these organizations are able to oversee over 75% of their SaaS environment compared to those who utilize other tools and manual processes in their strategy (31%).
SSPM users were also more likely to find key SaaS Security tasks to be easy, while non-SSPM users found them to be very hard.
Conclusion
In conclusion, the CSA says the survey demonstrates a positive momentum in SaaS security strategy. In particular, the integration of SSPM emerges as a factor in enabling an organization’s SaaS security.
The survey highlights the importance of revisiting and refining SaaS security strategies within organizations to include tools that specifically address SaaS security, thus reducing the likelihood of a SaaS security incident in the future.
Download the full SaaS Security Survey: 2025 CISO Plans and Priorities report
About the Author
Hananel Livneh is head of Product Marketing at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a Senior Product Analyst. Hananel completed an MBA with honors from the OUI, and has a BA from Hebrew University in Economics, Political Science and Philosophy (PPE). Oh, and he loves mountain climbing.
Hananel can be contacted on linkedin and at adaptive-shield.com.
