Combining identity and security strategies to mitigate risks
Last week, the Identity Defined Security Alliance (IDSA), a nonprofit that provides vendor-neutral resources to help organizations reduce the risk of a breach by combining identity and security strategies, announced Jeff Reich as the organization’s new Executive Director.
This was the perfect opportunity to talk with Jeff. In this Help Net Security interview, you can learn more about identity security and the evolving threat landscape.
Identity-related breaches have increased significantly. How do you expect the threat landscape to evolve this year?
Identity-related breaches are now part of our lives. I cannot name anyone I know who has not been affected by at least one identity-related breach. We can never ignore the social engineering aspect that remains the most common threat used by threat actors to cause breaches at all scales. This means that each of us needs to be aware of the risks whenever we are faced with a question or challenge that requests or requires personal information.
I expect to see some threat actors beginning to use artificial intelligence to drive their attacks even more. Predictive analysis and artificial intelligence can enable threat actors to rapidly adapt to our defenses and reach more victims through customized, regional, and more focused attacks. Combining that with more sophisticated ransomware and phishing attacks, I only see the threat landscape becoming more complex and challenging.
The lines of demarcation between identities at work and home are beginning to become blurry. If the past three years have taught us anything, it’s that people will adapt to the situation presented to them. That often means bypassing traditional controls—and all it takes is one mistake to let the threat actors thrive. When something like ransomware takes hold, it’s more than just a loss of operational data; it often means that access controls are locked as well because user identification and authentication data are locked.
The downstream effect of ransomware in this manner means that mechanical safety controls in manufacturing, patient outcomes in hospitals, and life safety response in emergency management are brought to a standstill. When you cannot authenticate to access the controls, they don’t work. Worse, they may continue to function, out of control. All of this is on top of the financial losses that can occur. I believe that this is what we may be looking at in 2023 unless we stay on top of our environments.
What advice would you give to CISOs that are struggling to manage risk while making technology investments to boost their identity and security strategies?
When you are managing risk, life should be simple. Never spend more avoiding, mitigating, or transferring risk than you might lose by accepting risk. This is a critical component of your risk appetite. When you cannot quantify your risk appetite, you are flying blind and you will spend more than you need while risking losing more than you can afford.
The best advice that I can give regarding technology investments is to not spend anything until you determine what you need. Although it may seem like we always try to do that, it’s very easy to be attracted to shiny new features and functionality. There are a lot of great tools and services available in the market and more new ones by the day. Consider avoiding the budget question of “Do I need this?” after seeing the tools and, instead, ask, “What features do I need?” BEFORE looking at any tools or services. Those requirements should drive your tool acquisition behavior. Don’t be another enabler of shelfware.
As cited in the IDSA’s 2022 Trends in Securing Digital Identities, based on the realities of more than 500 individuals responsible for IT security or identity at companies with more than 1000 employees, 97% will be investing in identity-focused security outcomes, the same as the previous year. That is excellent news because it means that most larger organizations see the importance of identity security. Determine where your vulnerabilities are, what threats and threat actors can exploit them, and spend your money wisely.
How do you plan to prioritize and manage your time and resources as Executive Director? What are your priorities?
My number one priority for the IDSA is serving our Members. I intend to deliver this service through:
- More webinars and learning opportunities
- Greater reach into the Identity Vendor community
- More visibility into the general technology provider space so more organizations can take advantage of IDSA benefits
- Increased membership to have more diverse solutions and participation
I look forward to hearing from all current and future IDSA constituencies to enable them to #BeIdentitySmart!