Identity-First Security–Are You Ready?

11/03/23 • 31 min

CISO Edge, The Gartner Cybersecurity Podcast

In this episode of the CISO Edge podcast series, Gartner experts Mary Ruddy and Chris Mixter explore what cybersecurity leaders across the spectrum of identity and access management maturity need to do to accelerate their progress to an identity-first cybersecurity program. Decentralization of computing resources, channels, entities and devices makes traditional perimeter-based security strategies and tools insufficient. Security and risk management leaders must put identity at the core of cybersecurity strategy and invest in continuous, context-aware controls. However, getting to a level of IAM program maturity where you are able to deliver continuous, context-aware identity and access controls at scale feels like a massive leap to many CISOs, whose IAM programs struggle to deliver their basic capabilities at a consistent level of quality. This conversation will provide guidance to CISOs to enable their IAM teams to rapidly advance down the path to identity-first security.

Previous Episode

Stop Phishing Your Workforce!

Savvy cybersecurity leaders must look to new approaches to training employees to combat social engineering. While phishing tests are seen by cybersecurity leaders around the world as essential in the fight against email-based attacks, abundant evidence exists that the outcomes do not justify the investment. Phishing testing’s lessons are not extensible to other behaviors, the exercise foments a culture of distrust between cybersecurity and the workforce (name one other function that deliberately tries to to trick employees in the name of training), and, combined with the reality that it only takes one employee clicking to generate the worst-case outcome, phishing testing is more an exercise in security theater than a contributor to a secure culture.

Andrew Walls is a vice president and distinguished analyst in Gartner’s cybersecurity practice. Prior to joining Gartner in 2007, Andrew held cybersecurity leadership posts in industries from chemical/pharmaceutical R&D to banking.

Next Episode

Wrangling Third Party Cybersecurity Risk

Despite CISOs making meaningful increases in time, money and technology to third-party cyber risk management (TPCRM), enterprises continue to be plagued by disruptive third-party-originating cyber incidents. Chris Mixter and Rahul Balakrishnan use Gartner’s latest global benchmarking to debunk the conventional wisdom around TPCRM, which drives cybersecurity leaders to increase effort without improving outcomes. Chris and Rahul also provide three practices that CISOs can implement immediately to improve TPCRM effectiveness.

This episode explores:

Why cybersecurity should stop customizing due diligence questionnaires (06:20)
How to increase the likelihood that accepted third-party cyber risks become managed risks (13:30)
Making contingency planning a core element of third-party cyber risk management (21:45)