Expectations vs Reality: Going Back to Basics
Chris Owen: Companies come to us with aspirational goals. It may be that they hear the latest trends and industry buzzwords and are grappling with how to build requirements and implementation roadmaps to get to this PAM nirvana.
People are talking about the just-in-time access and zero standing privilege model. And they are asking about identity threat detection and response (ITDR), which suggests that companies are eager to embrace the promises of a reduced cyber attack surface, better intelligence, and more proactive security coming from their identity stack.
In reality, there is a large maturity gap between where organizations are and where they want to be. The majority of customers we speak to are still struggling to do the basics. So while we as an industry are thinking about next-level frameworks and feature innovations, we aren’t always keeping in mind what a hard slog it is for customers to get to that point. We might do better to reset people’s expectations in the conversations we’re having, which starts with mastering the basics.
Paul Fisher: You’re right. When I speak at industry events, I do feel sometimes I’m up there talking blue-sky concepts or what’s happening tomorrow. A lot of customers that attend are not necessarily the CISOs, but they are people that are being entrusted with setting up some kind of PAM system. Basic PAM tends to be all they want. They don’t necessarily need session management straight away. They don’t necessarily need all the bells and whistles and analytics that come with some PAM packages.
While we do tend to talk about what’s new and cool, we should also talk about things like just-in-time and zero standing privilege because these are ultimately the goals that we should be trying to achieve. And those two things can be combined with a simpler approach to PAM anyway.
CO: If you think about companies’ main objective when they implement a PAM solution, there are different drivers. It may be compliance, maybe security, best practice, cyber insurance—but ultimately reducing risk is the number one thing that organizations want to do. If we look back over the last 20 years of the privileged access market, our approach was right at the time, but is perhaps wrong now because it tended to be about centralizing privilege. So we implement a PAM tool, discover everything, store it in a vault, and then control access to it. In reality, this mitigates certain risks, but it does not deliver widespread risk reduction.