Navigating Systemic Cyber Risk: Why SaaS Ecosystems Demand a New Paradigm


David Moskowitz – Founding Member and Chief Content Architect, at the DVMS Institute

Pat Opet, JPMorgan Chase’s CISO, recently warned the cybersecurity community that the SaaS industry’s focus on speed and market dominance is creating systemic risks that threaten global economic stability. This isn’t about isolated vulnerabilities or single points of failure; it’s about cascading failures in interconnected systems where a breach in one provider can destabilize entire industries. As Opet notes, “The current trajectory is unsustainable for the economic system” (SecurityWeek, 2025).

The Systemic Risk Equation

Systemic risks emerge from three factors:

  1. Interconnected Dependencies: SaaS platforms often share APIs, authentication systems, and third-party services. A flaw in one component can propagate across ecosystems. Example: The SolarWinds supply chain attack (2020) spread malicious code to thousands of organizations through a trusted update mechanism, demonstrating how interconnected dependencies can lead to widespread compromise.
  2. Concentrated Power: Hyperscale providers dominate critical infrastructure, creating “too big to fail” scenarios where a breach could paralyze millions of organizations simultaneously. Example: The Microsoft Exchange (ProxyLogon) vulnerabilities (2021) affected tens of thousands of organizations worldwide, showing how concentrated reliance on a single provider can amplify the impact of a breach.
  3. Incentive Misalignment: Vendors prioritize feature velocity over security-by-design, while buyers accept vague SLAs in exchange for convenience. Example: The Equifax breach (2017) resulted from a failure to patch a known vulnerability, exposing the personal data of 147 million people and illustrating how misaligned incentives can lead to catastrophic outcomes.

These risks mirror findings from the DVMS Institute, emphasizing that cybersecurity is not a technical problem but a strategic business risk requiring systemic solutions (Why Adaptive Cyber Resilience Must Be Baked Into ALL Digital Service Providers (DSP) Offerings).

The Strategy-Risk Imperative

Opet’s call for “richer authorization models” and “provable controls” aligns with the DVMS Institute’s Digital Value Management System (DVMS) approach, which treats strategy and risk as inseparable entities. Key principles include:

  1. Decentralized Resilience
  2. Adaptive Authorization
  • Replace static role-based access controls (RBAC) with context-aware policies considering user behavior, device posture, and real-time threat intelligence.
  • Implement Opet’s “read-only as a service” concept, where access is dynamically granted based on need, not predefined roles.
  3. Resilience as a Service (RaaS)
  • Treat downtime and breaches as inevitabilities. Conduct “failure rehearsals” to test recovery workflows, leveraging AI to simulate adversarial campaigns.
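The contrast between static RBAC and the context-aware, read-only-by-default authorization described above, as an added example that is not the DVMS Institute's or Opet's code; the roles, risk thresholds and posture signals are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample entitlements (assumption, not a real product's role model).
STATIC_RBAC = {
    "admin": {"read", "write", "delete"},
    "analyst": {"read", "write"},
    "viewer": {"read"},
}
READ_ONLY_RISK = 50   # assumed threshold: above this, narrow to read-only
DENY_RISK = 80        # assumed threshold: above this, deny everything


@dataclass
class Context:
    """Signals a context-aware policy considers beyond the static role."""
    role: str
    device_compliant: bool       # device posture check (patched, encrypted, managed)
    risk_score: int              # 0-100, from real-time threat intel / analytics
    anomalous_behavior: bool = False   # e.g. impossible travel, unusual volume


def rbac_decision(role: str, action: str) -> bool:
    """Static RBAC: the role alone decides, whatever the device or threat context."""
    return action in STATIC_RBAC.get(role, set())


def effective_permissions(ctx: Context) -> set[str]:
    """Context-aware policy: start from the role's entitlements, then narrow them.

    Degraded posture or elevated risk collapses the grant to read-only
    ('read-only as a service'); high risk removes access entirely, even for admins.
    """
    granted = set(STATIC_RBAC.get(ctx.role, set()))
    if ctx.risk_score >= DENY_RISK:
        return set()
    if not ctx.device_compliant or ctx.anomalous_behavior or ctx.risk_score >= READ_ONLY_RISK:
        return granted & {"read"}
    return granted


def adaptive_decision(ctx: Context, action: str) -> bool:
    return action in effective_permissions(ctx)


def compare(ctx: Context, action: str) -> tuple[bool, bool]:
    """Return (static RBAC verdict, adaptive verdict) so divergences are visible in audit logs."""
    return rbac_decision(ctx.role, action), adaptive_decision(ctx, action)
```

The cases where the two verdicts diverge (an admin on an unmanaged device, a session flagged by threat intelligence) are exactly the ones a static RBAC deployment would silently allow.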

Beyond AI Hype: Systemic Defense in Depth

While RSA 2025 buzzes with AI-powered tools, systemic risks demand human-centric solutions:

A Call to Action

Systemic risks require collective responsibility:

The Bottom Line

As Opet warns, we’re playing a high-stakes game of Jenga. The DVMS provides a blueprint for rebuilding the tower with reinforced blocks, but only if we abandon the myth of “perfect security” and embrace systemic resilience.

Explore systemic risk strategies: Dive into the DVMS Institute’s free resources and blog posts on cyber-resilient architectures at dvmsinstitute.com.

About the Author

David Moskowitz – Founding Member and Chief Content Architect, at the DVMS Institute

David is a Founding Member and Executive Director of the DVMS Institute LLC. He is the lead author of the “Digital Value Management System®” publication series, which includes *Fundamentals of Adopting the NIST Cybersecurity Framework* and *A Practitioner’s Guide to Adapting the NIST Cybersecurity Framework*; *Thriving on the Edge of Chaos* is scheduled to be published by TSO.

The DVMS Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach Service Providers of any type the skills to build a Holistic, Adaptive, and Culture-Powered Cyber Resilience Overlay System capable of proactively identifying and mitigating the systemic risks that could impact cyber business operations.

The NIST-CSF-DVMS positions cyber resiliency not as a technical function but as a strategic, enterprise-wide responsibility. This systems-based approach mandates engagement from top Leadership to Frontline Employees, each fulfilling distinct duties.

Enabling Resilience requires coordinated action across an organization’s Strategy, Governance, and Operations business layers. Each of these layers contains unique roles that, when aligned and functioning cohesively, enable the organization to protect cyber business assets and adaptively manage cyber business risks while delivering sustained cyber business operations and resilience.

By enabling this unique and innovative approach to Adaptive Governance, Resilience, and Assurance, service providers can now comply with any government-mandated cyber regulation (SEC, DORA, NIS2, etc.) or maturity model program (SCF, HITRUST, CMMC, etc.).

® DVMS Institute 2025 All Rights Reserved
