Navigating Systemic Cyber Risk: Why SaaS Ecosystems Demand a New Paradigm
David Moskowitz – Founding Member and Chief Content Architect at the DVMS Institute
Pat Opet, JPMorgan Chase’s CISO, recently warned the cybersecurity community that the SaaS industry’s focus on speed and market dominance is creating systemic risks that threaten global economic stability. This isn’t about isolated vulnerabilities or single points of failure; it’s about cascading failures in interconnected systems where a breach in one provider can destabilize entire industries. As Opet notes, “The current trajectory is unsustainable for the economic system” (SecurityWeek, 2025).
The Systemic Risk Equation
Systemic risks emerge from three factors:
- Interconnected Dependencies: SaaS platforms often share APIs, authentication systems, and third-party services. A flaw in one component can propagate across ecosystems. Example: The SolarWinds supply chain attack (2020) spread malicious code to thousands of organizations through a trusted update mechanism, demonstrating how interconnected dependencies can lead to widespread compromise.
- Concentrated Power: Hyperscale providers dominate critical infrastructure, creating “too big to fail” scenarios where a breach could paralyze millions of organizations simultaneously. Example: The Microsoft Exchange (ProxyLogon) vulnerabilities (2021) affected tens of thousands of organizations worldwide, showing how concentrated reliance on a single provider can amplify the impact of a breach.
- Incentive Misalignment: Vendors prioritize feature velocity over security-by-design, while buyers accept vague SLAs in exchange for convenience. Example: The Equifax breach (2017) resulted from a failure to patch a known vulnerability, exposing the personal data of 147 million people and illustrating how misaligned incentives can lead to catastrophic outcomes.
These risks mirror findings from the DVMS Institute, emphasizing that cybersecurity is not a technical problem but a strategic business risk requiring systemic solutions (Why Adaptive Cyber Resilience Must Be Baked Into ALL Digital Service Providers (DSP) Offerings).
The Strategy-Risk Imperative
Opet’s call for “richer authorization models” and “provable controls” aligns with the DVMS Institute’s Digital Value Management System (DVMS) approach, which treats strategy and risk as inseparable entities. Key principles include:
- Decentralized Resilience
  - Diversify Critical Dependencies: Avoid over-reliance on single providers. For example, multi-cloud architectures and zero-trust segmentation can limit blast radii.
  - Demand Transparency: Require vendors to disclose breach response plans and third-party audit results, a practice the DVMS ties to governance workflows (Why Adaptive Cyber Resilience Must Be Baked Into ALL Digital Service Providers (DSP) Offerings).
- Adaptive Authorization
  - Replace static role-based access controls (RBAC) with context-aware policies that consider user behavior, device posture, and real-time threat intelligence.
  - Implement Opet’s “read-only as a service” concept, where access is dynamically granted based on need, not predefined roles.
- Resilience as a Service (RaaS)
  - Treat downtime and breaches as inevitabilities. Conduct “failure rehearsals” to test recovery workflows, leveraging AI to simulate adversarial campaigns.
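As an added illustration of the adaptive-authorization principle above (example code written for this article, not a design from the DVMS Institute or from Opet), the following Python sketch evaluates the same request under a static RBAC table and under a context-aware policy that also weighs device posture, a behavioural signal and a threat-intelligence score. The role table, the signals, the thresholds and the `Request`/`Context` types are constructed assumptions, and the step-down from write to read-only access is one possible reading of the “read-only as a service” idea, not a specification of it.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    READ_ONLY = "read-only"   # request stepped down: reads served, writes refused
    ALLOW = "allow"


@dataclass
class Request:
    user: str
    roles: set[str]
    action: str      # "read" or "write"
    resource: str


@dataclass
class Context:
    device_managed: bool   # constructed posture signal from an MDM/EDR agent
    device_patched: bool   # constructed posture signal: OS and agent at baseline
    new_location: bool     # constructed behavioural signal: first login from this geo
    threat_score: int      # constructed 0-100 score standing in for a threat-intel feed


# Constructed static RBAC table: role -> actions the role may perform.
RBAC = {
    "analyst": {"read"},
    "admin": {"read", "write"},
}

# Constructed policy thresholds (assumptions, not vendor defaults).
THREAT_DENY_SCORE = 80


def rbac_decide(req: Request) -> Decision:
    """Static RBAC: the answer depends only on the role table."""
    allowed = set().union(*(RBAC.get(r, set()) for r in req.roles))
    return Decision.ALLOW if req.action in allowed else Decision.DENY


def context_aware_decide(req: Request, ctx: Context) -> tuple[Decision, str]:
    """Context-aware policy layered on top of RBAC.

    Order of evaluation:
      1. RBAC still gates the action; context never grants what the role lacks.
      2. A high threat score for the principal denies everything, reads included.
      3. Weak device posture or an anomalous location steps a write down to
         read-only rather than denying outright (the "read-only as a service"
         reading assumed in this example).
    """
    if rbac_decide(req) is Decision.DENY:
        return Decision.DENY, "role does not grant the requested action"
    if ctx.threat_score >= THREAT_DENY_SCORE:
        return Decision.DENY, f"threat score {ctx.threat_score} at or above deny threshold"
    posture_ok = ctx.device_managed and ctx.device_patched
    if req.action == "write" and (not posture_ok or ctx.new_location):
        reasons = []
        if not posture_ok:
            reasons.append("device posture below baseline")
        if ctx.new_location:
            reasons.append("unfamiliar location")
        return Decision.READ_ONLY, "write stepped down to read-only: " + "; ".join(reasons)
    return Decision.ALLOW, "role, posture and behaviour all within policy"


if __name__ == "__main__":
    # Same principal and request, four constructed contexts.
    req = Request("alice", {"admin"}, "write", "customer-records")
    scenarios = {
        "healthy":        Context(True, True, False, 5),
        "unmanaged":      Context(False, True, False, 5),
        "new location":   Context(True, True, True, 5),
        "active threat":  Context(True, True, False, 95),
    }
    print(f"{'context':<15}{'RBAC':<8}{'context-aware':<14}reason")
    for name, ctx in scenarios.items():
        decision, reason = context_aware_decide(req, ctx)
        print(f"{name:<15}{rbac_decide(req).value:<8}{decision.value:<14}{reason}")
```

The point the table makes when run is that static RBAC returns the same answer (`allow`) in all four contexts, while the context-aware layer produces three different outcomes from the same role membership. The `reason` string is returned alongside the decision so that it can be written to the audit log; a step-down that nobody can explain afterwards is hard to review in an incident.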
Beyond AI Hype: Systemic Defense in Depth
While RSA 2025 buzzes with AI-powered tools, systemic risks demand human-centric solutions:
- Culture Over Code: 85% of breaches involve human error (How a NIST Cybersecurity Framework Digital Value Management Overlay System Uses Culture to Drive Resilient Digital Business Outcomes). The DVMS emphasizes cultural assessments to identify gaps in accountability, psychological safety, and cross-team collaboration.
- Feedback Loops Matter: Embed lessons from incidents into strategy. For example, Microsoft’s “Secure Future Initiative” ties executive bonuses to vulnerability reduction metrics.
A Call to Action
Systemic risks require collective responsibility:
- Vendors: Build security into pricing models. Offer tiered SLAs with penalties for control failures.
- Buyers: Treat SaaS contracts as risk agreements. Require third-party attestations aligned with NIST CSF 2.0 outcomes (How The NIST-CSF-DVMS and SCF Work Together To Enable Regulatory and Maturity Model Outcomes).
- Regulators: Mandate cyber resilience stress tests for critical infrastructure providers, similar to financial sector requirements.
- Internal: Adopt and adapt the NIST-CSF in phases using the DVMS overlay approach to support creating and concurrently protecting the delivery of digital value (Why Digital Service Providers Need the NIST Cybersecurity Framework and a Digital Value Management System® To Enable Cyber Resilience).
The Bottom Line
As Opet warns, we’re playing a high-stakes game of Jenga. The DVMS provides a blueprint for rebuilding the tower with reinforced blocks, but only if we abandon the myth of “perfect security” and embrace systemic resilience.
Explore systemic risk strategies: Dive into the DVMS Institute’s free resources and blog posts on cyber-resilient architectures at dvmsinstitute.com.
About the Author
David Moskowitz – Founding Member and Chief Content Architect at the DVMS Institute
David is a Founding Member and Executive Director of the DVMS Institute LLC. He is the lead author of the “Digital Value Management System®” publication series, which includes *Fundamentals of Adopting the NIST Cybersecurity Framework*, *A Practitioner’s Guide to Adapting the NIST Cybersecurity Framework*, and *Thriving on the Edge of Chaos*, published by TSO.
The DVMS Institute’s NIST-CSF-DVMS Certified Training and Assessment Programs teach leadership and frontline employees the knowledge, skills, and capabilities to build a holistic, adaptive, and culture-powered overlay system designed to enable cyber operational resilience in a complex, multi-vendor digital ecosystem.
Achieving cyber operational resilience demands a unified, organization-wide approach that bridges diverse vendor systems, business silos, and personnel across the Strategy, Governance, and Operational (SGO) layers of today’s complex digital enterprise.
The NIST-CSF-DVMS Create, Protect, and Deliver (CPD) Model and the 3D Knowledge Model bring this effort to life through a structured and actionable approach that aligns workflows, communication, innovation, and continuous feedback across SGO layers.
This adaptable and forward-thinking approach to Cyber Operational Resilience empowers organizations to maintain continuous digital business operations amid daily digital disruptions and satisfy regulatory (SEC, DORA, NIS2, etc.), and maturity model (SCF, HITRUST, CMMC, etc.) requirements for compliance and certification.
© DVMS Institute 2025 All Rights Reserved