What SaaS Vendors Can Learn from the JPMorgan CISO's Open Letter
JPMorgan’s CISO issued a clear warning to vendors: visibility, accountability, and fast response are now table stakes. Here’s what every SaaS provider should take from the letter—and how to close the gaps before your biggest customer calls you out.

In early May 2025, JPMorgan Chase’s Chief Information Security Officer published an open letter that sent ripples through the cybersecurity industry. This wasn’t a marketing play or vague reassurance. It was a firm and urgent message directed at every supplier and vendor in their digital ecosystem:
Take security seriously—or risk being left behind.
At the core of this message is a growing expectation that vendors—particularly SaaS providers—offer not just secure tools, but real-time transparency and accountability.
The letter is especially relevant for security teams managing sprawling SaaS environments, where blind spots are plentiful, and misconfigurations can quickly escalate into breaches.
A Closer Look at the Letter
Let’s unpack the key takeaways—and what they mean for SaaS vendors.
“Visibility is the foundational requirement for any security program.”
This is how the letter opens—and it sets the tone for everything that follows. JPMorgan makes it clear: they are no longer satisfied with black-box vendors, delayed reports, or static certifications. What they expect instead is continuous, contextual, and real-time visibility.
Visibility means knowing:
- Which apps are active in your environment
- Who has access to them
- How those access levels were granted
- What data is flowing between systems
Without this context, no vendor can honestly claim to be secure.
“The ability to detect, isolate, and recover from a cyber incident is critical.”
Here, JPMorgan highlights a harsh truth: breaches are inevitable. The differentiator is how fast and effectively you respond.
For SaaS platforms, this means:
- Monitoring for OAuth token abuse
- Detecting drift in admin settings or permission sprawl
- Identifying excessive privileges before they’re exploited
- Enforcing least privilege and flagging unusual logins
Static, checklist-based security programs are no longer enough. Enterprises want vendors who can detect anomalies in real time and take corrective action—before risk snowballs.
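The three detection tasks above (drift in admin settings, excessive or dormant privileges, and unusual logins) are concrete enough to show in code. The following is an added example written for this post; it is not FrontierZero's product code and not taken from the letter. All tenant data in it is constructed: the baseline and current settings snapshots, the identity map, the login events, and the per-user set of known countries are hypothetical, as are the thresholds (`max_scopes`, `stale_days`).

```python
"""Posture checks over constructed SaaS tenant data: settings drift,
permission sprawl, and unusual logins. Illustrative code, not a vendor's product."""
from datetime import date, timedelta

# Constructed baseline and current admin settings for a hypothetical tenant.
BASELINE_SETTINGS = {
    "mfa_required": True,
    "session_timeout_minutes": 60,
    "allow_public_links": False,
    "oauth_third_party_apps": "admin_approval",
}
CURRENT_SETTINGS = {
    "mfa_required": True,
    "session_timeout_minutes": 480,
    "allow_public_links": True,
    "oauth_third_party_apps": "admin_approval",
    "api_tokens_never_expire": True,   # new key, absent from the baseline
}

# Constructed identity map: each user's role, granted scopes, last use, and who granted access.
IDENTITIES = [
    {"user": "alice@example.com", "role": "admin", "scopes": ["read", "write", "admin"],
     "last_active": date(2025, 5, 1), "granted_by": "bob@example.com"},
    {"user": "svc-backup@example.com", "role": "admin",
     "scopes": ["read", "write", "admin", "export", "billing", "users.manage"],
     "last_active": date(2025, 1, 3), "granted_by": "self-service"},
    {"user": "carol@example.com", "role": "member", "scopes": ["read"],
     "last_active": date(2025, 5, 6), "granted_by": "alice@example.com"},
]

# Constructed login events and the countries previously seen for each user.
LOGIN_EVENTS = [
    {"user": "alice@example.com", "country": "US", "ts": "2025-05-06T09:00:00Z"},
    {"user": "alice@example.com", "country": "BR", "ts": "2025-05-06T09:05:00Z"},
    {"user": "carol@example.com", "country": "US", "ts": "2025-05-06T10:00:00Z"},
]
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "carol@example.com": {"US", "DE"}}


def detect_settings_drift(baseline, current):
    """Return every key whose value differs between two snapshots.
    A key present in only one snapshot is reported with None on the other side."""
    drift = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            drift.append((key, old, new))
    return drift


def find_excessive_privileges(identities, today, max_scopes=4, stale_days=90):
    """Flag admins holding more scopes than max_scopes, and admins who have not
    been active for stale_days (dormant admin accounts are rarely reviewed)."""
    findings = []
    for ident in identities:
        if ident["role"] != "admin":
            continue
        if len(ident["scopes"]) > max_scopes:
            findings.append((ident["user"], "too_many_scopes"))
        if today - ident["last_active"] > timedelta(days=stale_days):
            findings.append((ident["user"], "dormant_admin"))
    return findings


def flag_unusual_logins(events, known_countries):
    """Flag logins from a country never seen before for that user."""
    return [(e["user"], e["country"], e["ts"]) for e in events
            if e["country"] not in known_countries.get(e["user"], set())]


def posture_report(today=date(2025, 5, 7)):
    """Bundle the three checks into one report a customer could consume."""
    return {
        "drift": detect_settings_drift(BASELINE_SETTINGS, CURRENT_SETTINGS),
        "privileges": find_excessive_privileges(IDENTITIES, today),
        "logins": flag_unusual_logins(LOGIN_EVENTS, KNOWN_COUNTRIES),
    }


if __name__ == "__main__":
    for section, items in posture_report().items():
        print(section)
        for item in items:
            print("  ", item)
```

Each check returns structured findings rather than prose, which is the form a customer's SIEM or posture tool can ingest. The drift check deliberately treats a key that appears only in the current snapshot as a change, since a newly introduced setting (here, non-expiring API tokens) is exactly the kind of silent change a static certification would never surface.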
“A shared responsibility model doesn’t mean shared visibility.”
This part of the letter strikes a nerve. Many vendors lean on the shared responsibility model to offload risk, but without offering their customers the visibility to manage it.
JPMorgan is effectively saying: if you don’t give us insight into your environment, we can’t trust you to manage risk. It’s not enough to say, “We’ve got it covered.”
They want proof:
- Logs
- Alerts
- Change histories
- Identity maps
Why This Letter Matters
For years, CISOs and security teams have struggled with the disconnect between security certifications and real-world risk. This letter puts that frustration into words.
What it validates:
- 🔥 The firewall is no longer the main battleground—SaaS is.
- 🕵️‍♂️ Shadow apps and integrations pose constant risk.
- 📉 SOC 2 doesn’t tell you what changed last week.
- ⚠️ Excessive permissions and misconfigurations are silent threats.
Most importantly, it signals a shift from periodic assessments to live posture monitoring.
What SaaS Vendors Should Do
For SaaS providers and vendors handling enterprise data, the message is clear: build visibility into your product—and your processes.
That includes:
- Offering real-time access and identity reports
- Flagging drift in settings, tokens, or access scopes
- Integrating with customers’ SIEM and posture tools
- Building support for continuous compliance
And for vendors using third-party SaaS tools themselves (as nearly all do), this visibility needs to extend inward—because you can’t outsource responsibility for the tools you use.
The FrontierZero Perspective
At FrontierZero, this letter is a rallying cry for exactly what we’ve built.
Our SaaS Security Posture Management (SSPM) platform is designed to:
- Map your full SaaS and AI environment
- Show who has access to what—and why
- Flag configuration drift, suspicious logins, and risky apps
- Support audit readiness for ISO 27001, SOC 2, NIS2, and more
The goal isn’t to replace your current stack—it’s to make it visible, accountable, and secure.
As JPMorgan wrote, “visibility is foundational.”
We believe it’s the future of SaaS security.
Further Reading: 📄 JPMorgan’s full open letter
Want to know what your SaaS environment actually looks like?
👉 Start a free FrontierZero trial and get visibility in 15 minutes.