SaaS Apps Are Less Compliant Than You Think: An Analysis of The Top 1,000 SaaS Apps

Today’s IT and operations professionals might find themselves feeling like the opposite of Spiderman. With great responsibility comes … no power? The stakes are higher than ever to ensure that their organizations are protected from a security and compliance perspective, but new survey data from Blissfully shows that the most popular SaaS applications are less compliant than you’d think.

App Compliance

Some key compliance statistics of the top 1,000+ SaaS applications on the market include:

• 71% are GDPR compliant.
• On the other hand, just 18% have either secured SOC 2 or ISO 27001, with 13% having both.
• GDPR shows faster adoption than SOC 2.
• Adoption follows size: companies with < $1 million in funding have ~7% compliance with SOC 2, while companies with > $100 million or more in funding have about 45% compliance.

One promising signal that the SaaS industry has mobilized around data privacy and compliance is their responsiveness to EU’s GDPR regulations. SaaS companies have taken these regulations seriously, with 71% of the top 1000 apps achieving GDPR compliance since May 2018 (when GDPR fully kicked into effect).

While some SaaS companies may be concerned about the financial penalties of non-compliance, others may find that achieving GDPR compliance can become a major selling point (especially for enterprise and customer-facing apps).

A major part of any compliance effort is ensuring that internal security controls are in place within a SaaS organization, and that customer data is handled properly. Many SaaS apps have extended their compliance commitment beyond GDPR, with 44% achieving EU Privacy Shield compliance.

Some of the more optional compliance frameworks, such as SOC 2 or ISO 27001, have lower adoption, with 18% penetration among the top 1000 apps for each. However, once a SaaS company achieves SOC 2 or ISO 27001 compliance, it’s easier to achieve future compliance milestones.

The type of app itself may dictate which compliance certifications the SaaS company secures. For example, the SOC 2 compliance framework has a stringent focus on an organization’s internal security controls and processes. Perhaps unsurprisingly, IT and Security apps had the highest percentage of SOC 2 penetration (33%), while Marketing apps had the lowest (15%).

On the flip side, since GDPR focuses on customer data privacy, externally focused Customer Support apps had the highest penetration (85%), while inwardly focused HR apps had the lowest (68%).

Compliance by Size and Funding

In addition, company size and amount of funding received seemed directly correlated to SOC 2 and ISO 27001 penetration -- the larger the company and more funding received, the more likely the company is to have achieved compliance. However, GDPR compliance is relatively consistent across the board, regardless of company size or funding received. This data shows that organizations don’t view GDPR as optional, and are prioritizing their customer security and privacy.

All this compliance data is by turns concerning and comforting; Top apps are lagging far behind in SOC 2 compliance. They are largely GDPR compliant, but almost 1/3rd aren’t. But all of this gets more concerning when you realize that IT and ops pros underestimate the number of SaaS apps their organizations use by half.

When you don’t even know what your business is running, how can you stay compliant?

SaaS Visibility

Visibility Statistics Include:

• 68% of organizations run on mostly or all SaaS.
• Almost 1/4 operate solely on SaaS.
• Businesses use nearly two times as many apps as they think they do. And the gap is worse at larger orgs.
• 94% of IT practitioners say that balancing data control and employee empowerment is their top concern.
• 80% of businesses are likely to need a SaaS management platform.

The rapid adoption of SaaS only compounds visibility concerns. According to 2017 data, only 38% of companies were operating on mostly SaaS. Just two years later, new Blissfully survey numbers show that the majority of organizations (68%) operate on mostly or all SaaS.

With fast app growth and limited visibility into the SaaS stack, nearly half (42%) of IT and ops pros surveyed said that balancing security and employee empowerment was a top priority which needs improvement.

Users and Apps: A Complex Relationship

One of the biggest blind spots IT and ops teams face is the complex relationship between apps and people, otherwise known as the “SaaS Graph.” Data from Blissfully’s 2019 SaaS Trends report shows that the average 200-500 person organization uses 123 apps, which doesn’t sound too unmanageable, until you learn that the same sized company has 2,700 SaaS graph relationships! Each of these connections to an app represents a potential point of vulnerability for the organization, if not managed appropriately.

To cope with this SaaS Graph sprawl, teams are relying on automation and external tools to take care of these concerns for them. For example, 82% of companies use IT automation or will use it in the future, while 71% already use single sign-on technologies to secure their application stack or plan to do so. More and more tools, such as Blissfully, have cropped up to ease the burden on IT teams who may not have full control over how their employees interact with technology.

Key Takeaways: Organizations Facing SaaS Sprawl Can Still Have Control

One of the key takeaways from Blissfully’s 2019 IT and Operations survey is that teams are getting creative about retaining control in the face of increased responsibility. The role of IT and ops has changed from a centralized, command-and-control style to more of a “collaborative IT” approach -- where IT, ops, employees, team leads and other key stakeholders share responsibility for budgeting, procurement, security, and more.

The Collaborative IT operational model will become even more crucial as apps become a key driver of employee productivity. Shockingly, nearly half (45%) of organizations say that employees don’t have access to all of the apps they need to do their jobs when they join a company. A Collaborative IT approach can help ensure that new employees are onboarded and trained on their critical apps, and can get productive on day one.

Finally, as organizations get more sophisticated about automating IT and security processes, the onus will fall more heavily on SaaS companies themselves to comply with the latest regulations to protect their customers against data breaches and privacy violations. On the positive side, this new era of automation will ease the burden on lean IT and ops teams, and make security a seamless part of every employee’s workflow.

This report is based on direct and survey data from more than 1,000 organizations, conducted through a combination of Blissfully's customers and a third party research firm. For more information on these trends and more, get the full Blissfully SaaS Trends 2020: IT & Compliance Edition.