Identity-based challenges are becoming increasingly complex. As organizations seek to mitigate identity-based risks, CISOs may confront notable obstacles. 

Here, we talk to Alex Bovee, Co-Founder and CEO of ConductorOne, about the difficulties CISOs are facing with the modern identity security landscape. 

Security magazine: Tell us about your title and background.

Bovee: I’m the Co-Founder and CEO of ConductorOne, which provides a modern identity governance platform. My career has been largely focused on building products at the intersection of identity and security. After several years overseeing enterprise device security products at Lookout, I went on to serve as a product leader at Okta. While there, I was responsible for the company’s authentication, security, and privileged access management product lines, as well as Okta’s overarching zero trust product strategy.

It was during my time at Okta that I met Paul Querna, who would eventually become my fellow Co-Founder at ConductorOne. Paul and I were able to see first hand that the traditional approaches to identity governance (IGA) and privileged access management (PAM) were no longer sufficient for the way modern businesses operate. That’s why we founded ConductorOne — to give businesses the visibility, automation, and access controls they need to meet their compliance and security goals.

Security magazine: What are the top challenges CISOs face in identity security? 

Bovee: Every company has their own unique challenges, especially when it comes to identity security. However, we recently surveyed several hundred security leaders to find out what the most common obstacles are today. The results of the 2024 Identity Security Outlook Report found the top three identity security challenges were system complexity, organizational complexity, and limitations of existing tools.

The first issue, system complexity, probably comes as no surprise. Most businesses today operate with an intricate mix of SaaS, cloud, on-prem and homegrown systems. This complexity is compounded by external entities like contractors, as well as non-human identities (NHIs) like service accounts, API keys, and OAuth tokens. Actually being able to see and control access for all of these disparate systems can be a major hurdle.

Organizational complexity can further complicate matters. Because access management has been so closely tied to productivity, there can often be some resistance to change. Employees may also disregard policies and bring on new software applications without the knowledge of the IT or security team. These “shadow apps” pose a security risk, since they are not under management. 

The third most common challenge in identity security is inadequate tooling. In fact, a third of security leaders expressed dissatisfaction with the tools they’re currently using. Most of the legacy IGA tools haven’t changed much over the years, so businesses are struggling with long implementation times, high service costs, and poor user experiences — which can bring identity security programs to a grinding halt. 

Security magazine: How can CISOs combat these challenges?

Bovee: Addressing these challenges requires a lot more than just finding the right tool. It’s about creating a fundamental shift in the way we think about identity. 

For years, businesses have viewed identity as more of an IT and productivity issue. When new employees joined the company, it was about getting them access to the right systems as quickly as possible. It was about not slowing down engineering teams, so allowing them to keep standing access to critical systems. And when an employee changed roles or left altogether, businesses didn’t worry too much about permissions that were no longer in use. 

These practices left the door open for identity-based attacks, and cybercriminals wasted no time wedging that door open even further. As the saying goes, attackers are no longer breaking in, they’re logging in — using legitimate credentials to gain a foothold in the company’s systems. 

The most important thing CISOs can do is to address these challenges is to treat identity for what it really is — a security issue. That doesn’t mean that security has to come at the expense of productivity. In fact, the right identity security protocols can actually make it easier for employees to get access to the systems they need. 

Security magazine: In your opinion, what are the most prevalent identity-based risks or attacks organizations face today?

Bovee: Phishing is still one of the biggest issues that businesses face. With the advent of generative AI, attackers can produce very sophisticated phishing messages that look almost authentic — at a fraction of the cost and in a fraction of the time previously required to carry these attacks out. Beyond text and email scams, phone- and even video-based phishing attacks are now becoming commonplace. 

Another attack method that is far too common (and far too effective) is using stolen credentials to gain access to a company’s systems. This points to a larger issue of password reuse, as well as a lack of multi-factor authentication (MFA). Take, for example, the recent attacks targeting Snowflake customers. The only businesses that were impacted were those that did not have MFA in place, which goes to show just how important it is to have even the simplest protections in place. 

Security magazine: What are some best practices for preventing identity-based attacks?

Bovee: Preventing identity-based attacks starts with visibility — being able to see what permissions are in use across all of a company’s systems and applications. Once visibility has been established, companies should look for and remediate any security issues within their system, including addressing any unprotected access to critical applications or data.

After immediate security risks have been dealt with, the next step is to apply the principle of least privilege. This ensures that users only have access to the resources that are necessary for their role and nothing more. Regular access reviews should be conducted to ensure privileges aren’t being escalated over time.

Finally, businesses should ensure they are managing the lifecycle of identities well. This involves making sure that permissions are removed promptly when employees change roles or leave the company, which will reduce the potential for exposure if a company experiences a breach.

Security magazine: Anything else you’d like to add?

Bovee: As every CISO knows, there are no silver bullets when it comes to security. Instead, it’s all about reducing risk wherever possible to minimize the impact and severity of a security incident. 

Strong identity security is rooted in simple, foundational protocols that — when executed consistently — have a compounding impact on a company’s overall security posture. By getting these basics right, businesses can significantly reduce the potential blast radius of any attack.