Corey Elinburg, Field CTO of Obsidian Security, has spent 25+ years helping industry giants from all verticals secure what matters most.
Salesforce launched its SaaS platform in 1999. ServiceNow followed in 2004 and Workday in 2006, and in 2008 Microsoft introduced the Business Productivity Online Suite, which later evolved into Office 365 and is now known as Microsoft 365—a platform many of us rely on today.
Despite our accelerated adoption of and increasing reliance on SaaS, many enterprises still struggle to secure these platforms effectively. SaaS-related security incidents are on the rise, yet most organizations suffer from blind spots driven by a combination of technical, organizational and cultural challenges.
Below are the most common reasons I’ve seen why SaaS security is often overlooked:
1. Misunderstanding The Shared Responsibility Model Or Underestimating Residual Responsibility
Many organizations mistakenly believe that SaaS vendors are solely responsible for security. In reality, while vendors secure the infrastructure and core application, customers are responsible for securing how the service is used—this includes user access, data sharing, MFA enforcement and more. That responsibility can extend across hundreds or even thousands of configuration settings.
Failure to understand this model often leads to neglected security tasks like access controls, audit logging or configuration hardening. Notably, the 2023 Snowflake-related breaches were attributed to customer-side misconfigurations—not vendor failures—impacting even large enterprises with mature security teams.
2. Shadow IT And Lack Of Visibility
Employees frequently adopt SaaS tools without going through IT or security, leading to “shadow IT.” These unsanctioned tools often handle sensitive data but remain invisible to security teams.
A 2025 study found that 55% of employees adopt SaaS without security’s involvement, and 57% report fragmented administration—making consistent oversight a challenge for many organizations.
This lack of visibility makes it difficult to enforce policies, manage risk or even know where critical data resides. As more teams adopt SaaS apps for convenience and speed, this problem continues to grow unchecked.
3. Security Teams Are Understaffed And Overburdened
SaaS security often gets deprioritized because security teams are stretched thin. A 2024 report from ISACA found that 61% of European security teams lack sufficient staff, and nearly half report budget constraints.
With limited resources, security teams focus on more traditional and well-known threats—like malware or network attacks—while SaaS security falls by the wayside. Without dedicated SaaS tools or staff, tasks that would be considered “standard modus operandi” for traditional IT are neglected, such as access reviews to uncover local SaaS accounts and audits of third-party integrations.
4. SaaS Adoption Outpaces Governance
SaaS tools can be deployed as quickly as the swipe of a credit card. Often, IT is not the “owner” of the SaaS application. Line-of-business teams prioritize agility and productivity, not security oversight. As a result, governance processes can’t corral or keep up with SaaS adoption.
In fact, 65% of unsanctioned SaaS apps are adopted without IT’s involvement, and 59% of IT leaders say SaaS sprawl is hard to manage. Security teams are left playing catch-up, trying to enforce controls after deployment, which is often too late.
5. Overreliance On Vendor Security Claims
Enterprises often assume that if a SaaS vendor claims to be secure (e.g., with SOC 2 or ISO certifications), then no further action is needed. This misplaced trust creates a false sense of security.
While SaaS vendors may protect infrastructure, they can’t control how customers use their platforms. Misconfigured permissions, unsecured data sharing or unvetted integrations can still lead to breaches—even on compliant platforms.
6. Compliance Over Risk Management
Many companies focus more on achieving compliance checkboxes than addressing actual risk. Regulatory frameworks like HIPAA or GDPR may mandate certain practices, but they don’t cover every SaaS-specific risk.
This compliance-centric mindset can lead to security complacency. Organizations may pass audits but still be vulnerable to evolving SaaS threats like OAuth abuse, insider risk or third-party API exploitation.
7. Poorly Managed Integrations And APIs
SaaS apps rarely work alone—they connect to other tools via APIs or integrations. These third-party connections often have broad permissions and can serve as attack paths if not properly secured.
A recent report found that 64% of active third-party SaaS integrations in enterprises are over-permissioned. And 68% had unknown or unmonitored third-party APIs, leaving them open to abuse or misconfiguration.
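The over-permissioned, unknown and unmonitored integrations described above are detectable from the grant inventory most SaaS platforms expose. The following is an added example, not code from the article or from Obsidian Security: it audits a constructed list of third-party integration grants against a sanctioned-integration registry and a list of high-risk scopes, and flags the conditions this section and the closing recommendation on continuous monitoring of third-party connections call out. Scope names, app identifiers and the registry are all assumptions constructed for the example; a real run would replace them with the platform's own permission names and the organization's approved-integration list.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Scopes treated as high-risk because they grant broad write access to data or
# identities (constructed list; map to the platform's real permission names).
HIGH_RISK_SCOPES: Set[str] = {
    "files.readwrite.all",
    "mail.readwrite",
    "directory.readwrite.all",
    "user.readwrite.all",
}

# Sanctioned integration registry (constructed): app id -> scopes the business
# owner actually approved. Anything outside this is either unknown or over-permissioned.
SANCTIONED: Dict[str, Set[str]] = {
    "app-crm-sync": {"contacts.read", "calendar.read"},
    "app-backup": {"files.read.all"},
}


@dataclass
class Grant:
    """One third-party integration grant as exported from a SaaS tenant."""
    app_id: str
    display_name: str
    scopes: Set[str]
    last_activity: Optional[date]   # None means no audit events were ever recorded
    owner: Optional[str]            # business owner accountable for the integration


@dataclass
class Finding:
    app_id: str
    display_name: str
    issues: List[str]


def audit_grants(grants: List[Grant], today: date, stale_after_days: int = 90) -> List[Finding]:
    """Return one Finding per grant that violates the integration policy."""
    findings: List[Finding] = []
    for g in grants:
        issues: List[str] = []
        granted = {s.lower() for s in g.scopes}

        approved = SANCTIONED.get(g.app_id)
        if approved is None:
            issues.append("unknown: not in the sanctioned integration registry")
        else:
            extra = granted - approved
            if extra:
                issues.append(f"over-permissioned: scopes beyond approval {sorted(extra)}")

        risky = granted & HIGH_RISK_SCOPES
        if risky:
            issues.append(f"high-risk scopes granted: {sorted(risky)}")

        if g.last_activity is None:
            issues.append("unmonitored: no audit activity recorded for this integration")
        elif (today - g.last_activity).days > stale_after_days:
            issues.append(f"stale: no activity for {(today - g.last_activity).days} days")

        if g.owner is None:
            issues.append("no business owner assigned")

        if issues:
            findings.append(Finding(g.app_id, g.display_name, issues))
    return findings


# Constructed sample inventory: one clean grant, one over-permissioned sanctioned
# app, and one integration nobody registered or monitors.
TODAY = date(2025, 6, 1)
SAMPLE_GRANTS: List[Grant] = [
    Grant("app-crm-sync", "CRM Sync", {"contacts.read", "calendar.read"}, date(2025, 5, 27), "sales-ops"),
    Grant("app-backup", "Cloud Backup", {"files.read.all", "files.readwrite.all"}, date(2025, 5, 22), "it-infra"),
    Grant("app-unknown-bot", "Helper Bot", {"mail.readwrite"}, None, None),
]


def run_sample() -> List[Finding]:
    return audit_grants(SAMPLE_GRANTS, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.display_name} ({f.app_id}):")
        for issue in f.issues:
            print(f"  - {issue}")
```

The registry is the key input: without an approved-scope baseline per integration, a tool can only report what is granted, not what is excessive. Feeding the findings into the same ticketing or SOC workflow used for traditional access reviews is what turns this from a one-off script into the continuous monitoring the conclusion recommends.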
Conclusion
SaaS security isn’t neglected because organizations don’t care—it’s neglected because of visibility gaps, cultural misunderstandings, rapid adoption cycles and strained security resources.
To close these gaps, enterprises need to:
• Gain visibility into SaaS usage and integrations.
• Clarify roles under the shared responsibility model.
• Dedicate resources to SaaS posture management.
• Adopt a risk-based approach, not just compliance.
• Continuously monitor configurations, access and third-party connections.
• Ensure their SOC and incident response teams are empowered with tooling to respond to SaaS-related incidents.
With the right focus, SaaS security can become a strength rather than a blind spot.
