Have identity professionals lost their perspective on risk mitigation? – Security Boulevard

It’s a fact: most major cybersecurity incidents involve identity compromise. Yet most identity professionals do not see themselves as experts in risk mitigation; they focus on operational efficiency and business process management instead. So…why the split?

We asked David Lee, Director of Product Management at SecZetta, a simple question: Have identity professionals lost their perspective on risk mitigation?

David’s reply was quick. “Yes, they’ve lost their perspective, and that’s because organizations historically have viewed risk, identity, and security as entirely separate functions. As digital identities really took off and became more common, it became an IT function. That made sense at the time – identity was often categorized as managing all these different applications, and that’s how it worked to settle under IT.” Because of this, identity became more focused on operational efficiency, and the primary responsibility of identity professionals was to ensure that everyone got the access they needed in a timely manner.

Over time, identity teams have grown used to asking themselves questions like: How many accounts do we provision? Are our users getting the access they need? Are we preparing properly? But they did NOT ask questions like: What are our actual identity security controls? What does our overall security architecture look like? Are we doing enough to ensure our identities are protected from misuse?

There were a few identity veterans who yelled about risk from the mountaintop for years, but with identity buried in IT, identity risk just wasn’t a priority for most organizations.

“Identity teams have moved further away from risk and continued to focus on efficiency,” David said, sharing that while almost all identity products on the market include some risk tools, he estimates that only 10% of customers actually use them. “Even today, after all these identity-related breaches, because of this IT background, identity professionals just don’t identify themselves as risk mitigation professionals,” David claimed.

The split runs both ways: identity professionals don’t factor risk into their work, and security professionals don’t factor identity into their risk work.

“I recently spoke to a mate of mine who is in a security role. He wanted to know more about what identity and access management teams are doing because he didn’t know much about it (which is insightful in itself),” said David. “When I explained to him what identity access controls are, a lightbulb went on!”

David began by explaining what his friend already knew, “that many security measures try to prevent someone from hacking into a network and gaining access to a system. But once a hacker breaks in, the first thing they try to do is move sideways… The hacker tries to access an account that has higher privileges. What my friend didn’t know until I broke it down is that identity and access controls can prevent the hacker from getting the access they want. Even if someone breaks into your system, the hacker cannot move sideways and gain access to another account if you have proper identity controls in place. You can prevent them from gaining access to the privileged access they are looking for, where the real damage is done.”

When a proper provisioning system is in place alongside governance and privileged access systems, and the three communicate with each other, there is no chance of someone outside the network quietly gaining access to a privileged account. Any such request would have to come through Privileged Access Management (PAM), which would trigger the IAM request, and your organization would see someone trying to gain access to an account with higher privileges.

But when that identity structure isn’t in place, it’s incredibly easy for a hacker to move around. As David put it: “When I told all of this to my security friend, he was overwhelmed. He had no idea… no idea. So this separation goes beyond identity – the separation exists in identity, in security, in risk. A lot of teams don’t think about the other functions outside of their own… and that’s a big problem.”
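The cross-check described above, where the PAM broker and the IAM governance record explain every privileged login, can be written as a small correlation rule. This is an added illustration, not SecZetta's product or code; the record layouts, account names and log entries are constructed assumptions.

```python
"""Correlate privileged-account logins with PAM checkouts and approved IAM entitlements.

Added illustration (not the page's or SecZetta's code). A privileged login that was
never brokered through PAM, or that was brokered for an identity with no approved
entitlement, is exactly the lateral move the article says proper controls surface.
"""

# Governance record: which identities were approved for which privileged accounts.
# Constructed sample data.
APPROVED_ENTITLEMENTS = {("alice", "svc-db-admin"), ("bob", "svc-backup")}

# PAM broker log: every credential checkout records who took which account.
# Constructed sample data.
PAM_CHECKOUTS = [
    {"user": "alice", "account": "svc-db-admin"},
    {"user": "bob", "account": "svc-db-admin"},   # checked out, but never approved in IAM
]

# Directory authentication log for privileged accounts: the account used and the
# user session it came from. Constructed sample data.
PRIV_LOGINS = [
    {"account": "svc-db-admin", "from_user": "alice", "host": "db01"},
    {"account": "svc-db-admin", "from_user": "bob", "host": "db01"},
    {"account": "svc-backup", "from_user": "carol", "host": "fs02"},  # no PAM checkout at all
]


def review_privileged_logins(logins, checkouts, entitlements):
    """Return (from_user, account, reason) for each login the identity controls cannot explain."""
    brokered = {(c["user"], c["account"]) for c in checkouts}
    findings = []
    for login in logins:
        key = (login["from_user"], login["account"])
        if key not in brokered:
            # The login bypassed the broker entirely: governance never saw a request.
            findings.append((*key, "privileged login with no PAM checkout"))
        elif key not in entitlements:
            # The broker handed out a credential the governance system never approved.
            findings.append((*key, "PAM checkout without an approved IAM entitlement"))
    return findings


if __name__ == "__main__":
    for finding in review_privileged_logins(PRIV_LOGINS, PAM_CHECKOUTS, APPROVED_ENTITLEMENTS):
        print(finding)
```

Alice's login is explained by both records and produces nothing; Bob's and Carol's each produce one finding for a security team to review.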

“I’ve noticed some changes here,” David noted. “I’ve heard of more cases where identity teams have been moved under the CISO, which gives me encouragement. Some CISOs get it — they’re working more with their identity teams to take risk mitigation more seriously. But many organizations still have a long way to go.”

As an identity professional, are you concerned about risk? Then spend 3 minutes answering a few questions to assess your organization’s maturity in managing third-party identity lifecycle and risk, and instantly receive a custom maturity score.

About SecZetta

SecZetta offers third-party identity lifecycle management solutions that are easy to use and purpose-built to help organizations automate risk-based identity lifecycle management processes for non-employee populations.

With our solution, organizations are uniquely able to collect collaborative and continuous third-party data throughout the third-party lifecycle, coming from both internal and external resources. This creates an identity authority for individual third-party user data that organizations can use to automate key identity processes and improve operational efficiency and accuracy in onboarding, streamline compliance audits, provide identity verification, and revoke access in a timely manner. Take a self-guided product tour now.
