Navigating Systemic Cyber Risk: Why SaaS Ecosystems Demand a New Paradigm
David Moskowitz – Founding Member and Chief Content Architect at the DVMS Institute
Pat Opet, JPMorgan Chase’s CISO, recently warned the cybersecurity community that the SaaS industry’s focus on speed and market dominance is creating systemic risks that threaten global economic stability. This isn’t about isolated vulnerabilities or single points of failure; it’s about cascading failures in interconnected systems where a breach in one provider can destabilize entire industries. As Opet notes, “The current trajectory is unsustainable for the economic system” (SecurityWeek, 2025).
The Systemic Risk Equation
Systemic risks emerge from three factors:
- Interconnected Dependencies: SaaS platforms often share APIs, authentication systems, and third-party services. A flaw in one component can propagate across ecosystems. Example: The SolarWinds supply chain attack (2020) pushed a backdoored Orion update through the vendor’s own trusted update mechanism to thousands of organizations, showing how a single shared dependency can lead to widespread compromise.
- Concentrated Power: Hyperscale providers dominate critical infrastructure, creating “too big to fail” scenarios where a breach could paralyze millions of organizations simultaneously. Example: The Microsoft Exchange Server (ProxyLogon) vulnerabilities (2021) were exploited against tens of thousands of organizations worldwide; although they hit on-premises Exchange rather than a hosted service, they show how concentrated reliance on one vendor’s product amplifies the impact of a single flaw.
- Incentive Misalignment: Vendors prioritize feature velocity over security-by-design, while buyers accept vague SLAs in exchange for convenience. Example: The Equifax breach (2017) resulted from a failure to patch a known Apache Struts vulnerability for which a fix was already available, exposing the personal data of about 147 million people and illustrating how misaligned incentives can lead to catastrophic outcomes.
These risks mirror the DVMS Institute’s own finding that cybersecurity is not merely a technical problem but a strategic business risk requiring systemic solutions (Why Adaptive Cyber Resilience Must Be Baked Into ALL Digital Service Providers (DSP) Offerings).
The Strategy-Risk Imperative
Opet’s call for “richer authorization models” and “provable controls” aligns with the DVMS Institute’s Digital Value Management System (DVMS) approach, which treats strategy and risk as inseparable entities. Key principles include:
- Decentralized Resilience
  - Diversify Critical Dependencies: Avoid over-reliance on single providers. Multi-cloud architectures and zero-trust segmentation, for example, limit the blast radius when one provider or component fails.
  - Demand Transparency: Require vendors to disclose breach response plans and third-party audit results, a practice the DVMS ties to governance workflows (Why Adaptive Cyber Resilience Must Be Baked Into ALL Digital Service Providers (DSP) Offerings).
- Adaptive Authorization
  - Replace static role-based access control (RBAC) with context-aware policies that weigh user behavior, device posture, and real-time threat intelligence at the moment of each request, so that access can be tightened or revoked mid-session rather than fixed at login.
  - Implement Opet’s “read-only as a service” concept, where access is granted dynamically and at the lowest level the task requires (read-only by default) rather than by predefined roles.
- Resilience as a Service (RaaS)
  - Treat downtime and breaches as inevitabilities. Conduct “failure rehearsals” (tabletop exercises, game days, chaos-engineering drills) to test recovery workflows, and use AI-assisted tooling to simulate adversarial campaigns against them.
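The Adaptive Authorization principle above is easier to reason about with a concrete policy in front of you. The following Python sketch is an added example for this article, not code from the DVMS Institute or from JPMorgan Chase; it keeps a static role table as the ceiling and layers a context-aware decision on top that can only tighten the outcome, downgrading a write to read-only (the “read-only” idea above) or denying outright when device posture, behavioural risk, or a threat-intelligence feed says so. The roles, actions, thresholds, attribute names, threat-feed entry and sample requests are all assumptions chosen for illustration.

```python
"""Static RBAC versus a context-aware policy layered on top of it.

Added example for this article; not DVMS Institute or JPMorgan code.
All roles, thresholds, attribute names and sample data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Decision(Enum):
    ALLOW = "allow"
    READ_ONLY = "read_only"   # downgrade instead of a binary deny
    DENY = "deny"


# Static RBAC table (assumed roles and actions): role -> permitted actions.
RBAC: Dict[str, FrozenSet[str]] = {
    "analyst": frozenset({"read"}),
    "engineer": frozenset({"read", "write"}),
    "admin": frozenset({"read", "write", "delete"}),
}

# Constructed threat-intel feed: source addresses currently flagged
# (TEST-NET-3 address, not a real indicator).
THREAT_FEED: FrozenSet[str] = frozenset({"203.0.113.7"})


@dataclass(frozen=True)
class Context:
    """Signals gathered at request time (all attribute names assumed)."""
    user: str
    role: str
    action: str             # read | write | delete
    resource: str
    device_managed: bool    # MDM-enrolled and reporting compliant
    disk_encrypted: bool
    mfa_age_minutes: int    # minutes since last strong authentication
    risk_score: float       # 0.0 (normal) .. 1.0 (highly anomalous behaviour)
    source_ip: str
    threat_feed: FrozenSet[str] = THREAT_FEED


def rbac_decide(ctx: Context) -> Decision:
    """Static RBAC: the role alone determines the answer."""
    permitted = RBAC.get(ctx.role, frozenset())
    return Decision.ALLOW if ctx.action in permitted else Decision.DENY


def context_decide(ctx: Context) -> Decision:
    """Context-aware policy. RBAC is the ceiling: context can only tighten
    the result, never grant more than the role permits."""
    if rbac_decide(ctx) is Decision.DENY:
        return Decision.DENY
    # Hard stops: flagged source or strongly anomalous behaviour.
    if ctx.source_ip in ctx.threat_feed:
        return Decision.DENY
    if ctx.risk_score >= 0.8:
        return Decision.DENY
    # Mutating actions need a healthy device, recent MFA and low risk;
    # otherwise fall back to read-only rather than blocking the user.
    mutating = ctx.action in {"write", "delete"}
    posture_ok = ctx.device_managed and ctx.disk_encrypted
    mfa_fresh = ctx.mfa_age_minutes <= 60
    if mutating and not (posture_ok and mfa_fresh and ctx.risk_score < 0.5):
        return Decision.READ_ONLY
    return Decision.ALLOW


def effective_action(ctx: Context) -> Optional[str]:
    """The action the caller may actually perform, or None if denied."""
    decision = context_decide(ctx)
    if decision is Decision.DENY:
        return None
    if decision is Decision.READ_ONLY:
        return "read"
    return ctx.action


# Constructed sample requests covering the interesting branches.
SAMPLE_REQUESTS: Dict[str, Context] = {
    "healthy_write": Context("alice", "engineer", "write", "repo/prod-config",
                             True, True, 5, 0.1, "198.51.100.10"),
    "unmanaged_device_write": Context("alice", "engineer", "write", "repo/prod-config",
                                      False, False, 5, 0.1, "198.51.100.10"),
    "admin_from_flagged_ip": Context("bob", "admin", "delete", "bucket/customer-data",
                                     True, True, 2, 0.0, "203.0.113.7"),
    "analyst_write": Context("carol", "analyst", "write", "repo/prod-config",
                             True, True, 1, 0.0, "198.51.100.11"),
    "anomalous_read": Context("carol", "analyst", "read", "bucket/customer-data",
                              True, True, 1, 0.9, "198.51.100.11"),
    "stale_mfa_read": Context("alice", "engineer", "read", "repo/prod-config",
                              True, True, 600, 0.1, "198.51.100.10"),
}


if __name__ == "__main__":
    for name, ctx in SAMPLE_REQUESTS.items():
        print(f"{name:24} rbac={rbac_decide(ctx).value:9} "
              f"context={context_decide(ctx).value:9} effective={effective_action(ctx)}")
```

The two decisions diverge exactly where the article says static roles fall short: the same engineer who may write from a compliant laptop is held to read-only from an unmanaged one, and an admin whose session originates from a flagged address is denied even though the role table says yes. Keeping RBAC as the ceiling matters: a context engine that can escalate beyond the role table becomes a privilege-escalation path if any of its signals can be spoofed.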
Beyond AI Hype: Systemic Defense in Depth
While RSA Conference 2025 buzzes with AI-powered tools, systemic risks also demand human-centric solutions:
- Culture Over Code: 85% of breaches involve human error (How a NIST Cybersecurity Framework Digital Value Management Overlay System Uses Culture to Drive Resilient Digital Business Outcomes). The DVMS emphasizes cultural assessments to identify gaps in accountability, psychological safety, and cross-team collaboration.
- Feedback Loops Matter: Embed lessons from incidents into strategy. For example, Microsoft’s Secure Future Initiative ties part of senior leadership compensation to progress against the company’s security milestones.
A Call to Action
Systemic risks require collective responsibility:
- Vendors: Build security into pricing models. Offer tiered SLAs with penalties for control failures.
- Buyers: Treat SaaS contracts as risk agreements. Require third-party attestations aligned with NIST CSF 2.0 outcomes (How The NIST-CSF-DVMS and SCF Work Together To Enable Regulatory and Maturity Model Outcomes).
- Regulators: Mandate cyber resilience stress tests for critical infrastructure providers, similar to financial sector requirements.
- Internally: Adopt and adapt the NIST CSF in phases using the DVMS overlay approach, so that the organization creates digital value and protects its delivery at the same time (Why Digital Service Providers Need the NIST Cybersecurity Framework and a Digital Value Management System® To Enable Cyber Resilience).
The Bottom Line
As Opet warns, we’re playing a high-stakes game of Jenga. The DVMS provides a blueprint for rebuilding the tower with reinforced blocks, but only if we abandon the myth of “perfect security” and embrace systemic resilience.
Explore systemic risk strategies: Dive into the DVMS Institute’s free resources and blog posts on cyber-resilient architectures at dvmsinstitute.com.
About the Author
David Moskowitz – Founding Member and Chief Content Architect at the DVMS Institute
David is a Founding Member and Executive Director of the DVMS Institute LLC. He is the lead author of the “Digital Value Management System®” publication series, which includes *Fundamentals of Adopting the NIST Cybersecurity Framework* and *A Practitioner’s Guide to Adapting the NIST Cybersecurity Framework*; a third title, *Thriving on the Edge of Chaos*, is scheduled for publication by TSO.
The DVMS Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach Service Providers of any type the skills to build a Holistic, Adaptive, and Culture-Powered Cyber Resilience Overlay System capable of proactively identifying and mitigating the systemic risks that could impact cyber business operations.
The NIST-CSF-DVMS positions cyber resiliency not as a technical function but as a strategic, enterprise-wide responsibility. This systems-based approach mandates engagement from top leadership to frontline employees, each fulfilling distinct duties.
Enabling Resilience requires coordinated action across an organization’s Strategy, Governance, and Operations business layers. Each of these layers contains unique roles that, when aligned and functioning cohesively, enable the organization to protect cyber business assets and adaptively manage cyber business risks while delivering sustained cyber business operations and resilience.
Through this approach to Adaptive Governance, Resilience, and Assurance, service providers can address government-mandated cyber regulations (SEC, DORA, NIS2, etc.) and maturity model programs (SCF, HITRUST, CMMC, etc.).
© DVMS Institute 2025. All Rights Reserved.