Who’s Responsible for SaaS Security? Depends on Who You Ask

When JP Morgan Chase’s Global CISO, Pat Opet, issued a blunt open letter to technology suppliers earlier this year calling for stronger SaaS security or risk losing business, it struck a nerve in cybersecurity circles.

In the latest episode of The SaaS Security Show, we tackled the big question behind that letter: Who is actually responsible for securing SaaS? Host Andre Gaeta sat down with Grip Security CEO Lior Yaari and SecurityScorecard CPO Adam Bixler for a candid, sometimes tense, discussion that exposed the messy reality of SaaS risk ownership.

Watch the full discussion

Here are the big takeaways from their conversation, and why the SaaS security model may need more than just a “shared responsibility” mantra to evolve.

1. The JPMC Letter Was a Wake-Up Call, But Not a Clear Solution

Adam Bixler saw JP Morgan’s message as a necessary signal to raise expectations. Too many SaaS apps prioritize speed to market over secure-by-design principles. But Lior Yaari pushed back on feasibility: many of the most innovative SaaS vendors are tiny teams without the resources for full-blown security programs. “You can’t expect a 15-person startup to buy an MDR and hire a CISO,” Yaari said.

So, what happens when enterprise expectations meet startup reality? We’re left with a serious misalignment: enterprises want strong security guarantees, but many SaaS startups aren’t built to provide them. And unless you’re willing to walk away from the deal, there’s not much you can do to enforce those expectations.  

2. Supplier Risk Starts with How Employees Adopt SaaS

The conversation quickly turned to a more uncomfortable truth: many of the riskiest SaaS apps inside an enterprise weren’t formally procured; they bypassed security reviews as employees adopted them. Yaari described this as “grassroots adoption,” where tools enter the organization organically, often without security’s knowledge, and quietly gain traction.

Case in point: Grip Security added Monday.com for a specific purpose—collaborating with an external PR agency. Today, 30% of the company uses it across various internal workflows.  

It’s a familiar pattern: as SaaS adoption accelerates, teams gravitate toward tools that help them move faster. Usage grows organically, permissions accumulate, and sensitive data starts flowing through apps that were never fully vetted. This “SaaS permission creep” often goes unchecked because, while how an app is used evolves, the original risk evaluation usually doesn’t. If there was a security review at all, it’s now outdated. And that’s the real danger.

3. Security Posture Is Not a Snapshot—It’s a Living Thing

Bixler emphasized the need for continuous monitoring. Supplier assessments often rely on point-in-time questionnaires and first impressions, but environments change—apps get acquired, access patterns evolve, and threat models shift. “Security is a process, not a point-in-time check,” he said. The ability to track changes in a supplier’s posture, usage patterns, or even cloud configurations become essential to keeping enterprise risk in check.

“Security is a process, not a point-in-time check.” - Adam Bixler, SecurityScorecard

4. Most Enterprises Over-Invest in the Few and Ignore the Many

Both panelists highlighted a major blind spot: enterprises are diligent with high-profile or Tier 1 vendors, but neglect the thousands of smaller SaaS tools in use across the organization. Yaari put it plainly: “You’re verifying shared responsibility for a fraction of your vendors, and usually the wrong ones.”  

As Lior noted, it’s not that companies are negligent. It’s that they often prioritize what’s visible and familiar over what’s actually being used. As a result, companies overinvest in security controls for vendors already under tight management and underinvest in the apps that enter through shadow adoption, point solutions, or one-off team initiatives.

Without comprehensive visibility into their real SaaS footprint, security teams are left solving for perceived risk, not actual exposure. And when the next breach comes, it’s often from the corner no one was watching.

5. “Shared Responsibility Model” Sounds Good Until Things Break

The idea of a shared responsibility model sounds great in theory, but as both guests noted, it tends to collapse when there’s an incident. If a SaaS provider is breached, it’s the enterprise that deals with the consequences.

Yaari shared a sobering statistic: 87% of Grip customers had a SaaS app that was breached in 2024. That’s not a sign of failure; it’s the reality when enterprises rely on thousands of apps, many of which are adopted outside formal security channels. The differentiator isn’t whether breaches happen; it’s how contained they are when they do.

As Yaari explained, “Securing SaaS suppliers is like playing Russian roulette: one of your vendors will eventually be breached. And yes, they're responsible for not getting breached and not leaking your data and passwords, but you also have control over how far that breach goes. You can prevent password reuse, monitor OAuth scopes, revoke risky tokens, and ensure apps are configured correctly. Most SaaS risk doesn’t start in the vendor’s cloud; it starts with how your employees use it.

“Securing SaaS suppliers is like playing Russian roulette: one of your vendors will eventually be breached, but you have control over how far that breach goes.” -Lior Yaari, Grip Security

Once a breach occurs, what matters most is whether the enterprise took steps to isolate that app, monitor user access, and prevent lateral movement. And that’s the part only the enterprise can do, regardless of where “responsibility” lies.

6. What Needs to Change? Transparency and Realism

Asked what they’d change about today’s SaaS security culture:

• Bixler called for more transparency from SaaS vendors. Rather than relying on guesswork or passive scans, he advocated for vendors to publish verifiable, auditable security postures.

• Yaari urged enterprises to stop betting everything on supplier security controls. Most SaaS-related breaches stem from identity issues on the customer side: password reuse, risky OAuth connections, and lateral movement between connected apps.

In short: suppliers should do better, but enterprises can’t afford to assume they will.

Final Thought: Security as a Team Sport

Perhaps the most resonant line of the episode came from Bixler: “Security is a team sport. If you start doing this by yourself, you’re going to find yourself very alone.”

SaaS security doesn’t have a clean boundary. It’s not just about choosing “secure” vendors or enforcing policies. It’s about building a dynamic partnership between supplier and customer, where visibility, agility, and accountability are shared not just in principle, but in practice.

Watch the full episode and decide for yourself: Who’s really responsible for securing SaaS?

Taking the Next Step

SaaS security responsibility may be shared, but the next move is yours. Whether you’re rethinking your supplier evaluation process or trying to rein in shadow SaaS usage, here are a few ways to move forward:

• Download the free guide: Getting Started with SaaS Security – A practical primer for building a modern, risk-aware SaaS security program.

• Explore the Grip–SecurityScorecard integration – Strengthen your SaaS supplier and your SaaS security programs for cohesive risk management.

• Talk with our team – Our security experts can help you assess where your program stands and where to go next.

We're ready when you are. Let’s make SaaS security work—for everyone.

‍