Contributing Writer

Identity management to-do list aligns with cybersecurity

Nov 07, 2017 (2 min read)
Identity Management Solutions, Security

Large organizations want to monitor user activities, move to multi-factor authentication, and get security more involved with IAM decisions.

[Image: two token authentication locks. Credit: Thinkstock]

My colleague Mark Bowker just completed some comprehensive research on identity and access management (IAM) challenges, plans and strategies at enterprise organizations. As a cybersecurity professional, I welcome this data. Identity management should be a major component of an enterprise risk management strategy, yet IAM technology decisions are often treated tactically or left to application developers or IT operations staff who don’t always prioritize security in their planning.

Security becomes a priority in IAM strategies

The ESG data suggest a change in the IAM weather — large organizations seem to be prioritizing security as part of their IAM strategies. ESG asked 273 cybersecurity and IT professionals to identify the initiatives that will be part of their IAM strategies over the next 24 months. The data reveals:

  • 29% say they will monitor user activities more comprehensively. In other words, they will be on the lookout for account compromises and insider attacks. This may also be linked with the deployment of user and entity behavior analytics (UEBA).
  • 26% say they will replace user name/password authentication with multi-factor authentication (MFA) wherever possible. While monitoring users can be seen as threat detection, MFA is clearly part of threat prevention and a sound risk management strategy. MFA proliferation may also be related to GDPR or other compliance mandates.
  • 23% say they will increase the participation of the security group in IAM decisions. This supports the move toward threat prevention and detection described above. That’s not surprising, since user accounts are often compromised using phishing attacks, social engineering or keyloggers.
  • 20% say they will hire more IAM specialists in the cybersecurity department. Good idea — if you can find them. The global cybersecurity skills shortage may make it difficult to make this happen.

I was talking to a CISO a few years ago about the proliferation of cloud and mobile computing. In describing his security response to these two trends, he said: “When I lose control of devices and servers, I need to make sure to establish as much control as I can in two areas — identity management and data security.” So henceforth, my CISO friend plans to treat identity management (and data security) as new security perimeters. 

The ESG data demonstrates that some organizations are following this sagacious advice. It’s a good start. Mark and I will be tracking how this trend progresses. 

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.