2019 SaaS Trends: IT & Compliance Edition

At Blissfully, we’re constantly evaluating the trends that drive IT in the modern business. Our proprietary database and in-depth analysis have powered previous editions of SaaS Trends, as well as our guide to SaaS Management. We have seen increasing urgency around compliance from our customer base and across the entire market, and for this reason, this edition of SaaS Trends will take a deeper look at trends not only across IT but specifically SaaS Compliance Trends.

To gather insight, we conducted a survey of IT personnel, as well as deep-mining our own internal database to better understand trends around compliance for the top 1000 SaaS applications. This guide shares what we learned from the data, as well as takeaways you can apply to your own business.

Download the 2019 Compliance SaaS Trends Report

Receive a free PDF eBook of the entire 2019 Annual SaaS Trends Report.

About the Data

This report is based on direct and survey data from over 1,000 organizations, conducted through a combination of Blissfully’s customers and a third party research firm.

In Q3 of 2019, we conducted an IT and operations survey that collected data from over 1000 companies, inside and outside Blissfully’s customer base, through both direct surveys and live data.

We also conducted detailed compliance research for the top 1,100+ SaaS apps (based on our data regarding usage). To do this, we collected data on the vendors that make each of those apps to learn about which compliance certifications they’ve secured. The compliance mandates and laws we researched included:

  • SOC 2
  • ISO 27001
  • GDPR
  • CSA Star
  • EU Privacy Shield

Finally, we held a magnifying glass up to data relating to the companies who use and uphold certain compliance mandates and regulations. We looked at how attributes like company size and age related to compliance status, with the goal of gaining a deeper understanding of what drives compliance, where the gaps exist, and how businesses can improve going forward.

IT Trends from Operators

Let’s take a look at some of the most important findings from our data.

SaaS Growth Continues Unabated

In previous editions of SaaS Trends, we have explored the continuing growth of SaaS apps and the ever-increasing percentage of businesses who rely heavily or completely on these tools. As far as overall adoption in 2019, 68% of organizations say they are mostly or all SaaS-driven at this point, with nearly 23% saying they operate solely using SaaS apps today.

This lines up with other industry statistics and predictions, as a BetterCloud survey in 2017 found 38% of companies had moved most of their apps to SaaS, and another 73% of organizations said nearly all of their apps (more than 80%) would be SaaS by 2020. It’s clear that SaaS continues to reach its tentacles into all areas of businesses of all types and sizes, making it all the more important that companies gain visibility and insight into how their apps are being leveraged.

Companies Use 2x More Apps Than They Think

To this point, this year’s data demonstrates that most companies use significantly more apps than they realize. We asked survey respondents to guess how many apps their companies use, then compared this with actual data regarding SaaS app usage. While we expected that many businesses would underestimate this number, as we have seen this pattern previously, it was surprising to discover just how big the delta is between reality and belief. In fact, businesses use nearly two times as many apps as they think they do.

Number of Apps vs. Expectation

As you can see from the charts, the delta only grows as companies get bigger. This gap illustrates the importance of using a complete modern IT operating system like Blissfully that can both identify apps in use and help companies maintain visibility and control over those apps.

IT Struggles to Balance Employee Empowerment vs. Security and Control

Of course, balancing control and empowerment, and achieving truly Collaborative IT, is tricky. While previous data has put this challenge in high relief, new data provides heartening proof that this is increasingly an area that businesses recognize as important.

Survey respondents said balancing control and empowerment is an area of high priority where significant improvement is required. In fact, 94% of IT practitioners say it is their top concern. On the operations front, 83% of professionals agree.

Why is this so hard? In many ways, the IT function today is the opposite of Spiderman. They have accountability and responsibility, but little to no power. This is due to the nature of SaaS apps, which employees can choose and implement without IT’s blessing at most organizations.

Security vs. Control Graph

On a similar note, 53% of respondents say balancing security with employee privacy is a high-priority issue and needs improvement. Laws like GDPR make it more important than ever to consider how to achieve security without sacrificing either employee or user privacy at the same time.

Another major challenge identified by the survey is providing employees with access to the apps they need when they come on board. Unfortunately, 50% of companies say new employees don’t automatically have access to all of the apps they need. However, given that businesses are dramatically underestimating the number of apps in use, there’s a good possibility that even those who believe they are fully onboarding their employees may not be doing this in a complete manner. It’s another area that highlights the importance of a complete modern IT operating system like Blissfully.

Remember that the number of apps in and of itself does not tell the full story. There is a complex relationship between people, vendors, and apps. Within an organization, each person is connected to multiple apps, each app is connected to multiple people, and each vendor may be connected to multiple apps. The nature of these connections varies, and comprises access, usage, data sharing, role, and spend. As a whole, these relationships have implications for an organization’s security, compliance, budget, operations, and privacy.

SaaS Relationship Graph

The typical 200-to-501-person company uses 123 apps, which may not sound completely unmanageable. However, a simple app count doesn’t capture the full picture. That same company would have an average of 2,700 app-to-person connections. Every one of those relationships needs to be tracked, managed, and kept secure.

IT Tool Adoption: Automation Leads the Way

When it comes to managing rapid growth (and preventing SaaS chaos), IT and operations professionals themselves are employing tools and automation to help ease the burden. The top tools and categories, according to our survey, are IT automation, with 48% of businesses taking advantage of this category, and another 23% planning to adopt it. Single sign-on is also becoming increasingly common, with 49% of businesses indicating they are using this type of security tool to simplify access. IT asset management is also becoming more popular, with 27.4% currently using it, and another 23.3% saying they plan to use ITAM in the future.

