Like other as-a-Service solutions, SaaS applications are a tool to supercharge business agility. Further, these tools are a force multiplier. This was especially true during the pandemic as organizations were forced to make significant IT changes to move the business forward. SaaS adoption and utilization were at an all-time high. However, there remains a rather significant hurdle for regulated companies to ensure data access security, maintain compliance, and prevent admin misconfigurations. This is because each new SaaS application requires IT and security teams to learn, set up, and maintain dozens of different security controls and policies. Today, it should be well understood that security can never be an afterthought when introducing new tools and technologies to advance business enablement. Doing so creates technical debt that becomes a challenge for the organization to overcome fully.
As we edge into 2023, modern enterprises will demand a platform that upholds their end of the shared responsibility model in the SaaS estate. There are numerous market indicators pointing towards consolidation in the SaaS segment of security. I'm confident that this new year will see the various SaaS security markets - SaaS security posture management (SSPM), shadow IT, data loss protection (DLP), service mesh, and many others - combining into what will become a foundational security platform.
Consider the average organization that leverages SaaS apps for needs such as content collaboration, communication, workflows, etc. On average, the standard enterprise has approximately 200 applications in use, with internal and external collaborators reaching into the hundreds or thousands. Now consider the data and files that are accessed, manipulated, and shared between the aforementioned users. It becomes an enterprise-scale problem for the IT and security teams responsible for providing secure data access. In the broader context of SaaS security, this is the hardest problem to solve.
Enterprises recognize that data security is paramount, and many have adopted solutions to reduce their exposure. However, the early adopters have discovered that the dozens of point solutions fail to solve the problem comprehensively. For example, DLP tools can help prevent unauthorized access to sensitive data, but their shortcomings include excessive false positives, management complexity, limited coverage, and more. Similarly, SSPM tools can be useful for identifying and addressing vulnerabilities and misconfigurations, but they are incomplete solutions and require significant resources to implement and maintain effectively.
The lack of comprehensive solutions forces companies to adopt multiple tools to protect their SaaS estate, which comes with its own set of downsides. Multiple security tools can be expensive, especially for small or medium-sized businesses. In addition, each tool may require a separate subscription or licensing fee, adding to the overall cost. Another downside is the complexity of managing multiple security tools. Each tool may have its own set of features and configurations, requiring technical expertise and time to set up and use properly. Additionally, integrating multiple security tools can be challenging, as they may not work seamlessly together and may require additional effort to integrate and maintain the integration over time. Finally, having multiple security tools may not necessarily provide better security, as they may have different coverage and capabilities, potentially leaving gaps in an organization's security posture.
Another factor driving the consolidation of security providers is the promising market landscape. When you analyze the market and compare it to IaaS or PaaS, it's more extensive, more fragmented, and without a doubt more subject to human error and data exfiltration. SaaS is and will continue growing rapidly as hybrid work, collaboration, and productivity tools emerge to meet the needs of the new economy. Security considerations will not dissipate, meaning the market opportunity for SaaS security is substantial. Whoever can provide a comprehensive platform to meet enterprise needs will reap a large portion of those benefits. In short, the market is ripe for consolidation.
Survival is not a birthright.
The SaaS market is greenfield. As mentioned, the current marketplace consists of many point solutions and niche players. Crucially, history has shown us that vendor and market consolidation is inevitable (i.e., Cloud Native Application Protection Platform (CNAPP) and Secure Service Edge (SSE)). Organizations are looking to consolidate vendors and cut complexity and costs as contracts renew, and vendor consolidation will help drive that change in the security market. There will be more pressure on vendors to provide a comprehensive platform that will enable modern businesses to go forward with confidence.
Moving forward, the smaller players will either get scooped up by a larger portfolio company or focus on establishing themselves as a platform provider. Ultimately, it is natural for markets and vendors to consolidate - survival is not a birthright, especially for the bigger players in the security market. Companies evolve or die - and I foresee a lot of evolution in the SaaS security market in 2023.