Cloud Security Alliance issues SaaS and AI-Risk for Mid-Market Organizations survey report

Jan. 28, 2025
The report explores how mid-market organizations are addressing SaaS security risk and highlights the real-world challenges and priorities these companies face when managing their risk.

Mid-market organizations today are engaged in a unique balancing act, where they are required to manage and defend a growing digital footprint but lack the deep pockets and vast resources of their larger counterparts. To better help security teams at mid-sized companies remain resilient in an increasingly complex threat landscape, the Cloud Security Alliance (CSA) today released its SaaS and AI-Risk for Mid-Market Organizations survey report. The survey, commissioned by Wing Security, a leader in SaaS security, takes a deep dive into the strategies mid-sized companies are using to protect their high-value assets—from navigating SaaS security gaps to tackling artificial intelligence (AI)-related risks—and highlights the real-world challenges and priorities these companies face when managing their risk.

“Mid-market organizations are making progress in recognizing and addressing SaaS security risks, but significant gaps remain. To build a robust security posture, it's essential to prioritize specialized technologies that enhance visibility, automate processes, and close key vulnerabilities. By aligning priorities across IT, security, and business units, these organizations can better safeguard their assets and confidently navigate the evolving SaaS landscape,” said Hillary Baron, Senior Technical Research Director, Cloud Security Alliance.

The report explores how mid-market organizations are addressing SaaS security risks, from managing misconfigurations and AI-driven threats to overcoming budgetary constraints and limited tooling, and highlights the gaps in their current strategies while providing actionable insights for improving their security posture. Among the survey’s key findings:

  • Security teams are struggling with a growing attack surface and tracking application use. Mid-market organizations are grappling with managing the large volume of SaaS applications, both sanctioned and unsanctioned, with actual numbers often exceeding expectations. Disconcertingly, fewer than half (44%) of organizations prioritize protecting all their sanctioned applications, and a mere 17% include unsanctioned ones in this priority. Given that limited visibility into these applications results in significant security gaps, specialized tools and automation are essential to securing this expanding digital footprint.

  • Prioritizing “crown jewels” while leaving gaps. Many companies are concentrating their configuration management efforts on their most critical applications (e.g., Google Workspace and IDP/IAM service). While prioritizing these core systems is essential, broader SaaS environments should not be overlooked—a worrisome 28% of organizations plan to automate configuration management across all applications. To fully mitigate risks, organizations must expand automation and ensure comprehensive coverage across all applications, including those perceived as lower priority and application-to-application connections.

  • AI risks without a formal plan. AI-related risks, particularly to data and intellectual property, are a growing concern. Whereas 55% of organizations reported being moderately concerned and another 20% stated they were highly concerned, only 51% of organizations have dedicated security teams to address AI-specific risks. The absence of a unified strategy and clear accountability leaves organizations vulnerable to evolving threats and compliance challenges.

  • Reliance on manual processes and insufficient tooling. Smaller security teams often rely on manual processes (48%) and general-purpose tools like cloud access security brokers (CASB) (48%)—neither of which is sufficient for SaaS security needs. The good news is that many organizations are planning to adopt specialized solutions like SaaS Security Posture Management (SSPM) and Data Security Posture Management (DSPM)—52% and 56%, respectively—to enhance visibility and address critical risks.

  • Growing SaaS security through current initiatives. Nearly 90% of organizations plan to expand IT budgets or enhance existing security initiatives—such as risk management, configuration management, and risk detection and response—to address SaaS security. Relying on general IT/security budgets or reallocating funds from other projects can lead to reactive, patchwork investments that fail to fully address the unique risks SaaS applications pose, yet only 3% have a dedicated line-item budget specifically for SaaS security. Dedicated funding and aligned priorities across teams remain critical for building an effective SaaS security strategy.

“Securing SaaS applications is a significant challenge for mid-sized companies, where limited resources meet an expanding attack surface. Yet, the importance of safeguarding these critical tools cannot be overstated. With the right strategies and technologies, mid-sized organizations can overcome these difficulties, ensuring the protection of sensitive data and maintaining business continuity in an increasingly SaaS-driven world,” said Galit Lubetsky Sharon, CEO, Wing Security.

Wing Security financed the project and co-developed the questionnaire with CSA research analysts. The survey was conducted online by CSA in October 2024 and received 406 responses from IT and security professionals from organizations of various sizes and locations. CSA’s research analysts performed the data analysis and interpretation for this report.

Download the full SaaS and AI-Risk for Mid-Market Organizations survey report.