ITAM Chart

Compliance Trends of the Top 1k+ Apps

This year, we dug further into compliance trends to find out how the top 1000 SaaS vendors are attempting to address security, privacy, and other compliance-related concerns for their customers. Many of the newer privacy and security regulations that are hitting the market apply to a wider swath of companies than ever before. This is an area that almost all businesses must build a plan to address, given how important compliance is to reducing risk profiles, winning new customers, and scaling over the long term. Here’s a look at what Blissfully’s compliance research unearthed.

GDPR Leads The Way, SOC 2 Trails

GDPR’s mandates extend not only to EU-based companies but to any company that handles EU citizens’ data in any way. This means that it applies to many U.S. companies and beyond.

So it’s no surprise that, of the top 1,000+ SaaS applications on the market, 71% are GDPR compliant. On the other hand, just 18% have secured either SOC 2 or ISO 27001, with 13% having both. Beyond these, 44% of apps have EU Privacy Shield.

Compliance Status Varies Widely by Type of App

Moreover, compliance adherence varies by category of app. For example, IT-related apps are likely to have different compliance certifications than marketing apps. Marketing apps generally have high adherence with GDPR (75% according to our research), even while lagging behind in SOC 2 compliance (around 15% of marketing apps). This makes sense given their purpose and customer base. In general, the more customer-facing an app is, the more likely it is to be GDPR compliant.

Chart: SOC2 Compliance by App
Chart: GDPR Compliance by App

Rapid GDPR Uptake

In general, SaaS companies have ramped up with GDPR quite quickly, even as they have ignored or taken their time with SOC 2. Given GDPR’s high fines and mandatory compliance, it makes sense that companies would prioritize it over SOC 2, which is an industry best practice (and often impacts who businesses are able to sell to), but is not required by law.

Of note, GDPR has two major parts. Customer privacy includes the right to delete, the mandate that all third-party data processors are compliant, and opt-in features for data usage. Customer privacy has garnered most of the publicity around GDPR. The security side, however, has more teeth. Baked into GDPR is a clear expectation that businesses will practice good SecOps. Moreover, most of the large fines are related to the security side of GDPR. This is worth understanding as a business, since media coverage may mislead about the ultimate purpose and priorities of this compliance framework.

Grow, Scale, Get Compliant

Another finding from the research highlights the reality that companies are more likely to take on compliance efforts as they grow and scale. For example, companies with less than $1 million in funding have about 7% compliance with SOC 2, while companies with $100 million or more in funding have about 45% compliance. The more funding a company has raised, and the longer it has been in existence, the more compliance regulations it is likely to be in adherence with. This is not entirely surprising, but heartening in many ways for the world of data security.

At Blissfully, we were in the top 5% when we pursued our SOC 2 compliance certification just one month after raising a seed round. As we have shared previously, it is our belief that businesses who envision themselves needing SOC 2 compliance to grow and scale are better off undertaking this effort at an earlier stage, as it will enable them to develop processes and tools that simplify compliance from the outset.

Chart: SOC 2 Compliance by Funding
Chart: ISO 27001 Compliance by Funding
Chart: GDPR Compliance by Funding

Similarly, company size is a strong predictor of compliance status. As companies increase employee headcount, they are more likely to add layers of security and conduct external audits.

Chart: SOC 2 Attainment by Company Size
Chart: ISO 27001 Attainment by Company Size
Chart: GDPR Attainment by Company Size

When it comes to compliance, we did not see a strong correlation based on product adoption. In other words, more commonly used apps were not necessarily likely to be more compliant—which is somewhat surprising. This is likely due to the quick adoption of new products. Given how quickly tools can be adopted and businesses’ underestimation of their app usage, the likelihood of having an app in your stack that is not, for example, GDPR compliant, is very high. Businesses who are beholden to this mandate should carefully review their entire SaaS stack for compliance with this in mind.

Time for Action: Takeaways from the Data

Often when data reports come out, it’s not clear how companies and individuals should respond to the information and incorporate it into their own business strategies. Is it just an FYI, or should it directly inform planning and roadmapping?

Here are two major takeaways that are applicable to many businesses—and actionable in nature—from our survey and research, and how to apply them.

Map Your Maturity

First of all, take a look at industry benchmarks and map your business based on funding, size, and founding decade. This is particularly useful with compliance. Are you ahead of the curve or behind the curve? In an age of GDPR and SaaS, being ahead of the curve on security practices and compliance can differentiate you from competitors.

Plan Ahead for Compliance: Embracing the New Reality

Next, pay attention to trends in compliance. While this is our first year conducting this deep-dive—thus making it hard to see long-term trends in the data—there is no question that compliance, especially as an indicator of privacy and security maturity, is critical in this day and age. The speed of GDPR compliance adoption within a relatively short time period (about 18 months to date) is impressive. This shows the ability for SaaS companies to mobilize in the face of key legal frameworks. For many businesses, proactively embracing compliance mandates like SOC 2 is also in their best interest, and we always recommend taking these steps sooner rather than later given their power to reduce risk, win new business, and future-proof companies.

With new frameworks like the California Consumer Privacy Act and international laws in places like Australia and Korea on the horizon, it’s an important time to make sure you are staying abreast of changes as they evolve. Staying competitive and protecting your business from serious risks of fines and negative publicity is key to both surviving and thriving in the long term.

Blissfully: A Complete Modern IT Operating System

According to our survey, 80% of businesses are likely to need/recommend a product like Blissfully, which provides a complete modern IT operating system. Blissfully simplifies the compliance process for mandates like SOC 2 and GDPR by enabling the business to automatically create and maintain a provisioning record for all of your SaaS applications. Blissfully also provides a dashboard that gives you the visibility and tools necessary to take control of SaaS across your organization.

These features empower businesses to address many of the challenges described in this report, including achieving that tricky balance of employee empowerment vs. IT control.
