With identity's emergence as the new perimeter, its role in supporting digital transformation, cloud adoption, and a distributed workforce is not being overlooked by today's enterprises. According to a recent report (registration required), 64% of IT stakeholders consider effectively managing and securing digital identities to be either the top priority (16%) of their security program or in the top three (48%). Despite this, businesses continue to struggle with identity-related breaches — 84% of the security and IT pros reported their organization suffered such a breach in the past year.
Getting buy-in for identity-centric security is vital, but making a case for investing in cybersecurity isn't about trafficking in FUD (fear, uncertainty, and doubt). Pushing identity further into strategic discussions requires the ability to demonstrate business value — to showcase how identity-based security aligns with and supports business objectives.
Almost all participants in the survey (98%) said the number of identities in their organization was increasing, with commonly cited causes including cloud adoption, more employees using technology, increasing third-party relationships, and growing numbers of machine identities. In this environment, many of today's enterprises have found themselves under immense pressure to ensure seamless and secure access to data and resources in an environment growing more distributed and complex.
This complexity, combined with motivated attackers and the increasing number of identities that must be managed, makes effective identity management a critical part of enabling business operations. Among the organizations that experienced an identity-related breach in the past year, the common threads were issues such as stolen credentials, phishing, and mismanaged privileges. The direct business impacts of a breach can be significant — with 42% citing a significant distraction from the core business, 44% noting recovery costs, and 35% reporting a negative impact on the organization's reputation. Loss of revenue (29%) and customer attrition (16%) were also reported.
Translating IT Needs into Business Needs
The case for focusing on identity is clear, but how do we begin translating IT needs into business needs? Step one is aligning the organization's priorities with where identity-centric security can fit in. Business goals tend to revolve around reducing costs, increasing productivity, and minimizing risk. Conversations about identity-based security, therefore, must demonstrate how that approach can advance some or all these points.
From the standpoint of productivity, for example, tight identity governance simplifies user provisioning and reviews of access rights. That means employees can be onboarded faster, and any departing employees will have their access revoked automatically. Eliminating manual efforts reduces the chance of error, including users with excessive privileges creating an unnecessary risk of exposure. The more streamlined and automated the processes around identity management are, the more efficient the business is — and the more secure.
As noted earlier, some of the driving forces for the growth in identities include cloud adoption and a spike in machine identities. The growth of machine identities is linked in part to Internet of Things (IoT) devices and bots. IoT and cloud are often parts of digital transformation strategies that can easily get hung up by concerns about access and the consistent enforcement of security policies. This reality presents an opportunity to frame discussions about security around how the business can adopt these technologies safely and without sacrificing compliance and security requirements.
Frame Security Discussions in Breach Context
Multifactor authentication (MFA), for example, was cited by many IT and security professionals as a measure that could have prevented or minimized the impact of the breaches they experienced. MFA is vital to enforcing access control, particularly for businesses with remote workers or those using cloud applications and infrastructure. Like them or not, passwords are ubiquitous. But they are also an attractive (and relatively easy) target for threat actors looking to access resources and gain a deeper foothold in your environment. Along with other identity-centric best practices that improve security posture, MFA provides another layer of defense that can bolster an organization's security.
In addition to MFA, IT and security pros commonly noted that more timely reviews of privileged access and continuous discovery of all user access rights would have prevented or lessened the effect of a breach. While many of these remain works in progress, overall, it appears organizations are starting to get the message.
When asked if during the past year their organization's identity program was included as an area of investment as part of any of these strategic initiatives — zero trust, cloud adoption, digital transformation, cyber-insurance investments, and vendor management — almost everyone chose at least one. Fifty-one percent said identity had been invested in as part of zero-trust efforts. Sixty-two percent said it was included as part of cloud initiatives, and 42% said it was part of digital transformation.
Getting started with identity-based security need not be overwhelming. However, it does require an understanding of your environment and business priorities. By focusing on how an identity-centric approach to security can support business objectives, IT professionals can get the leadership buy-in they need to implement the technology and processes that will raise the barrier of entry for threat actors.