IT Brief UK - Technology news for CIOs & IT decision-makers

Organisations ramp SaaS security spend but gaps persist

Today

New research from the Cloud Security Alliance (CSA) has found growing concerns about the effectiveness of current approaches to Software-as-a-Service (SaaS) security amidst increasing adoption and investment by organisations.

The State of SaaS Security Report: Trends and Insights for 2025-2026, commissioned by Valence Security, surveyed 420 information technology and security professionals at large organisations. The findings highlight a disconnect between increased budgets and the ability to manage risks effectively, revealing persistent gaps in data protection, access control, and identity management within SaaS environments.

The report notes that SaaS security is now a high priority for the vast majority of organisations. Survey data shows 86% consider it a top priority, with 76% planning budget increases for SaaS security this year. However, despite the allocation of additional resources, fundamental issues persist.

Hillary Baron, lead author and AVP for Research at Cloud Security Alliance, said: "SaaS has become a core part of modern business operations, but securing it remains a moving target. Despite growing investment in and prioritisation of SaaS security, there remains an overconfidence in current SaaS security strategies. The reality is that distributed adoption, inconsistent tools, and fragmented processes leave critical gaps in visibility, identity management, and third-party access."

The research indicates that risks such as data oversharing and inadequate access control remain prevalent, with 63% and 56% of respondents respectively citing these as ongoing issues. This suggests that growing resource commitments have not yet translated into the comprehensive protections needed to secure sensitive data.

A significant proportion—79%—expressed confidence in their organisations' SaaS security programmes. However, the report cautions that this may reflect misplaced confidence, as 55% indicated employees are adopting SaaS tools without security team involvement, and 57% acknowledged struggles with fragmented SaaS security administration.

Identity and Access Management (IAM) emerged as a persistent challenge. According to the survey, 58% found enforcing suitable privilege levels difficult, and 54% reported lacking automation for lifecycle management. These gaps, the report notes, can directly result in breaches, complicate incident response, and increase exposure to risks.

The expansion of the SaaS ecosystem, including SaaS-to-SaaS integrations and generative AI tools, has also widened the attack surface. Nearly half of organisations (46%) are finding it difficult to monitor non-human identities such as service accounts and bots. Fifty-six per cent are concerned about over-privileged application programming interface (API) access, which can increase vulnerability to attacks.

Current strategies employed for SaaS security were largely described as fragmented. Sixty-nine per cent rely on vendor-native tools, 43% use general-purpose solutions like Cloud Access Security Brokers (CASBs), and 46% conduct manual audits. The report suggests that reliance on such mixed approaches leads to critical gaps, particularly as SaaS systems become more complex and interconnected.

Yoni Shohet, Chief Executive Officer and Co-Founder of Valence Security, commented: "The report's findings reveal a clear shift: SaaS security is no longer an afterthought. Organisations are not just recognising its importance—they're taking action to improve shadow SaaS discovery, posture management, and threat detection. As SaaS adoption accelerates, it's critical to ensure security strategies evolve in step with increasingly complex and interconnected SaaS ecosystems."

The survey, undertaken online in January 2025, included respondents from a range of industries and geographic locations. CSA research analysts were responsible for data analysis and interpretation. Project sponsors had no influence over the content or editorial direction of the report.

The State of SaaS Security Report underscores the need for a unified, purpose-built approach to SaaS security that moves beyond ad hoc, application-specific controls and addresses challenges such as discovery, posture management, threat detection, and risk remediation.
