CIOs and CISOs have a tough job. They are juggling an overwhelming number of competing priorities—dwindling budgets, empowering efficiencies—all while evolving the digital ecosystem to match pace with the speed of innovation and change happening across the business.
In July 2022, Christina Langfus took over the position of Area Vice President Sales DACH at SailPoint, a leading provider of identity security for the modern enterprise. In order to meet customers’ expectations for added value, Langfus plans to expand both her team and partner relationships to strengthen SailPoint’s position in the region.
In the following article, Christina shares her thoughts on the challenges enterprise security faces and how viewing enterprise security through the correct lens is essential to a successful identity program.
Cybersecurity is one of the topics that companies are most concerned about right now. Almost every day, we read about attempted or successful attacks on companies. An increasingly complex component of this equation: important business processes are more commonly taking place outside the company network through remote work and cloud services. This change in security boundaries makes employees, suppliers and bots potential targets for cybercriminals with increasing frequency. An effective enterprise security strategy must therefore also include an identity security strategy. Instead of wearing blinkers when it comes to the issue of enterprise security, companies should take a step back and check whether they are really on the right track to an effective enterprise security strategy.
A lot of this falls to CIOs and CISOs. Admittedly, they have a very tough job. They are juggling an overwhelming number of competing priorities—dwindling budgets, empowering efficiencies—compounded with more information than ever, all while evolving the digital ecosystem to match pace with the speed of innovation and change happening across the business.
So, it’s not all that surprising that some CIOs and CISOs look at enterprise security not holistically but in a fragmented way. Enterprise security is much more than just protecting the perimeter. It is no longer enough to protect the enterprise from attackers by building a – metaphorical – moat. Today, identities are the core of securing your enterprise. For hackers, they are the most straightforward and easiest way to compromise an organization: Target just one identity and one point of access and you’re in. It’s that simple.
Taking it a step further – once you build a cyber security strategy that starts with identity security at the core, make sure you’re looking at it through the correct lens. While identity security has been around for many years, many organizations still view identity as an efficiency play alone and, to that end, acquire inadequate solutions to secure their enterprise. More often than not, this “minimum viable” or “good enough” option – often owned by the IT team and not supported and backed by the management – tends to be centred around gaining access for the employees: “I have to get my people access to the technology they need to work efficiently.” We saw this in quantum leaps during the pandemic, as companies immediately went to a “virtual workforce” that needed “access.” Companies quickly learned that providing access does not always mean secure access. While it’s great to ensure your workforce has access to key technologies, data, and cloud resources, all that access must be protected, with the right level of security controls in place to ensure that the access being granted is based on job need and role and that, if/when that access is no longer required, it’s shut down. It’s the latter piece that’s harder to get right the larger the enterprise – access needs can change quickly and often, so keeping up with that rate of change is critical and calls for a strategic approach that goes beyond the IT department. Successful implementation needs the support of management, the HR department and – at least in Germany – sometimes even the “Betriebsrat” (works council) to ensure that this type of process change is also accepted by the workforce.
Enterprise security is no longer about the so-called perimeter. It’s not just about access. Nor is it just about efficiency. It IS about security and, ultimately, cyber risk mitigation. It IS about identities.
And when you’re talking about a large, complex enterprise, companies with thousands and thousands of identities, employees joining the company, moving within the company, and leaving the company daily, an inadequate identity security programme adds up to a lot of potential risk for your company. What most companies are not aware of is that it really only takes one. One compromised identity. One compromised access point, and hackers have access to your—and your customer’s—data. That’s the lens companies need to be looking through – one of risk mitigation. And that requires quite a bit of effort.
As described above, the fluctuation of employees, and therefore the permissions and access points that need to be adjusted, quickly exceeds human capacities. To keep up with the rate of change and scale of identity and access decisions at the enterprise level, companies need to rely on AI/ML to automate identity decisions. AI can never replace human expertise. But it can complement it by using algorithms as a multiplier to support IT and security teams in allocating the available resources in the most efficient way.
To have a holistic picture of every identity and every access point, you need an AI-enabled platform that infuses identity intelligence into every security decision, and that connects to all your other technology investments. This is the secure path forward to grant access quickly and autonomously while dynamically addressing and managing identity decisions – at scale.
When you start to look at enterprise security through this “identity security lens,” everything gets a lot clearer. Now, you’re looking at your business the right way, focusing on securely enabling your modern enterprise. Even though the people are the ones who are responsible for the company’s success and make it a valuable workplace in the first place, they are also the greatest points of risk and provide the biggest gateway for cybercriminals. It’s about efficiency, security, AND cyber risk mitigation. You can’t pick and choose – your identity strategy must deliver all three.
As we face a macroeconomic environment where CIOs and CISOs are questioning every single dollar spent, ruthless prioritization will be critical for success. Additionally, no CISO or CIO wants to be on the hook for a significant breach that costs their company potentially millions of dollars and significantly damages the company’s reputation. The CIOs or CISOs—and their enterprises—that will be successful are the ones who will look at their enterprise security programme in its entirety and ruthlessly prioritize that investment, getting buy-in across the business to ensure all access and all identities are secure.