There is no doubt cybersecurity has become a board-level issue in recent years. The proliferation and severity of attacks on organisations have led to executives taking greater responsibility for cybersecurity decision making.
Ultimately, this has changed the CISO role. CISOs are no longer technical subject matter experts and have, instead, become executive risk managers who share a responsibility matrix with the board, CEOs, and other executives. At the highest level, CISOs care about the organisation’s revenue, mission, risk and costs, leading to strategic questions about assurance, compliance and security practices.
Exec perception doesn’t match reality
With the CISO role changing, security measures that protect businesses from modern-day threats and attacks are vital. This is where the need for a robust identity security strategy comes to the fore. Our latest research, the Identity Security State of the Market Survey, indicates that in 2023, 81% of 1,500 respondents will exponentially increase their spending on identity security as part of their cybersecurity budget. This will drive varied perceptions across C-level executives.
The research also finds that C-level executives are bullish about their organisation’s ability to mitigate identity security-related risk – more so than other personnel deemed technically astute and aware of the complexities of their organisation’s IT environment. It’s a concerning trend, with this disconnect one of the catalysts of identity-related cyber incidents.
Consequences of the changing role
Executive perception that diverges from reality, especially around cybersecurity, is damaging. The proof comes from our aforementioned research, which indicates that, in 2022, 58% of exec respondents believed they made the right identity security decisions. This didn’t reflect the facts though, with 63% indicating they suffered at least one successful identity-related attack that year.
This perception gap could indicate a significant problem: a lack of understanding around what a robust identity security strategy means beyond investment into tools and solutions. While allocating line-item budgets to procure identity tools is the first step in stopping these attacks, additional measures need to be implemented.
The real-world impact
Of the 63% of respondents who fell victim last year to an identity-related cyberattack, 27% experienced more than one attack. The impact of this is multi-fold.
The short-term impact includes delayed projects due to the significant manpower and time allocated to resolving the issue. Alongside this, products and services are affected, causing issues such as customer experience degradation and potentially lost revenues, compliance fines, and extensive audits.
With cybersecurity being a board-level issue then, security teams can’t afford for these impacts to come to fruition. The best way to stop this is through securing identities correctly.
Identity Security’s four tenets
IDC predicts that by 2025, 45% of CEOs - fatigued by security spending without predictable ROI - will demand security metrics and results measurement to assess and validate investments made by their security program. When looking at our research in conjunction with this forecast, we believe this situation has the potential to materialise sooner.
The proliferation of identities and endpoints, and the increased vulnerabilities arising from inadequately secured identities, are a significant cause for concern, especially in conjunction with the fact that respondents reported the use of over 70 security vendors on average. This is a bleak picture.
Much like Zero Trust, identity security is a strategy rather than a set of point tools or solutions. Our research identifies four key tenets that are foundational to a robust identity security strategy: tools, integration, automation, and continuous threat detection and response. Organisations adopting this holistic approach will mature their identity security strategies while closing the perception vs. reality gaps that exist across their executive leadership team as well as their security decision makers and practitioners.