Have Identity Professionals Lost Their Perspective on Risk Mitigation?
It’s a fact: most major cybersecurity incidents involve a compromised identity. Yet most identity professionals don’t identify as risk mitigation professionals; they are focused instead on operational efficiency and business process management. So why the disconnect?
We asked David Lee, SecZetta’s Director of Product Management, one simple question: Have identity professionals lost their perspective on risk mitigation?
David’s response was swift. “Yes, they’ve lost their perspective, and the origin of that is because organizations historically keep risk, identity, and security as completely separate functions. When digital identities started to really take off and become more prevalent, it was turned into an IT function. That made sense at the time: identity was often categorized as the administration of all these different applications, and so settling under IT worked.” For that reason, identity became more focused on operational efficiency, and identity professionals’ primary responsibility was to ensure everyone got the access they needed in a timely fashion.
Over time, identity teams got used to asking themselves questions like: How many accounts are we giving? Are our users getting the access they need? Are we provisioning properly? But they were NOT asking questions like: What’s our true identity security control? What’s our overall security architecture? Are we doing enough to make sure our identities are safeguarded against breaches?
There were a few identity veterans who had been shouting about risk from the mountaintop for years, but because identity was buried in IT, identity risk just wasn’t a priority for most organizations.
“Identity teams drifted further away from risk and continued to be laser-focused on efficiency,” David said, and shared that although almost all identity products in the marketplace have some risk tools included, he estimates that only 10% of customers are actually using them. “So even today, after all these identity-related breaches, because of that IT background, identity professionals just don’t identify as risk mitigation professionals,” David asserted.
In fact, identity professionals rarely consider risk, and security professionals rarely consider identity in their risk work.
“I was speaking recently with a buddy of mine who’s in a security role. He wanted to know more about what identity and access management teams do, because he didn’t have much of a concept of it (which is itself telling),” David said. “When I explained to him what identity access controls were, a lightbulb went off!”
David started by explaining what his friend already knew, “that a lot of security is trying to stop someone from breaking into a network and gaining access to a system. But once a hacker does get in, the first thing he’ll do is attempt to move laterally…the hacker will attempt to access an account that has higher privileges. What my friend didn’t know until I broke it down is that identity and access controls can prevent the hacker from gaining the access he’s looking for. Even if someone gets into your system, if you’ve established proper identity controls, the hacker won’t be able to move sideways and take over access of another account. You’ll be able to stop them from gaining access to the privileged access that they’re looking for, where the real damage is done.”
If a proper provisioning system is established, and governance and Privileged Access Management (PAM) systems are in place and communicating with each other, an intruder who has landed on the network cannot quietly pick up a privileged account: the only path to that account runs through a PAM request, which triggers an IAM workflow, so the organization sees that someone is trying to gain access to a higher-privileged account. The control is not absolute, but it turns a silent privilege grab into a logged, reviewable event.
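The check implied by the paragraph above is that every addition to a privileged group should be backed by an approved request. The following is an added example, not code from SecZetta or from the original page: it reconciles a constructed directory change log against a constructed list of PAM/IAM requests and reports privileged grants that have no recent approved request behind them. The log line format, the group names, the four-hour approval window, and all sample data are assumptions made for the example.

```python
"""Reconcile privileged-group membership changes against approved access
requests. Added example; data, formats and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: these are the groups whose membership is privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "prod-db-admins"}


@dataclass(frozen=True)
class AccessRequest:
    """One PAM/IAM request as the governance system would record it."""
    request_id: str
    subject: str
    target_group: str
    approved: bool
    decided_at: datetime


@dataclass(frozen=True)
class GroupChange:
    """One membership addition as the directory audit log would record it."""
    subject: str
    group: str
    changed_at: datetime
    actor: str


def parse_group_change(line: str) -> GroupChange:
    """Parse a constructed audit-log line of the form
    '<iso-ts> MEMBER_ADDED group=<g> | subject=<s> | actor=<a>'."""
    ts, _event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(" | "))
    return GroupChange(
        subject=fields["subject"],
        group=fields["group"],
        changed_at=datetime.fromisoformat(ts),
        actor=fields["actor"],
    )


def find_unapproved_grants(changes, requests, window=timedelta(hours=4)):
    """Return privileged-group additions with no approved request for the same
    subject and group decided within `window` before the change. A denied,
    missing or stale request all count as unapproved."""
    approved = [r for r in requests if r.approved]
    findings = []
    for change in changes:
        if change.group not in PRIVILEGED_GROUPS:
            continue  # ordinary group; outside the scope of this check
        backing = [
            r for r in approved
            if r.subject == change.subject
            and r.target_group == change.group
            and timedelta(0) <= change.changed_at - r.decided_at <= window
        ]
        if not backing:
            findings.append(change)
    return findings


# Constructed sample data: one approved request, one denied, one stale.
SAMPLE_REQUESTS = [
    AccessRequest("REQ-1001", "alice", "prod-db-admins", True,
                  datetime(2024, 3, 1, 9, 0)),
    AccessRequest("REQ-1002", "bob", "Domain Admins", False,
                  datetime(2024, 3, 1, 9, 30)),
    AccessRequest("REQ-1003", "dave", "prod-db-admins", True,
                  datetime(2024, 3, 1, 9, 0)),
]

SAMPLE_LOG = [
    "2024-03-01T09:15:00 MEMBER_ADDED group=prod-db-admins | subject=alice | actor=iam-connector",
    "2024-03-01T10:00:00 MEMBER_ADDED group=Domain Admins | subject=bob | actor=svc-backup",
    "2024-03-01T10:05:00 MEMBER_ADDED group=helpdesk | subject=carol | actor=iam-connector",
    "2024-03-02T08:00:00 MEMBER_ADDED group=prod-db-admins | subject=dave | actor=dave",
]

SAMPLE_CHANGES = [parse_group_change(line) for line in SAMPLE_LOG]


def report(changes=SAMPLE_CHANGES, requests=SAMPLE_REQUESTS):
    """Human-readable findings, one line per unapproved privileged grant."""
    return [
        f"{c.changed_at.isoformat()} {c.subject} added to '{c.group}' by "
        f"{c.actor}: no approved request within window"
        for c in find_unapproved_grants(changes, requests)
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

In the sample data, alice's grant is backed by an approved request and is ignored, carol's change is to a non-privileged group and is out of scope, bob's grant follows a denied request, and dave's grant was made by dave himself a day after his approval expired; the last two are the grants the paragraph above says a connected IAM/PAM setup should surface.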
But when that identity structure isn’t there, it’s incredibly easy for a hacker to move around. David described, “When I laid all of this out to my security friend, his mind was blown. He had no idea…no clue. So, this disconnect goes beyond identity – the disconnect exists in identity, in security, in risk. A lot of teams don’t think about the other functions outside of their own…and that’s a huge problem.”
“I’ve noticed some winds of change here,” David observed. “I’ve heard more instances of identity teams being moved underneath the CISO, which I’m encouraged by. Some CISOs get it: they’re working more with their identity teams to get more serious about risk mitigation. But a lot of organizations still have a long way to go.”
Are you an identity professional worried about risk? Then spend 3 minutes answering questions to evaluate your organization’s level of maturity in managing third-party identity lifecycle and risk, and instantly receive a custom maturity assessment.
SecZetta provides third-party identity lifecycle management solutions that are easy to use and purpose-built to help organizations automate risk-based identity lifecycle management processes for non-employee populations.
With our solution, organizations are uniquely able to collect third-party, non-employee data in a collaborative and continuous manner, from both internal and external resources, throughout the lifecycle of the third party. This creates an identity authority for third-party individual user data that organizations can use to automate key identity processes and improve operational efficiency and accuracy in onboarding, streamline compliance audits, provide identity verification, and deprovision access in a timely manner. Take a self-guided product tour now.