A Welcome Warning on SaaS and Security: Reflections on JP Morgan’s Open Letter

I posted this last night on LinkedIn and thought it was worth re-posting here:


I think it’s really, really good that the team at J.P. Morgan have sounded a public note of caution in their “Open Letter to Suppliers” on the broad topic of SaaS and the surrounding ecosystems (including AI).

Penned by Pat Opet, the Global CISO at the bank, the letter outlines a series of issues that need significant attention from the executive suite (and beyond) of the suppliers to JP Morgan — and, by extension, much of the ecosystem.


Key Points Highlighted

Some key points I picked out:

“Fierce competition among software providers has driven prioritization of rapid feature development over robust security.”
“SaaS models are … a subtle yet profound shift eroding decades of carefully architected security boundaries.”
“This architectural regression undermines fundamental security principles that have proven durability.”
“Opaque fourth-party vendor dependencies silently expanding this same risk upstream.”
“Traditional measures … may no longer be viable today in a SaaS integration model.”

If you haven’t read the letter yet, I’d recommend a quick read — it’s about 12 short paragraphs.

You can find it here: Read the letter.


It’s Not Just the Vendors

The major issue here is not necessarily the vendors themselves.

I’d suggest much responsibility also lies with those acquiring and deploying the services — in this case, those in the banks who are busy waving through technologies and approaches that they don’t necessarily fully comprehend.

Or, for example, approving version 9 for production and then finding that version 10 is already live, with AI features turned on by default, because in a SaaS model the vendor, not the customer, decides when the change ships.


How It Happened

It’s a difficult one, because in many cases the change effectively happened ‘overnight’.

One day, executives were signing off on-premises Microsoft Windows licenses delivered on CD-ROM.

The next, they’re told that ‘on premise’ is a second-class citizen — and now it’s Cloud-First. Or, in some cases, Cloud-Only.


Governance Matters More Than Ever

Governance matters.

I see the challenges every day when I’m working with clients in and around Financial Services.

All of a sudden, the Chairperson, the Board Committees, and the CEOs are having to get involved with aspects they used to (correctly) delegate to the “IT Director.”

If you’re the person (as I have been) whose job is to sign off on 100% compliance to the regulator every quarter (complete with a copy of your passport and dated signature), this is absolutely an issue you should be looking at in depth.


A Final Thought

Patrick’s letter is a good reminder to get your arms around the challenge.

It’s not just security (although security in financial services is more or less everything); it’s also about your organisational approach to building, deploying, managing, and delivering services to your customers in this new world.

It’s also a good reminder for the SaaS vendors.

While there’s been a lot of good work done, for example through regulations like the EU’s Digital Operational Resilience Act (DORA), which asks exactly the question of who is supplying your supplier’s supplier, there’s a lot, lot more to do.
