The stakes are higher than ever for IT and ops teams to ensure that their organizations are protected from a security and compliance perspective, but new survey data from Blissfully shows that IT and ops pros underestimate the number of SaaS apps their organizations use by half. With a visibility gap that large, how are these teams coping?
The rapid adoption of SaaS only compounds visibility concerns. According to 2017 data, only 38% of companies were operating on mostly SaaS. Just two years later, new survey numbers show that the majority of organizations (68%) operate on mostly or all SaaS.
With fast app growth and limited visibility into the SaaS stack, nearly half (42%) of IT and ops pros surveyed said that balancing security and employee empowerment was a top priority that needs improvement.
Users and apps: A complex relationship
One of the biggest blind spots IT and ops teams face is the complex relationship between apps and people, otherwise known as the “SaaS Graph.”
The report shows that the average 200-500 person organization uses 123 apps, which doesn’t sound too unmanageable, until you learn that the same-sized company has 2,700 SaaS graph relationships! Each of these connections to an app represents a potential point of vulnerability for the organization if not managed appropriately.
To cope with this SaaS Graph sprawl, teams are relying on automation and external tools to take care of these concerns for them. For example, 82% of companies use IT automation or will use it in the future, while 71% already use single sign-on technologies to secure their application stack or plan to do so.
More and more tools have cropped up to ease the burden on IT teams who may not have full control over how their employees interact with technology. Luckily, SaaS companies themselves have risen to the challenge of alleviating security concerns for their customers by doubling down on data privacy and compliance initiatives.
Nearly three-quarters of the top 1000 SaaS apps are GDPR compliant
One promising signal that the SaaS industry has mobilized around data privacy and compliance is its responsiveness to the EU’s GDPR. SaaS companies have taken the regulation seriously, with 71% of the top 1000 apps achieving GDPR compliance since May 2018 (when GDPR took full effect).
While some SaaS companies may be concerned about the financial penalties of non-compliance, others may find that achieving GDPR compliance can become a major selling point (especially for enterprise and customer-facing apps).
A major part of any compliance effort is ensuring that internal security controls are in place within a SaaS organization, and that customer data is handled properly. Many SaaS apps have extended their compliance commitment beyond GDPR, with 44% achieving EU Privacy Shield compliance.
Some of the more optional compliance frameworks, such as SOC 2 or ISO 27001, have lower adoption, with 18% penetration among the top 1000 apps for each. However, once a SaaS company achieves SOC 2 or ISO 27001 compliance, it’s easier to achieve future compliance milestones.
The type of app itself may dictate which compliance certifications the SaaS company secures. For example, the SOC 2 compliance framework has a stringent focus on an organization’s internal security controls and processes.
Perhaps unsurprisingly, IT and security apps had the highest percentage of SOC 2 penetration (33%), while Marketing apps had the lowest (15%). On the flip side, since GDPR focuses on customer data privacy, externally focused Customer Support apps had the highest penetration (85%), while inwardly focused HR apps had the lowest (68%).
In addition, company size and amount of funding received seemed directly correlated to SOC 2 and ISO 27001 penetration — the larger the company and more funding received, the more likely the company is to have achieved compliance.
However, GDPR compliance is relatively consistent across the board, regardless of company size or funding received. This data shows that organizations don’t view GDPR as optional, and are prioritizing their customer security and privacy.
Organizations facing SaaS sprawl can still have control
One of the key takeaways from the survey is that teams are getting creative about retaining control in the face of increased responsibility.
The role of IT and ops has changed from a centralized, command-and-control style to more of a “collaborative IT” approach — where IT, ops, employees, team leads and other key stakeholders share responsibility for budgeting, procurement, security, and more.
The Collaborative IT operational model will become even more crucial as apps become a key driver of employee productivity. Shockingly, 45% of organizations say that employees don’t have access to all of the apps they need to do their jobs when they join a company.
A Collaborative IT approach can help ensure that new employees are onboarded and trained on their critical apps, and can get productive on day one.
Finally, as organizations get more sophisticated about automating IT and security processes, the onus will fall more heavily on SaaS companies themselves to comply with the latest regulations to protect their customers against data breaches and privacy violations.
On the positive side, this new era of automation will ease the burden on lean IT and ops teams, and make security a seamless part of every employee’s workflow.