Large organizations want to monitor user activities, move to multi-factor authentication, and get security more involved with IAM decisions.

My colleague Mark Bowker just completed some comprehensive research on identity and access management (IAM) challenges, plans and strategies at enterprise organizations. As a cybersecurity professional, I welcome this data. Identity management should be a major component of an enterprise risk management strategy, yet IAM technology decisions are often treated tactically or left to application developers or IT operations staff who don’t always prioritize security in their planning.

Security becomes a priority in IAM strategies

The ESG data suggest a change in the IAM weather — large organizations seem to be prioritizing security as part of their IAM strategies. ESG asked 273 cybersecurity and IT professionals to identify the initiatives that will be part of their IAM strategies over the next 24 months. The data reveals:

29% say they will monitor user activities more comprehensively. In other words, they will be on the lookout for account compromises and insider attacks. This may also be linked with UEBA deployment.

26% say they will replace user name/password authentication with multi-factor authentication (MFA) wherever possible. While monitoring users can be seen as threat detection, MFA is clearly part of threat prevention and a sound risk management strategy. MFA proliferation may also be related to GDPR or other compliance mandates.

23% say they will increase the participation of the security group in IAM decisions. This supports the move toward threat prevention and detection described above. That’s not surprising, since user accounts are often compromised using phishing attacks, social engineering or keyloggers.

20% say they will hire more IAM specialists in the cybersecurity department. Good idea — if you can find them.
The global cybersecurity skills shortage may make this hard to achieve.

I was talking to a CISO a few years ago about the proliferation of cloud and mobile computing. In describing his security response to these two trends, he said: “When I lose control of devices and servers, I need to make sure to establish as much control as I can in two areas — identity management and data security.” So henceforth, my CISO friend plans to treat identity management (and data security) as new security perimeters. The ESG data demonstrates that some organizations are following this sagacious advice. It’s a good start. Mark and I will be tracking how this trend progresses.