JPMorgan Chase CISO Names SaaS Security as Top Priority. Here's Why.

Ofer Klein
Updated
December 30, 2024
January 3, 2025
4 minutes

This article was originally posted on Forbes as part of their Forbes Technology Council series.

In an article, Pat Opet, chief information security officer (CISO) at JPMorgan Chase, underscores the importance of securing software as a service (SaaS) applications in today’s digital landscape.

As companies embrace remote work, the adoption of SaaS applications enables them to facilitate collaboration, drive efficiencies, and foster innovation while maintaining a distributed workforce. And while SaaS applications play an essential role in empowering companies to thrive today, they introduce new risks.

“All these changes in technology create the opportunity for weakness or failure if companies aren’t diligent in how they mature these capabilities to make them available to employees,” Opet says.

Since it’s almost certain your company is using SaaS applications, there’s a good chance you’ve introduced security risks. But don’t be alarmed. Nearly every company today could benefit from enhancing its SaaS security capabilities with the latest solutions.

Here’s why you should prioritize SaaS security in 2025.

SaaS Ecosystems Are Constantly Changing

Companies rely on hundreds, if not thousands, of apps to support business operations. From service management systems to enterprise resource planning to email and communications platforms, the average enterprise is using 490 SaaS applications—and that number is steadily increasing.

On top of that, SaaS apps are constantly being updated with new features. This allows businesses to stay up to date with the latest technologies, but the dark side is that constant updating means constant change: settings, default permissions and integrations shift with each release, and the configuration you reviewed last quarter may no longer be the one running today.

Recommendations

• Prioritize SaaS application discovery: Maintain a dynamic inventory of all SaaS applications in use across the organization.

• Continuously monitor for shadow IT: Deploy tools to detect unauthorized SaaS applications.

• Automate security updates and configuration reviews: Track changes in SaaS applications and flag vulnerabilities introduced by updates.

You Need To Know Who Is Who, And Who Is Doing What

Onboarding with SaaS is as simple as sending someone a username and password. But this ends up generating so many identities that you can’t possibly know who is who and who is doing what. Many apps keep their own activity logs, but sifting through those for hundreds of apps just isn’t realistic—until something goes wrong. And by that point, it’s probably too late to prevent a breach.

Recommendations

• Implement centralized IAM tools: Deploy IAM platforms that centralize user provisioning, authentication and access control.

• Integrate zero-trust principles: Assume no user or device is trustworthy by default.

• Monitor user activity with centralized logs: Aggregate activity logs from all SaaS applications into a centralized logging or SIEM tool.
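The last recommendation is the one that does the detection work. The point of pulling every app's activity log into one place is that some signals only exist across apps: one app sees a login from one country, another app sees the same identity from a different country forty minutes later, and neither app's own log viewer can connect the two. The following is an added example, not code from the original article or from Reco; it normalises two constructed, made-up log formats (a JSON-lines "crm" app and a CSV "docs" app, neither a real vendor schema) into a common event shape and then runs a simple impossible-travel check over the merged stream. The event data, field names and the one-hour window are assumptions made for the example.

```python
"""Normalise audit events from two SaaS apps and correlate them across apps."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Iterator

# Constructed sample audit logs from two hypothetical SaaS apps, "crm" (JSON
# lines) and "docs" (CSV). The schemas and events are made up for this example
# and do not reproduce any vendor's real log format.
CRM_LOG = """\
{"ts":"2024-12-30T09:00:12Z","actor":"Alice@example.com","action":"login","src_ip":"203.0.113.10","geo":"US"}
{"ts":"2024-12-30T09:05:40Z","actor":"bob@example.com","action":"export_report","src_ip":"198.51.100.7","geo":"DE"}
"""

DOCS_LOG = """\
2024-12-30T09:10:02Z,carol@example.com,login,198.51.100.9,DE
2024-12-30T09:39:50Z,alice@example.com,login,192.0.2.55,BR
"""


@dataclass(frozen=True)
class Event:
    """Common schema every app's log is mapped onto before detection runs."""
    ts: datetime
    app: str
    actor: str
    action: str
    src_ip: str
    geo: str


def _parse_ts(value: str) -> datetime:
    # Both sample apps emit RFC 3339 timestamps with a trailing "Z"; make them
    # timezone-aware UTC so time deltas across apps are comparable.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_crm(text: str) -> Iterator[Event]:
    """One JSON object per line; actor e-mails are lower-cased to unify identity."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        yield Event(_parse_ts(rec["ts"]), "crm", rec["actor"].lower(),
                    rec["action"], rec["src_ip"], rec["geo"])


def parse_docs(text: str) -> Iterator[Event]:
    """CSV columns: ts,actor,action,src_ip,geo."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, src_ip, geo = line.split(",")
        yield Event(_parse_ts(ts), "docs", actor.lower(), action, src_ip, geo)


def collect_events() -> list[Event]:
    """The 'central log': every app's events in one list, ordered by actor then time."""
    events = [*parse_crm(CRM_LOG), *parse_docs(DOCS_LOG)]
    return sorted(events, key=lambda e: (e.actor, e.ts))


def impossible_travel(events: Iterable[Event],
                      window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Flag the same identity appearing from two countries within `window`.

    Works on any mix of apps; a pair split across two apps is invisible to
    either app's own log viewer, which is why the logs are merged first.
    """
    by_actor: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: (e.actor, e.ts)):
        by_actor.setdefault(e.actor, []).append(e)

    alerts = []
    for actor, evs in by_actor.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.geo != cur.geo and cur.ts - prev.ts <= window:
                alerts.append({
                    "actor": actor,
                    "apps": (prev.app, cur.app),
                    "from": prev.geo,
                    "to": cur.geo,
                    "minutes": int((cur.ts - prev.ts).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(collect_events()):
        print(alert)
```

Run against either app's log on its own, `impossible_travel` returns nothing; run against the merged list it flags alice's US-to-BR move between the two apps. The same normalisation step is what lets a SIEM rule fire on "admin role granted in app A by an identity that just logged in from a new device in app B", which is the class of detection the centralised-logs recommendation is really about.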

Your Apps Connect To Apps, Which Connect To Other Apps

When we store data in third-party apps we’re trusting these third parties to keep our information safe. Often those vendors are relying on other vendors to do the same, creating an interconnected mesh that is practically impossible to track. These app-to-app integrations increase the value of SaaS, but the downside is that a flaw in one app could open up a backdoor into another app.

Recommendations

• Enforce least privilege access: Limit app permissions to only the data and functions required for their intended purpose.

• Enable real-time monitoring and alerts: Deploy tools that monitor for anomalous behavior.

• Monitor app-to-app integrations: Provision tools that provide visibility into app-to-app integrations and their actions.
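Least privilege for app-to-app integrations is concrete: each integration was approved for a purpose, and the OAuth-style scopes it actually holds can be diffed against what that purpose needs. The following is an added example, not code from the original article or from Reco. It assumes a constructed scope catalogue with illustrative names and risk tiers (not any specific identity provider's scopes), a per-purpose baseline of the scopes an integration legitimately needs, and a made-up grant inventory of the kind a SaaS security tool would export, including how recently each token was used.

```python
"""Least-privilege review of third-party app-to-app (OAuth-style) grants."""
from __future__ import annotations

from dataclasses import dataclass

# Illustrative scope names and risk tiers, constructed for the example; they
# are not a specific identity provider's scope catalogue.
SCOPE_RISK = {
    "calendar.readonly": "low",
    "contacts.readonly": "low",
    "files.readonly": "medium",
    "files.readwrite": "high",
    "mail.readonly": "high",
    "mail.send": "high",
    "directory.admin": "critical",
}

# Least-privilege baseline: the scopes each integration purpose actually needs.
# Anything beyond this is excess privilege to be trimmed or explicitly justified.
PURPOSE_BASELINE = {
    "calendar-sync": {"calendar.readonly"},
    "file-backup": {"files.readonly"},
    "email-signature": {"mail.send"},
}

RISK_ORDER = ["low", "medium", "high", "critical"]


def _rank(risk: str) -> int:
    return RISK_ORDER.index(risk)


@dataclass(frozen=True)
class Grant:
    app: str                  # third-party app that was authorised
    purpose: str              # why it was approved (from the integration request)
    scopes: frozenset[str]    # what the app can actually do today
    users: int                # how many accounts consented
    days_since_last_use: int  # from the provider's token-usage data


# Constructed inventory of grants, as a SaaS security tool might export it.
GRANTS = [
    Grant("MeetingBot", "calendar-sync", frozenset({"calendar.readonly"}), 412, 1),
    Grant("BackupPro", "file-backup", frozenset({"files.readwrite", "directory.admin"}), 37, 3),
    Grant("OldSigTool", "email-signature", frozenset({"mail.send", "mail.readonly"}), 5, 140),
]


def review_grant(g: Grant, stale_after_days: int = 90) -> list[dict]:
    """Return one finding per excess scope, plus a stale-grant finding if unused."""
    findings = []
    baseline = PURPOSE_BASELINE.get(g.purpose)
    if baseline is None:
        # No documented purpose means no baseline to compare against: every
        # scope is unjustified until someone owns the integration.
        baseline = set()
        findings.append({"app": g.app, "type": "undocumented-purpose", "risk": "high"})
    for scope in sorted(g.scopes - baseline):
        # An unrecognised scope is treated as high risk until it is classified.
        findings.append({"app": g.app, "type": "excess-scope", "scope": scope,
                         "risk": SCOPE_RISK.get(scope, "high")})
    if g.days_since_last_use > stale_after_days:
        # Dormant tokens are pure attack surface: nothing breaks if they are revoked.
        findings.append({"app": g.app, "type": "stale-grant", "risk": "medium",
                         "days_since_last_use": g.days_since_last_use})
    return findings


def review_all(grants: list[Grant]) -> list[dict]:
    return [f for g in grants for f in review_grant(g)]


def revoke_candidates(grants: list[Grant], min_risk: str = "critical") -> list[str]:
    """Apps with at least one finding at or above `min_risk`, worst first."""
    worst: dict[str, int] = {}
    for f in review_all(grants):
        worst[f["app"]] = max(worst.get(f["app"], -1), _rank(f["risk"]))
    hits = [app for app, r in worst.items() if r >= _rank(min_risk)]
    return sorted(hits, key=lambda app: -worst[app])


if __name__ == "__main__":
    for finding in review_all(GRANTS):
        print(finding)
    print("revoke or re-scope first:", revoke_candidates(GRANTS, min_risk="high"))
```

On the constructed inventory, the backup tool approved for read-only file access is holding read-write file access plus a directory-admin scope, which is exactly the "flaw in one app opens a backdoor into another" case: compromise of that vendor would hand an attacker administrative reach into the identity directory. The signature tool has an unneeded mailbox-read scope and has not been used in 140 days, so it is a revoke rather than a re-scope.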

You Need To Know How Many Shadow Apps Are Being Used

Our research report found that shadow SaaS applications—unapproved apps used without IT or security’s knowledge—account for 26% of all SaaS usage within organizations. With an average of 129 shadow SaaS apps per company, these apps bypass established security controls and significantly increase the risk of data exposure.

Recommendations

• Implement SaaS discovery tools: Leverage tools that discover all SaaS applications and rank their level of risk.

• Restrict data sharing to approved apps: Set policies that restrict API integrations or data sharing with unknown applications.

• Include shadow IT in compliance audits: Integrate shadow app detection into regular compliance workflows.
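Discovery tools generally start from traffic the organisation already has: web-proxy or DNS logs show which SaaS domains employees actually reach, and anything not in the sanctioned inventory is shadow by definition. The following is an added example, not code from the original article or from Reco. It assumes a constructed proxy log (made-up domains on reserved example names), a constructed approved-app inventory and a small catalogue for naming what is seen; it groups requests per app, labels each as approved or shadow, ranks the shadow apps by how many people use them, and computes the share of SaaS traffic going to unsanctioned apps for this sample, not the 26% figure cited above.

```python
"""Shadow SaaS discovery from web-proxy logs against a sanctioned-app inventory."""
from __future__ import annotations

from collections import Counter
from typing import Iterator
from urllib.parse import urlsplit

# Constructed proxy log: "timestamp user method url". Domains use reserved
# example names and do not correspond to real services.
PROXY_LOG = """\
2024-12-30T08:01:10Z alice@example.com GET https://app.crm.example/api/v1/leads
2024-12-30T08:02:33Z bob@example.com POST https://api.docs.example/v2/files
2024-12-30T08:03:05Z carol@example.com GET https://www.notesly.example/sync
2024-12-30T08:03:40Z alice@example.com GET https://cdn.crm.example/static/app.js
2024-12-30T08:04:12Z dave@example.com POST https://upload.filedrop.example/put
2024-12-30T08:05:50Z bob@example.com GET https://www.notesly.example/sync
"""

# Sanctioned inventory (what IT approved) and a wider catalogue used to name
# what is observed. Both are constructed for this example.
APPROVED = {"crm.example": "CRM", "docs.example": "Docs"}
CATALOG = {**APPROVED, "notesly.example": "Notesly", "filedrop.example": "FileDrop"}


def registrable_domain(host: str) -> str:
    # Assumption for the sample: an app is identified by the last two labels
    # (app.crm.example -> crm.example). Real traffic needs a public-suffix
    # list so that, e.g., "example.co.uk" is not collapsed to "co.uk".
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_proxy(text: str) -> Iterator[tuple[str, str, str, str]]:
    """Yield (timestamp, user, method, host) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url = line.split(maxsplit=3)
        host = urlsplit(url).hostname or ""
        yield ts, user.lower(), method, host


def discover(text: str) -> list[dict]:
    """Aggregate traffic per app and label each as approved or shadow."""
    requests: Counter[str] = Counter()
    users: dict[str, set[str]] = {}
    for _ts, user, _method, host in parse_proxy(text):
        if not host:
            continue
        dom = registrable_domain(host)
        requests[dom] += 1
        users.setdefault(dom, set()).add(user)
    report = []
    for dom, n in requests.most_common():
        report.append({
            "domain": dom,
            "app": CATALOG.get(dom, dom),
            "requests": n,
            "users": len(users[dom]),
            "status": "approved" if dom in APPROVED else "shadow",
        })
    # Shadow apps first, the ones with the most users on top: that is the
    # order in which someone has to decide "sanction it or block it".
    return sorted(report, key=lambda r: (r["status"] != "shadow", -r["users"], -r["requests"]))


def shadow_share(report: list[dict]) -> float:
    """Percentage of observed SaaS requests that went to unsanctioned apps."""
    total = sum(r["requests"] for r in report)
    shadow = sum(r["requests"] for r in report if r["status"] == "shadow")
    return round(100.0 * shadow / total, 1) if total else 0.0


if __name__ == "__main__":
    rep = discover(PROXY_LOG)
    for row in rep:
        print(row)
    print(f"shadow share of SaaS traffic: {shadow_share(rep)}%")
```

The user count per shadow app is the useful ranking signal for the compliance workflow in the last recommendation: an app one person tried once is a different conversation from one half a team has quietly standardised on, and the report gives auditors the list of domains to either add to the inventory or add to the block policy.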

Over 60% Of Ransomware Attacks Are Sourced Through SaaS

Along with SaaS security, Opet named increasing ransomware threats as a key trend driving his cybersecurity strategy. Ransomware usually starts from a phishing scheme: Users are tricked into clicking a malicious link. Then, they’re taken to a website where they’re asked to input login credentials, which attackers then steal and use to access the enterprise network.

One recent report found that 61% of ransomware attacks were sourced through SaaS applications. Organizations wishing to strengthen defenses against ransomware should prioritize SaaS security.

Recommendations

• Strengthen email security: Deploy solutions to detect and block phishing emails before they reach users.

• Codify and enforce cybersecurity best practices: Implement multifactor authentication (MFA), IAM security and least privilege access policies.

• Perform regular security awareness training: Conduct frequent phishing simulations and train employees to report suspicious emails.

No Matter How Tight Your Security, Vendors Will Still Have Exploitable Flaws

In many recent breach cases, a threat actor broke in through a SaaS provider environment that wasn't protected with MFA. That initial access was then used to gain a foothold in other organizations using the same application.

Recommendations

• Limit application permissions: Implement least privilege principles for third-party applications.

• Continuously monitor for threats: Deploy tools to detect and respond to anomalous application behavior.

• Zero-trust architecture: Continuously verify access based on identity, device and location.

Overcoming SaaS Security Challenges With Modern Solutions

Organizations are finding that legacy solutions such as the cloud access security broker (CASB), which applies policy from outside the application much as a firewall does, leave visibility gaps inside SaaS applications. A new wave of SaaS security solutions is emerging to close those gaps: they discover all applications, identify misconfigurations, and detect and respond to signs of compromise.

The adoption of SaaS security is growing. The recent CrowdStrike announcement has brought SaaS security to the forefront of the security conversation, and at Reco we are hearing growing urgency from CISOs, Opet at JPMorgan Chase among them, who are prioritizing SaaS security to fill critical gaps.

ABOUT THE AUTHOR

Ofer Klein

Ofer Klein is the Cofounder & CEO of Reco. Ofer is a former Israeli pilot, and a serial entrepreneur with a vast experience in building and growing GTM teams with SaaS companies in the US. He is passionate about leading solutions for the distributed workforce.

Technical Review by:
Gal Nakash
