Why Identity Teams Need to Start Reporting to the CISO

COMMENTARY

Data breaches dominate headlines weekly, spotlighting chief information security officers (CISOs), who are under immense pressure to keep their organizations secure. The Securities and Exchange Commission's (SEC's) new four-day breach disclosure requirements, and requirement to annually share information about cybersecurity risk, put more accountability on CISOs than ever before. As a result, CISOs find themselves overseeing, and having more influence over, the largest elephant in the room: identity management. 

While reporting structures vary by organization and industry, most often, identity management reports to the chief information officer (CIO). Historically, organizations classify the process of onboarding, offboarding, and maintaining identity as more of an "enablement service" rather than a core security function that is critical to protecting the enterprise. If recent history has shown us anything, it's that identity is the linchpin of security and often the primary reason great companies with great security tools and teams still get breached.

Below, I'll dive into ways organizations can better position their identity security teams regarding reporting structure, roles, and training. 

CISOs Need a Clear View of Present Risks

Identity and access management (IAM) has long existed as a framework of operational security policy, and tools such as Active Directory and Okta have enabled organizations to manage digital identities. However, these tools require identities to remain secure within an organization's network. Look at what happens when an attacker gets a hold of compromised credentials: They can use them to move laterally throughout an organization. We saw in the Okta breach in 2023 that a leaked service account with access to view all support tickets and read uploaded files was used to steal sensitive customer information. Organizations must understand the differences between management tools and identity security tools. A unified security layer is required to keep organizations — and their sensitive data — safe. 

Identity Should Report to CISOs

Historically, CISOs struggle to influence identity. This includes limited visibility into everything from the Identity management to the security of it. Yet, in today's modern enterprise, the fiduciary responsibility of the CISO requires them to shape all aspects of the secure tools and policy ecosystem within an organization, including identity management. Further, the security organizations reporting to the CISO often serve as the effective "second line of defense" under risk management, since they are uniquely positioned to provide effective checks and balances on IT power. Identity, unchecked and ungoverned by an effective counter-balancing cyber-risk function, often leads to the emergence of unmanaged and overprivileged accounts, and shadow identities hidden deep within the IT organization. The benefit of aligning reporting to achieve this separation and quality control cannot be understated. 

A separation of responsibility between IT and identity security gives security organizations the authority to review identity requests against the security best practices. They can force the concept of least privilege and proper segmentation. These are just a few of the benefits that pay huge dividends down the road and help contain the exposure of an identity breach. 

CISOs Need Visibility and Empowerment to Change the Status Quo

CISOs need a direct line, clear ownership, and organizational accountability of identity. While many argue that a CISO can use influence alone to change the status quo and to enforce the core principles of the security program, this is a far harder thing to achieve in practice, at times becoming almost elusive and unattainable. Often, this results in a CISO becoming a CINO (chief in name only), lacking the ability to enact change through organization mandate. If the SolarWinds debacle and subsequent SEC action showed us anything, it's that organizations and boards must shift toward empowering CISOs with true organization power and capability to implement the security program and address the security risks inherent within their companies.      

Certainly, the sharing of responsibility between IT and security teams is needed, and influence is still a critical skill of CISOs. Rather, the shift I propose is aligning both accountability and responsibility under the CISO as a primary authority, effectively changing the nonexistent or dotted line to identity and other core functions to a bold, solid line. 

Closing the Gap through Identity Protection and Microsegmentation 

The CDK Global breach is the most recent example of a high-profile identity-related breach. This follows several others, including Change Healthcare and Santander Ban.

Years ago, organizations defaulted to multifactor authentication (MFA), believing their identity box was "checked," but that is not sufficient. Even more, we still see many companies only use MFA on initial login, or worse, for select users, applications, and resources. They are finding out they are the victims of attackers because they failed to universally protect the systems and data with strong identity access controls. 

The focus must be on enabling and denying access to critical assets, especially from the most privileged accounts where the exposure is greatest. Organizations should deploy identity protection to every human identity and non-human identity (like service accounts) by:

Lastly, security and IT teams must apply the concept of network segmentation to identity segmentation. The fundamental flaw in network segmentation alone is that organizations often bridge the network segment with a singular identity, thus defeating the intent of segmentation in the first place. As a result, that identity becomes compromised, and network segmentation fails to protect the organization against lateral movement and malicious malware propagation. Only by combining network and identity segmentation into a unified identity security approach can firms truly achieve the benefits of segmenting off critical assets and data. 

Transformational change often requires a new leader with a different skill set to oversee a problem. Identity management sits with IT for good reason, but now that it is abundantly clear that identity is the common denominator in every attack, it's time identity security is owned by a leader with a security background, like the CISO, and done in close partnership with IT. 

By following the best security practices for identity — also commonly used for endpoints and networks — such as ensuring users have the least privilege, aligning on what the company defines as normal activity, and then quickly spotting and stopping abnormal activity, organizations will be better protected from future attacks.