The New State of Enterprise Identity Research Report Reveals Surprising Insights into How Companies Use Risk Data
An essential part of defining a comprehensive identity and access management (IAM) strategy involves prioritizing cybersecurity initiatives. In the new Saviynt and Ponemon Institute State of Enterprise Identity research report, more than 1000 IT and IT security practitioners in the United States (627) and EMEA (416) weigh in on their organizations’ programs and the solutions used to mitigate cybersecurity, identity & access, and compliance risks.
Let’s take a closer look at how they are (or are not) using risk data to inform priorities in their cybersecurity programs.
Risk Data is the Missing Piece
Based on the premise that you can’t protect against everything all the time, prioritizing risk efforts is essential. The threat landscape is constantly changing as attackers outpace technological advances. If you try to cover everything all the time, you might miss high-priority tasks that leave critical parts of your organization vulnerable. This is why collecting, examining, prioritizing, and responding to risk management data are so important.
One of the key benefits of cyber risk management is facilitating appropriate resource allocation. It answers the questions: where do I have the most exposure, and how can I better protect my organization from attacks? When you know these answers, you can address the risks that matter most for maximum risk reduction, achieving a more efficient allocation of people, processes, and budget.
Risk data is the missing piece. Ignore it at your peril.
Risk Assessment Frameworks: An Important Part of Risk Management
Cybersecurity Risk Assessment Frameworks (RAFs) are well-known and come in many forms. A few examples are:
They may each take a different approach, but they can all be characterized by providing organizations with a methodology to identify, measure, and prioritize security risks. Using an RAF helps companies assess, organize, and share risk information. They also provide consistent methods of assessment, reporting, and documentation.
However, the State of Enterprise Identity report found that organizations are not using risk data effectively, if they are using it at all. When asked to name their organization’s primary challenges in using risk data to inform cybersecurity initiative prioritization and decision making, 54% of respondents say they lack a defined risk assessment framework.
This finding is cause for concern. Risk assessments help an organization identify systems at high risk for attack. Without a consistent framework in play, organizations suffer from a lack of common vocabulary to discuss risks, a lack of consistent assessment methods, and either a lack of a uniform reporting system or no reporting system at all.
A possible reason for this is that risk assessments are subjective, and therefore may not meet their objectives consistently. This subjectivity may prevent them from being used as documentation for verification audits and compliance reviews. Organizations that don’t have an RAF in place – or have one but don’t use it – are missing a significant opportunity to address threats proactively, to hone their budgets accordingly, and to establish a risk-aware culture within their organizations.
Another issue with risk assessment frameworks is that many organizations have more than one in play. The Ponemon report found that 44% of respondents have multiple risk assessment frameworks in use. Because of this, respondents say they have trouble using their data to prioritize cybersecurity initiatives. Correlating risk assessments from multiple frameworks is complicated and open to interpretation and debate, which may contribute to this finding.
Some Don’t Use Risk Data to Prioritize Cybersecurity Initiatives
While organizations struggle to prioritize cybersecurity initiatives because of problems in collecting and assessing risks, the report also found that 44% of respondents say their organizations collect risk data but do not use it to prioritize cybersecurity initiatives. These organizations are missing an opportunity to boost security in the areas that matter most, possibly leaving the door open for cyber attackers.
And perhaps most concerning, 26% of respondents say their organizations do not currently map risks at all.
Cybersecurity Should Not Be a Gamble
Identity is one of the favorite attack vectors for bad actors. The Ponemon report found that more than half (56%) of respondents claim their business had an average of three data breaches or other access-related security incidents in the last two years. Further, 52% of these respondents claim the breach was due to a lack of comprehensive identity controls or policies. These results highlight the need for organizations to manage digital, workforce, and consumer identities across modern ecosystems with high-quality identity governance and administration (IGA) solutions.
Most organizations have a Governance, Risk, and Compliance (GRC) program relying on patchwork technologies to reduce risk. These technologies range from multi-factor authentication (MFA) to user and entity behavior analytics (UEBA), and security information and event management (SIEM). IGA supports deeper risk reduction because modern solutions can ingest data from other tools for more holistic security.
Many identity platforms promise – but don’t deliver – lower risk profiles, improved decision making, reduced compliance violations, and Zero Trust. But the right IGA platform is central to coordinated risk reduction and provides a framework for ongoing security effectiveness.