…Who Owns Identity and Access Management (IAM)?

Mobility and cybersecurity. While those two areas may have very different roles inside an IT organization and business, they both play integral parts in identity and access management. Given that, I’m always getting asked, “Who owns IAM?” Today, IAM is touched by multiple IT roles, such as app developers, IT operations, and security. CISOs are getting involved as well, at least in oversight roles. That’s because where there are identity and access, or identity repositories, you also have security risks, and need common oversight and common policy. What’s more, it’s important for all of these IT groups to be able to communicate about these policies amongst themselves in order to help keep the company safe and protect against potential threats. In this video, my colleague Jon Oltsik and I sit down to talk more about who owns IAM, and how IT professionals are leaning in to protect the company.


Cybersecurity Past to Predict the Future

As part of the recently published research report from ESG and the Information Systems Security Association (ISSA) titled, The Life and Times of Cybersecurity Professionals, 343 infosec pros were asked to identify the cybersecurity actions their organizations have taken over the past few years. This list serves as a good foundation for what we can expect in 2018. The top responses were as follows:


2018: The Year of Advanced Threat Prevention

A few years ago, the cybersecurity industry adopted a new mindset that went something like this: Cybersecurity controls are not very effective. Therefore, sophisticated cyber-adversaries can easily circumvent them, compromise networks, and execute data breaches. Hence, trying to prevent attacks is essentially a fool’s errand, so organizations should concentrate on incident detection and response. This line of reasoning was supported by an overly simplistic axiom that spread like wildfire in the industry: “There are two types of organizations. Those that have been breached and those that have been breached and don’t know it.” Now, I admit there was and still is some truth to these assumptions. Lots of security technology staples were porous in the past as they were designed to address known rather than zero-day threats. Furthermore, networks tended to be relatively flat and wide open for attack. With these shortcomings, many organizations shifted spending and focus to new technologies designed for threat detection like malware sandboxes, UEBA, EDR, network security analytics, etc. So, what happened? Firms were soon overwhelmed by disconnected technologies, mountains of new security data, and a cacophony of security alerts. Alas, many organizations realized then that they had neither the staff nor the skills to fully utilize this threat detection technology. Oh, and the pervasive cybersecurity skills shortage probably means that this situation won’t change anytime soon.


Cybersecurity, Mobility, and the Expanding Perimeter

As businesses lose control of devices and rapidly adopt cloud consumption models, identity and data have become the new perimeter for IT operations and information security teams to secure and protect. My colleague Jon Oltsik and I sit down together to highlight how mobility, identity, and security are creating technology challenges, organizational barriers, and business risks as the security perimeter expands at a faster pace than business can keep up with. The discussion draws attention to the IT vendors that are attempting to enhance security postures from within a silo as opposed to the new purview businesses are dealing with today.


Identity Management To-Do List Aligns…

My colleague Mark Bowker just completed some comprehensive research on identity and access management (IAM) challenges, plans, and strategies at enterprise organizations. As a cybersecurity professional, I welcome this data. Identity management should be a major component of an enterprise risk management strategy, yet IAM technology decisions are often treated tactically or left to application developers or IT operations staff who don’t always prioritize security in their planning. The ESG data suggest a change in the IAM weather – large organizations seem to be prioritizing security as part of their IAM strategies. ESG asked 273 to identify the initiatives that will be part of their IAM strategies over the next 24 months. The data reveals:
