2024 IDSA identity survey

The results of the yearly IDSA (Identity Defined Security Alliance) survey are out, revealing some surprising and insightful numbers. Let’s dive in!

Identity: a growing priority 

Just how important is identity? The vast majority (73 percent) of respondents say it’s a top three priority, with 22 percent saying it’s the very top priority within their company’s security program. This shows a trend of increasing priority, as in the past two years, 16 percent and 17 percent of respondents named identity as their top priority. 

When asked about managing identity sprawl, again, the vast majority of respondents say it’s a focus – 57 percent claiming it is a major focus, 36 percent saying it’s a minor focus and only 7 percent saying it’s not a focus at all.

Identity-related security incidents are surprisingly common 

When asked about what kinds of identity-related security incidents they witnessed in the past year, experts cited various forms of phishing (including broad campaigns and spear phishing), with 69 percent experiencing it. This is followed by stolen credentials at 37 percent and brute force attacks (like password spraying and credential stuffing) at 35 percent. Compromised privileged identity – probably the single most dangerous incident type – stands at 33 percent. 

A clear snapshot of the current identity threat landscape: only 10 percent of respondents claimed they had not had any identity-related incidents in the past year. 

These incidents – while most of them are not full breaches – do have direct business impacts. The majority of respondents (52 percent) say these security incidents are a significant distraction from core business, closely followed by the cost of recovery (reparations, operational expenses) at 47 percent and reputational damage at 45 percent. All of these show major increases over last year (33 percent, 39 percent and 25 percent respectively). Again, it’s remarkable that only 16 percent of respondents say there was no direct business impact arising from these identity-related incidents, a very significant decrease from last year when 32 percent claimed no impact.

High-impact business outcomes like loss of revenue, customer attrition and legal action (lawsuits) stand at 26 percent, 24 percent and 17 percent respectively – very high numbers considering the stakes.

Incident response plans are the blueprints to follow in case of a major incident. The survey asked a very interesting question: “Just how many times did you invoke the incident response plan in the last year?” The answers are sobering. 48 percent say they invoked it more than three times, and only 6 percent say they didn’t have to touch the red envelope. It is somewhat reassuring that only 3 percent say they don’t have an incident response plan.

The challenges of identity security 

So, what are the biggest challenges in the IAM field? Sadly, nothing surprising in the answers. The most common answer is complexity: “Our technology environment is very complex” was the selected answer for 38 percent of respondents. Insufficient funding is a close second at the same 38 percent. The checklist goes on with staffing issues (“not enough people” – 34 percent) and the related “lack of expertise” at 28 percent.

Two interesting answers stand out. The first is “identity frameworks are complicated with multiple vendors and different architectures” at 30 percent. No wonder analysts and vendors are pushing hard for vendor consolidation in the IAM space – the customer is ready for a unified identity platform with simpler integration and better outcomes. The other notable response is that only 6 percent of respondents say that “nothing prevents us from doing more, we’re doing everything we need to do.” We’re envious.

Investment focus areas

What are these companies investing in? The clear leader is privileged access. A full 50 percent of respondents say they’ll invest in more timely review of privileged access, followed by 43 percent for timely review of access to sensitive data – an overlapping answer. The third major investment project is rolling out MFA at 37 percent. Understandable, as MFA is incredibly effective at countering brute-force attacks and it’s not the 90s anymore when an RSA hard token rivalled in prestige a Mercedes logo on a keychain. 

Privileged access comes up again, with 30 percent saying they’ll invest in discovering all privileged access rights – enumerating all those accounts with raised privileges is critical to a hardened cybersecurity posture. The theme continues, with implementing Least Privilege at 24 percent (investing to “grant privileged access according to the principle of Least Privilege”).

How do the experts score their companies on the maturity scale? Only 8 percent get the highest grade (“optimized”), with the vast majority (69 percent) claiming one step down (“well managed”). A classic case of not great, not terrible. 

For the complete survey results check the IDSA Trends in Identity Security report here.

Methodology 

The IDSA study is based on a survey by professional market research firm Dimensional Research. The study invited independent security and identity professionals in the United States, who were asked questions focused on their current plans, identity and security history, and other topics. In total, 521 qualified individuals completed the survey. According to the research firm, all had deep knowledge of IT security and identity, and had experience with organizations of over 1,000 employees.
