Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Business-led IT Becomes Mainstream
By Lior Yaari, Co-founder and CEO, Grip Security
SaaS has become the de facto
method of acquiring software and tools across every
industry. Though many companies still rely on internally developed apps,
anything new is usually acquired as a SaaS app or leverages SaaS in some way
whether it is for integrations, automation, analytics, or storage. What is
remarkable about SaaS is that it has enabled people outside of IT to become
their own CIOs. They no longer need to rely on a technical expert to identify, install and manage the apps they need to get
their job done. All they need is an email address to create an account.
Business-led IT is the term that is used to describe the
trend of decentralized technology acquisition. Though it encompasses hardware
and software, the vast majority of business-led IT is SaaS and even most
hardware today has a SaaS component to it. SaaS has
changed the IT landscape for good.
The trend will continue into 2023 and even accelerate as
more SaaS apps are created and become available. Five predictions based on this
trend are discussed in more detail below. One interesting data point is that
enterprises see a 60% turnover of SaaS apps over a two-year period. What that
means is that people rotate their apps and adopt new ones as better apps become
available. This is completely logical given one of the values of SaaS is to reduce
switching costs for the company. There may be some data migration issues, but
there is no hardware or infrastructure to upgrade or change. All that is needed
is an email address.
Shadow IT Goes from a Negative to a Positive
Shadow IT has long had a negative connotation and means
hardware, software, or services acquired outside of
the ownership or control of IT. For SaaS specifically, the term "unsanctioned
apps" is sometimes used to describe SaaS used without IT approval. However,
times have changed and the taboo of using technology that is useful, but not
officially approved, has largely diminished. This
and the industry rebranding of shadow IT to business-led IT will result in
people focusing on the positives of empowering employees to use the best technology
they need to do their jobs: productivity, job satisfaction, reduced time to
market, faster reactions to changing market conditions.
90% of Employees Will Use Unsanctioned Apps
This prediction may seem outrageous to many, but if you look
at where we are starting from, 90% is quite reasonable. Microsoft estimates
that 80%
of employees already use non-sanctioned apps, which is consistent with what
we have seen when working with companies. Multiple discovery methods exist to
detect unsanctioned SaaS app usage, and the challenge is to determine what risk these apps pose to the company and
the proper remediation, which can include (but is
not limited to) shutting down the account, blocking access, or adding to SSO. As
more apps become available, this number is likely to increase to 90% or even
higher.
Business-led IT Spend Increases to over 50%
Most CIOs will readily acknowledge that technology spending
occurs outside of the formal IT budget. In many companies, functions such as
sales and marketing now have specific budget line items for SaaS subscriptions.
IT is aware of some of the purchases, but many are purchased
and expensed. A Gartner analysis found that business-led IT spend averages up
to 36% of the total formal IT budget already. As companies become more
disciplined and focus on detecting and managing business-led IT, they will
discover that there are many apps that IT never knew about. Through a
combination of more apps being used and IT discovering app purchases that
were previously untracked, companies could see business-led IT reach 50% of the
total IT budget.
SaaS Security Breaches Will Become Worse
Cybersecurity is always top of mind for companies today.
2022 included several high-profile SaaS security breaches that made major
headlines. These breaches include hackers using the communication app Slack to
break into EA games, hackers gaining unauthorized access to the password manager
company LastPass's development environment, and 0ktapus targeting identity security
company Okta's customers to gain access to internal systems. Uber was also
breached, and the hacker had access to internal accounts and systems. As
business-led IT gains momentum, companies will start to use more SaaS, which
means the attack surface for hackers will increase. Inevitably, 2023 will have
a SaaS security breach whose damage surpasses what we saw in 2022.
Companies Will Implement a SaaS Security Architectural Layer
SaaS security is one of the hottest categories in
cybersecurity and it was one of the biggest categories funded by venture
capital firms in 2022. There is no shortage of problems to be solved by the
explosion of SaaS usage and the security challenges it has created for
companies. The good news is that companies are evaluating their SaaS security
strategy and actively investing in modern technology.
The problem is that today, most solutions only solve a part of the problem, and
a holistic SaaS security framework is required. The
Cloud Security Alliance's recent guide, SaaS
Governance Best Practices for Cloud Customers, points out that the nature of
SaaS requires a different approach. Companies will start designing their
security architectures with a specific layer that focuses on the unique
governance requirements of SaaS that are not fulfilled by existing solutions
today.
Conclusion
SaaS has transformed enterprise IT in a positive way and
there are no doubts about the benefits of using SaaS. It allows companies to
respond to market conditions more quickly, increases employee productivity and
improves job satisfaction. Companies will need to adapt to embrace the employee
CIO, and the ones that can implement effective SaaS security programs will see
business benefits far greater than what they invested.
##
ABOUT THE AUTHOR
Lior Yaari is the Co-founder and CEO of Grip Security. Lior has
significant experience in the cybersecurity domain as the former CTO of YL
Ventures, a leading cybersecurity VC, and as the former Chief of Cyber Training
in an elite intelligence unit of the Israel Defense Forces. Among his previous
positions, Lior was a Vulnerability Researcher and Project Lead at Cymotive, an
automotive cybersecurity company, and co-founded Imperium Security, an embedded
devices Secure Development Life Cycle (eSDLC) company.