Sixty percent of IT Security decision makers believe their overall security strategy does not keep pace with the threat landscape and that they are either lagging behind (20%), treading water (13%), or merely running to keep up (27%), according to a Delinea survey. 

The report, which surveyed 2,100 IT security decision makers in more than 20 countries, also highlights differences between the perceived and actual effectiveness of security strategies. While 40% of respondents believe they have the right strategy in place, 84% of organizations reported that they had experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.

The report explores three main key findings:

1. Despite good intentions, over 60% of companies have a long way to go to protect privileged identities and access. 

Most organizations recognize that protecting privileges and identities is a top priority to reduce risk. Ninety percent of respondents agree that identity security is important to meeting business goals. Eighty-seven percent agree that securing identities is a top priority for the next 12 months.

While most organizations talk the talk, they aren’t walking the walk. Only 40% of respondents say their security strategy is keeping pace with the threat landscape. The bulk is falling behind, treading water, or running to keep up. Most haven’t adopted best practices and solutions in their privileged access management (PAM) journey. 

2. Human accounts are getting security attention, while machine identities are vulnerable.

The research found that most organizations implementing privileged access security measures have prioritized the human side. In fact, 63% of organizations have deployed privileged access security measures for user identities. Among the types of human accounts most protected by these measures are IT admins and security teams, followed by developers. Typically, these types of accounts involve people logging onto web applications, databases, and other infrastructure for configuration, troubleshooting, and hands-on operational support.

However, organizations have been slower to protect non-human privileged identities, leaving them exposed and vulnerable to attack. Just about half are protecting application and service identities, and less than half include DevOps and machine identities in their PAM strategy. 

3. Plans for next year focus on incremental security controls, but are missing the big picture to drive real change.

Organizations are looking ahead and making plans to invest in additional measures to improve security. Almost 90% recognize the importance of identity security as a top priority to help achieve business goals, and 87% plan to act to secure privileged identities within the next 12 months. 

However, 75% of organizations believe they will fall short of protecting privileged identities because they won’t get the support they need, and it really comes down to budget and executive alignment. Only 37% say that identity security is well understood by their company’s board and viewed as an enabler for better business operations.

While organizations have made progress toward a more secure future, they have a long way to go. Delinea Chief Security Scientist and Advisory Chief Information Security Officer (CISO) Joseph Carson says the most important takeaway from the research is that the security gap is continuing to get larger.

“While many organizations are on the right path to securing and reducing cyber risks to the business, the challenge is that large security gaps still exist for attackers to take advantage of. The security gap is not only increasing between the business and attackers but also the security gap between the IT Leaders and the business executives. While in some industries, this is improving, the issue still exists, Carson explains. Until we solve the challenge on how to communicate the importance of cybersecurity to the executive board and business, IT leaders will continue to struggle to get the needed resources and budget to close the security gap.”  

So, how can organizations improve their identity management? Carson recommends organizations start with an IAM plan on how to federate their existing identities and what risks they expose to the business, including following a privileged access management checklist to help map out a plan and a journey to secure privileged identities.

 For more information, insights and guidance, download a copy of the full report at