To curb SaaS sprawl, CISOs should think like entrepreneurs

CISOs used to be advised to “think like a hacker.” Now, facing mounting risks associated with SaaS sprawl and shadow IT, CISOs must learn to think like SaaS entrepreneurs.

Recently, I spoke with a CISO who lamented that a popular file-sharing provider wouldn’t disclose the number of accounts created by employees in his organization. If he wanted that information, he would have to upgrade to the enterprise edition. 

This type of hostage sales tactic is hardly unique. Have you ever tried to ask Amazon Web Services for a list of accounts created by your employees? I have. They won’t. It goes against the modern growth strategy for cloud and SaaS companies, which centers largely on user-led viral adoption. 

Going viral, usually associated with the world of would-be TikTok influencers, is also the goal for today’s growth-stage cloud and SaaS companies. Spend enough time with tech entrepreneurs and venture capitalists and you’ll hear about the “viral coefficient,” a measure of how many new users an existing user generates. These folks have had more than a decade to refine the playbooks on going viral, with the blogs of a16z, OpenView, and Unusual Ventures required reading for any aspiring SaaS startup founder today.

But why should CISOs—with everything else demanding their attention—care about these bully pulpits that extend out over the Valley? Because the same strategies that SaaS companies use to create a groundswell of loyal users have completely disrupted conventional enterprise security and governance processes, making it nearly impossible to monitor and manage SaaS use. The traditional governance processes involve vendor security questionnaires and top-down buying committees that cause “friction” that slows down adoption and consumes precious startup resources. Meanwhile, SaaS entrepreneurs have figured out that by selling directly to end users, they can avoid, or at least defer, this friction within the sales process.

Today, B2B SaaS adoption looks and feels more like the consumer mobile app experience we’ve all been trained on since the invention of the smartphone: create an account with your email address, start your free trial, invite your friends (or colleagues), enter your credit card info to continue use. This motion allows SaaS providers to deliver value quickly and gain sales leverage after they’ve reached a critical mass of users within the organization. 

It’s also led to unprecedented levels of shadow IT and SaaS sprawl, which increases risk and dramatically expands the enterprise’s attack surface. User-created SaaS resources are more difficult for security organizations to detect and monitor, especially in today’s hybrid and remote environments. And, they’re being introduced at a rate that far eclipses a security team’s ability to manually track down and remediate. Even at a mid-sized enterprise of 1,000 employees, a new SaaS account is created roughly every 20 minutes, according to Nudge Security data.

What’s a CISO to do?

Unfortunately, I too often meet with CISOs who still believe they can close the floodgates of user-led SaaS adoption through an arsenal of network and endpoint protection and monitoring technologies, IT policies chiseled into employee handbooks, and training ad nauseam. We’ve had well over 20 years to make this approach work, and yet shadow IT and SaaS sprawl have never been so pervasive. Blocking SaaS access only makes the shadow IT problem worse: in fact, our research shows that 67% of workers say they would work around such security blockades. It’s time for a new way of thinking.

CISOs used to be advised to “think like a hacker” in order to thwart cyberattacks. Now, to curb the risks of SaaS sprawl, CISOs need to think like a SaaS entrepreneur. They need to understand this new normal of user-led viral SaaS adoption, what makes it so compelling for their users and SaaS providers alike, and how it erodes conventional IT security and governance processes. 

If you can’t beat them (and you can’t), join them.

I don’t know who needs to hear this, but SaaS isn’t going away. And, trying to stop employee-led SaaS adoption is not a hill to die on. Rather, CISOs must focus on how to secure SaaS at the pace of adoption. To get there, CISOs can use the SaaS playbook to their advantage:

Stay ahead of SaaS go-to-market trends.

Just as CISOs stay on top of the tactics, techniques, and procedures (TTPs) that threat actors use as they evolve, it’s important to keep an eye on emerging trends in SaaS growth strategy. For example, SaaS startups want their products to be “sticky” and critical to business operations. Whereas business process integration used to require custom development work, SaaS providers are now focused on enabling low-code/no-code integration through OAuth. This makes it quick and easy for any user to grant a third-party app permissions to corporate data and business-critical systems, often with a single consent click and no administrator in the loop. Those grants outlive the sign-in that created them: the app keeps refreshing its tokens without prompting the user for credentials or MFA again, so a grant is only as trustworthy as the app holding it, for as long as nobody revokes it. That makes OAuth grants critical corporate assets that require continuous security monitoring.
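The kind of triage that monitoring implies, as an added example that is not Nudge Security’s code or any vendor’s API: it takes an inventory of third-party OAuth grants (the records below are constructed, and the field names are assumptions about what an identity provider’s consent export contains), scores each grant by the scopes it holds, whether the publisher is verified, and how long it has gone unused, and returns a review list ordered by risk. The scope strings are real Google Workspace and Microsoft Graph scope names; the risk tiers assigned to them are this example’s own judgement, not a vendor classification.

```python
"""Triage third-party OAuth grants for security review.

Added example, not code from the original page. The grant records are
constructed to resemble an identity provider's consent export; the field
names (app_name, publisher_verified, ...) are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Real Google Workspace / Microsoft Graph scope names. The high/medium split
# is this example's judgement: "high" hands the app broad write or admin
# access, "medium" hands it broad read access.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                              # full Gmail
    "https://www.googleapis.com/auth/drive",                 # full Drive
    "https://www.googleapis.com/auth/admin.directory.user",  # directory admin
    "Mail.ReadWrite", "Mail.Send",                           # Graph mailbox
    "Files.ReadWrite.All", "Directory.ReadWrite.All",        # Graph files/dir
}
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "Mail.Read", "Files.Read.All", "User.Read.All",
}
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Grant:
    app_name: str
    publisher_verified: bool        # assumed: IdP exposes a verified-publisher flag
    granted_by: str                 # the end user who clicked "Allow"
    scopes: List[str]
    granted_at: datetime            # timezone-aware
    last_used_at: Optional[datetime]  # None if the IdP has never seen it used


def risk_of(grant: Grant, now: datetime, stale_days: int = 90) -> Tuple[str, List[str]]:
    """Return (tier, reasons) for one grant. Tier is 'high', 'medium' or 'low'.

    Staleness is reported as a reason (a revocation candidate) but does not
    change the tier: an unused grant with broad scopes is still a broad grant.
    """
    reasons: List[str] = []
    high = sorted(s for s in grant.scopes if s in HIGH_RISK_SCOPES)
    medium = sorted(s for s in grant.scopes if s in MEDIUM_RISK_SCOPES)
    if high:
        reasons.append("high-risk scopes: " + ", ".join(high))
    elif medium:
        reasons.append("medium-risk scopes: " + ", ".join(medium))
    if not grant.publisher_verified:
        reasons.append("unverified publisher")
    last_activity = grant.last_used_at or grant.granted_at
    idle = now - last_activity
    if idle > timedelta(days=stale_days):
        reasons.append(f"unused for {idle.days} days")

    tier = "high" if high else "medium" if medium else "low"
    if tier == "low" and not grant.publisher_verified:
        tier = "medium"  # low scopes from an unknown publisher still merit a look
    return tier, reasons


def triage(grants: List[Grant], now: datetime, stale_days: int = 90) -> List[dict]:
    """Score every grant and return rows ordered highest risk first."""
    rows = []
    for g in grants:
        tier, reasons = risk_of(g, now, stale_days)
        rows.append({"tier": tier, "app": g.app_name, "user": g.granted_by, "reasons": reasons})
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], r["app"]))
    return rows


# Constructed sample inventory (not real apps, users or grants).
UTC = timezone.utc
SAMPLE_GRANTS = [
    Grant("Calendar Sync Pro", False, "alice@example.com",
          ["https://mail.google.com/", "https://www.googleapis.com/auth/calendar"],
          datetime(2024, 1, 10, tzinfo=UTC), datetime(2024, 6, 1, tzinfo=UTC)),
    Grant("Slack", True, "bob@example.com",
          ["openid", "email", "profile"],
          datetime(2024, 3, 2, tzinfo=UTC), datetime(2024, 6, 28, tzinfo=UTC)),
    Grant("DocReader", True, "carol@example.com",
          ["https://www.googleapis.com/auth/drive.readonly"],
          datetime(2023, 12, 1, tzinfo=UTC), None),
]

if __name__ == "__main__":
    now = datetime(2024, 7, 1, tzinfo=UTC)  # fixed so the output is reproducible
    for row in triage(SAMPLE_GRANTS, now):
        print(f"[{row['tier']:6}] {row['app']:18} granted by {row['user']}")
        for reason in row["reasons"]:
            print(f"          - {reason}")
```

In practice the inventory comes from the identity provider’s admin API or audit log rather than a hard-coded list, and the output feeds the “nudge”: the row’s `user` is the person to ask whether the app is still needed, and a high-tier row from an unverified publisher is the one to act on first.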

Be obsessive about UX. 

I can’t overstate how much SaaS entrepreneurs obsess over the user experience (UX) of their products. Those of us who build SaaS products go to the extreme to care for every interaction, to understand the user’s motivations and emotions at every step, and to look for ways to remove barriers and help them achieve their goals faster. 

Conversely, I can’t overstate how little the cybersecurity industry has considered the UX of cybersecurity for the general workforce. Until recently, the “employee experience” of cybersecurity wasn’t well-researched or understood. Yet, as 82% of data breaches continue to involve the human element, forward-thinking organizations are starting to understand the active and critical role their workforce plays in the success of their security programs. As such, security teams are looking for new ways to improve user experience, aligning it with employees’ work goals rather than standing in their way. 

Go viral with user-led SaaS security. 

Finally, CISOs can steal a chapter from the SaaS growth playbook to expand their SaaS security programs. Just as SaaS startups can gain massive scale and efficiency by directly reaching end users, CISOs can go viral by directly engaging end users (their workforce) in SaaS security and governance. SaaS security often runs a mile wide and an inch deep: basic administrative controls like enabling MFA, following the principle of least privilege, and conducting regular access reviews are hard to centralize over hundreds of apps, but not terribly complex for end users to do with the right oversight from the security organization. In short, work with your employees, not against them.

How Nudge Security can help

Nudge Security was built to help mitigate and manage SaaS sprawl. Not only can you see every cloud and SaaS account as it’s created, but we also provide insight into how your SaaS apps are connected with detailed visibility of OAuth grants, including scopes and who granted access. And with automated nudges, you can gain valuable context by asking how and why employees will use apps as they adopt them, reduce SaaS sprawl by guiding employees to use preferred alternative apps, and encourage employees to transfer ownership or delete accounts they no longer need. Sign up for a trial today to see your organization’s SaaS footprint in a few minutes.
