Laptop Displaying the GigaOm Research Portal

Get your Free GigaOm account today.

Access complimentary GigaOm content by signing up for a FREE GigaOm account today — or upgrade to premium for full access to the GigaOm research catalog. Join now and uncover what you’ve been missing!

GigaOm Key Criteria for Evaluating SaaS Security Posture Management (SSPM) Solutionsv1.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Executive Summary
  2. SSPM Sector Brief
  3. Decision Criteria Analysis
  4. Analyst’s Outlook
  5. About Paul Stringfellow

1. Executive Summary

Software as a service (SaaS) has been a major boon to productivity, enabling business units and users to get exactly the functionality they need without IT teams having to reinvent the wheel. In turn, IT gets some heavily repetitive tasks—like email management—outsourced for a monthly fee, and the corporation is more productive as a result of both reduced time spent on those repetitive tasks and business units having specialized software that does not require day-to-day IT maintenance.

But this efficiency and convenience comes with a price because SaaS is largely unmanaged. Organizations often adopt it precisely because IT did not have the resources to solve a problem or because the problem was too small for an entire development or implementation project. So IT is unaware of what SaaS is out there in use—and there is a lot of it.

The lowest SaaS usage research number we were able to find was an average of over 100 SaaS applications per enterprise. This may sound high, but consider that it covers everything from massive SaaS solutions to occasional use SaaS products for simple tasks like file conversion or copyright image selection and detection. And every one of those SaaS applications contains information about your company. Many of them have information about your customers. If an organization uses software like Click-n-Ship to send customer rewards or products, then customers’ personally identifiable information (PII) is being shipped off.

It is high time all of these SaaS applications were secured as well as possible. To do this, the first step has to be discovery. Most enterprises will initially want to implement SaaS security posture management (SSPM) solutions to determine what their specific SaaS footprint is, both for security purposes and for accounting purposes. After that, the work of actually improving the security posture of those SaaS applications can begin.

Business Imperative
There is an abundance of SaaS in use at most organizations, and it contains information about the organization and often about its customers. It is uncontrolled and unmonitored. Often, employees who are terminated or moved to a new role are not removed as users from SaaS they should no longer have access to until a problem occurs or the user license is needed for another employee. This is not a sustainable situation.

SSPM is here to resolve these issues and to extend policy and compliance out to SaaS as much as possible. Some organizations track SaaS via accounting, while others do so via spreadsheets. But neither of these addresses the problem of “you don’t know what you don’t know.” If SaaS usage is billed one time via expenses, for example, it may not be caught in an accounting check. If a business unit does not tell IT it is using a given solution, the spreadsheet is out of date. SSPM tools offer multiple avenues to creating inventory and then enabling direct support for securing SaaS, whether it’s mission critical or for only occasional use.

Sector Adoption Score
To help executives and decision-makers assess the potential impact and value of an SSPM solution deployment to the business, this GigaOm Key Criteria report provides a structured assessment of the SSPM sector across five factors: benefit, maturity, urgency, impact, and effort. By scoring each factor based on how strongly it compels or deters adoption of SSPM, we provide an overall Sector Adoption Score for SSPM of 3.6 out of 5, with 5 indicating the strongest possible recommendation to adopt. This indicates that SSPM is a credible candidate for deployment and worth thoughtful consideration.

The factors contributing to the Sector Adoption Score for SSPM are explained in more detail in the Sector Brief section that follows.

Key Criteria for Evaluating SSPM Solutions

Sector Adoption Score







Figure 1. Sector Adoption Score for SSPM

This is the first year that GigaOm has reported on the SSPM space in the context of our Key Criteria and Radar reports. This GigaOm Key Criteria report highlights the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) for selecting an effective SSPM solution. The companion GigaOm Radar report identifies vendors and products that excel in those capabilities and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading SSPM offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.


The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.