How to Get ROI Out of Your SaaS Security Investment: 5 Steps

Neda Pitt
Updated April 22, 2025
Reading time: 5 minutes

SaaS security is a multi-faceted initiative, delivering ROI in Security as well as across Finance, Legal, and other business departments that use applications. It’s not something you can implement in a silo. It requires collaboration and cooperation across departments if you want to generate value.

As a seasoned veteran in the CISO world, I built a SaaS security program from the ground up through a Reco implementation in my previous role. I learned a few things about what creating a successful program requires, how to make an impact, and how to measure progress.

For those of you who are ready to dive into the vast universe of SaaS security, I offer this blog. Follow these steps to get ROI out of your SaaS security investment.

How Do You Measure ROI in SaaS Security?

It’s important to set clear goals and expectations in the beginning. So before we talk about how, let’s talk about what we’re trying to achieve. When I talk about ROI in cybersecurity, I define it in a few ways.

1. Reduced Chance of Costly Breaches

We know that the average cost of a data breach in 2024 was $4.88M, and the average cost per record was $169. So, based on the data we know we hold in our systems, we can quantify just how much a data breach would cost us financially if a particular system were to be breached. Plus, there are legal and compliance costs that must be considered.

There are also soft costs. For example, the reputational damage that comes with a data breach: long-term brand degradation, which leads to revenue reduction as the public becomes increasingly distrustful of your organization.

Then there are the productivity losses that accrue as your organization deals with the breach. Meetings, litigation activities, press conferences – data breaches are disruptive, distracting teams from their day-to-day jobs.

2. Reduced Third-Party Risk

Some vendors prioritize security more than others, so one of the goals of my SaaS security program was to improve the overall security posture of our vendor portfolio. The Reco platform provides a vendor risk score from A to F, so if we can bring up our average rating, that is ROI we can measure.

3. Increased Business Velocity

Security has to envelop every department; however, not every department treats security as a first priority. If we discover a particular system is being used and it hasn’t been set up with Security, we’re going to go to those users and start asking questions and poking around. “Do you know who has access? Is MFA enabled?” and “When does access get revoked?” That doesn’t make anyone happy. It’s going to slow the business down.

If we can implement processes that empower our users to be nimble and flexible, then we are delivering ROI by supporting the business to move quickly. Speed to market, productivity gains, along with employee satisfaction: this is the ROI of efficient security processes.

4. Actual Dollars

You’re not always going to realize quantifiable financial gains when implementing a cybersecurity tool, but in the case of our Reco implementation, we did. The ROI for us was around $200K (more on this later).

5 Steps to Get ROI From Your SaaS Security Investment

You have to figure out how to “eat the elephant”. After implementing Reco, here are some things I recommend for improving time to value.

1. Start with Critical Assets

We started with the apps that were most critical and the data that was most confidential. They have the biggest blast radius, yielding the most potential damage if breached. We used the Reco platform to direct our efforts here. Reco ranks alerts by critical, high, and medium severity. The platform identifies risky configurations and access issues in the context of how critical the data is likely to be.

After that, we focused on core systems that everybody uses. Those are quick wins. Once you start fixing those you’re going to see the impact reflected in your posture score right away. Then people start to see, “Okay, this is easy.” And you’ll get some initial momentum on the project.

2. Consolidate Where You Can

Reco was uniquely positioned to meet our needs over other SaaS Security Posture Management (SSPM) vendors because of its ability to discover shadow applications. After Reco catalogued all our apps, we were able to have deeper discussions with our technology users around:

  • Why do you need that tool and what is your use case?
  • Did you know we have a different tool that offers the same functionality?
  • Who is managing this app and how are we going to secure it?

We found that we could reduce our blast radius by reducing apps with overlapping functionalities and consolidating redundant instances of the same app. This also reduced costs and management overhead. We saved around $200K just by consolidating project management tools, and that doesn’t even account for the ROI of the time saved from not having to manage all of those tools.

3. Get Buy-in From App Owners

One of the challenges of SaaS security is that SaaS ownership is so spread out, so you need buy-in from lots of different people to make changes.

Through Reco, we were able to see the security issues across all our SaaS apps, which allowed us to open up discussions with app owners about what needed to be done. Once we showed them, “you have all this data exposed,” they were very interested in cleaning this up. I found that most individuals want to do the right thing. You just have to explain to them the “why” and give them an easy path to remediation, and Reco allowed us to do that.

We also gave app owners access to Reco so they could monitor drift and self-heal, which improved our time to remediation.

4. Build Processes for Change Management

Remediating risks is one piece of the puzzle. The other piece is implementing processes that reduce security risk accumulation going forward. App sprawl, configuration sprawl, and identity sprawl – you can keep all of these in check with the right processes.

Here are some of the processes we implemented driven by Reco findings:

  1. Software request process: we created a process for requesting software through a ticketing system. By evaluating each app, we could make sure there was a business case for each one, get new apps under management, and reduce shadow IT. Do we need this app, or do we have something else that will work? This had to be a quick process to support the business.
  2. Third-party risk management: as part of our software request process, we evaluated the security posture of each app using Reco and BlackKite. We never accepted any app with a score below a “B”.
  3. App configuration: setting something up with default settings is never good enough. Once an app was approved, Security had to be involved in the deployment process from day one. We used Reco to validate that things were set up correctly.

5. Pull in Finance and Legal

What ends up happening is a bunch of people download the free version of an app. But once you get a certain number of users, there’s an enterprise license agreement that says that, technically, you’re supposed to be paying for an enterprise account. So there’s a risk that those companies will backcharge you if they find out.

That’s why Finance and Legal should have a vested interest in the project. I pulled in those teams and we looked at each contract to figure out where we may be in violation of an EULA. Then we created enterprise accounts where we needed them, which reduced our risk of unexpected financial losses and legal issues.

Drive Measurable ROI with Reco

That’s how I tackled SaaS security with Reco: contain, mitigate, pull in relevant stakeholders, and implement processes that help you reduce exposure going forward.

The Reco team was amazing to work with. They were in the trenches working with my team day to day. They were truly a partner in helping us achieve our goals.

As I transition into a new role, the work I did with Reco has primed me to build a mature SaaS security program even more quickly the next time around. And I see another Reco implementation in my near future.

Feel free to connect with me on LinkedIn if you have any questions about SaaS security or Reco.

ABOUT THE AUTHOR

Neda Pitt is a results-oriented and strategic security executive with an extensive track record of more than 22 years of experience modernizing vital IT systems and optimizing organizations in contemporary security management disciplines. She is an advocate for innovative information security and risk management practices that enable digital transformation and improve business KPIs. A decisive, people-oriented leader, Neda builds high-performing teams to ensure information assets, product technologies, manufacturing, enterprise IT, and third-party partners are secure.

Technical Review by:
Gal Nakash