A new year brings with it new opportunities; a fresh start!
Having recently taken some time to reflect on the past year in a previous post – Looking Back: Identity & Access Management in 2022 – it’s time we look ahead at the rest of the year to come (it’s already the end of January?! Maybe this is more of a Lunar New Year kickoff?).
The prior post has already covered some topics you might expect to find here as predictions for 2023, but which we're already seeing in the IAM and greater Security/Risk spaces (Zero Trust + Identity, Authorization ventures, and more).
We may not know exactly what the future holds, but it sure is fun to think about, and predict: imagine the possibilities!
Without further ado, here are 5 Predictions in IAM for 2023:
The Future of IAM Is Continuous and Contextual
In constant attempts to better get their arms around - and manage - identities and access, organizations are discovering that previous approaches have not kept pace with the needs of today. In prior times, validating that an identity could log in to a service – or an account – seemed adequate to then move on to another concern. We have come to realize since then that there are better means to ensure more confidence in justified access than a one-time check at the time of login.
What started as a simple blog post from Google has rapidly ballooned into an industry movement. Major vendors continue to implement the Continuous Access Evaluation Protocol / Profile (CAEP) and analysts, practitioners, and decision makers agree that it is critical to the future of zero-trust. CAEP’s non-prescriptive nature makes it easy for anyone to implement their own policies and the Shared Signals Framework makes communicating changes efficient and nearly instantaneous. A future powered by Shared Signals and CAEP enables enterprises and vendors to break information silos to create a highly secure least-privilege access outcome.
In 2023, momentum will only accelerate for technologies and standards that offer continuous evaluation of access, identity and credential information, as vendors, buyers, evaluators, and industry experts continue to optimize and influence the ways we manage identities and access.
By 2026, 70% of identity-first security strategies will fail unless organizations adopt context-based access policies that are continuous and consistent 1.
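The difference between a one-time login check and continuous evaluation, as an added example (not code from the original post or from any vendor): a receiver processes the decoded claims of a CAEP session-revoked Security Event Token, and the per-request check honours it while the login-time check does not. The issuer, audience, class and method names are assumptions made for the illustration, and signature verification of the token is assumed to have happened already.

```python
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
TRUSTED_ISSUER = "https://idp.example.com"     # assumed transmitter (hypothetical)
RECEIVER_AUDIENCE = "https://app.example.com"  # assumed receiver (hypothetical)


class SessionStore:
    """Hypothetical in-memory session store acting as a Shared Signals receiver."""

    def __init__(self):
        self.sessions = {}        # session_id -> {"email", "issued_at"}
        self.revoked_before = {}  # email -> cutoff timestamp taken from the signal
        self.seen_jti = set()     # SET identifiers already processed

    def login(self, session_id, email, now):
        self.sessions[session_id] = {"email": email, "issued_at": now}

    def allowed_login_time_only(self, session_id):
        # Legacy model: once logged in, access stays valid.
        return session_id in self.sessions

    def allowed_continuous(self, session_id):
        # Re-evaluated on every request against the latest received signal.
        session = self.sessions.get(session_id)
        if session is None:
            return False
        cutoff = self.revoked_before.get(session["email"])
        return cutoff is None or session["issued_at"] > cutoff

    def receive_set(self, claims):
        # `claims` is the decoded payload of a SET whose signature is assumed
        # to have been verified already (verification is out of scope here).
        if claims.get("iss") != TRUSTED_ISSUER:
            return "rejected: issuer"
        aud = claims.get("aud")
        if RECEIVER_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
            return "rejected: audience"
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            return "rejected: replay"
        event = claims.get("events", {}).get(SESSION_REVOKED)
        if event is None:
            return "ignored: unsupported event"
        subject = event.get("subject", {})
        email, ts = subject.get("email"), event.get("event_timestamp")
        if subject.get("format") != "email" or not email or not isinstance(ts, int):
            return "rejected: malformed event"
        self.seen_jti.add(jti)
        self.revoked_before[email] = max(ts, self.revoked_before.get(email, 0))
        return "revoked"
```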
Individuals Will Be Held Culpable for Breaches
For as long as we are storing secrets, bad actors and those with harmful intent will target this data. Despite considerable efforts, breaches will continue to occur, and companies will continue to go to great lengths to make these heinous acts as difficult as possible. Recently, we have seen culpability make its way into the conversation following unfortunate events, even to the point of litigation and individual accountability. One such filed complaint alleged that defendants made false statements and/or concealed:
(i) inadequate cybersecurity controls; (ii) as a result, were vulnerable to data breaches; (iii) ultimately experiencing a data breach caused by a hacking group, which potentially affected hundreds of customers; (iv) failed to disclose and subsequently downplayed the severity of the data breach; (v) all the foregoing, once revealed, was likely to have a material negative impact on the business, financial condition, and reputation; and (vi) as a result, the Company's public statements were materially false and misleading at all relevant times.
In 2023, we will continue to see post facto guilt being placed (or forced) onto individuals, not just companies, even if they have taken steps to protect access to their own business environments. Security incidents are now placing legal liabilities on the parts of organizations - and even specific roles within companies - that we look to most to protect sensitive information (e.g., the CISO). Unfortunately, we expect to see this litigious nature persist this year.
Regulatory Changes Will Take Place That Directly Affect Global Strategies
In many vertical markets (Financial Services, Healthcare, Government, and Insurance, to name a few), regulation and compliance are key business drivers. This is especially true when it comes to how organizations within these categories are approaching data security and identity and access management (IAM). The question of who can access information is starting to be enhanced by also asking who should have access and why.
We have already seen the changing regulatory landscape affecting business priority and global strategies - from privacy rights of consumers to data protection. This includes SEC-proposed drafts to set more stringent and detailed outlines for cybersecurity disclosure, such as reports on attacks and risk management, governance and strategy.
It is not revolutionary to identify that requirements that are mandated by governing bodies often disrupt plans previously made. This is not something that will cease in 2023.
With an ever-growing number of businesses “going global” based on remote work, omnipresent connectivity, and democratization of access, lines have blurred among previously established regulatory requirements, and they require new ways of thinking. The world is flatter than ever before, and with it will come regulations [hopefully] better attuned to the modern workforce and its way of work.
Revenue Generating Lines of Business Will Influence IAM Policies More Directly
As Zero Trust, Identity-first Security, and other frameworks proliferate across businesses, the most forward-thinking organizations and teams - notably teams outside IT and InfoSec - will realize benefits and competitive differentiation by leaning into IAM strategies themselves.
Information Security has become an obvious requirement (hopefully, at this point) in the processes by which Lines of Business evaluate how they perform day to day activities (and the applications and workflows they use in doing so). Subsequently, customers now request and require their vendors to take certain security measures that may have been thought of as hypercautious in the past. On any RFP, vendors are being asked what steps they take to best secure their own environments so that customers can be as comfortable as possible selecting them and trusting them as custodians of their own information.
We already see IAM approaches surfacing in vendor questionnaires; companies who maintain more finely grained access control will competitively differentiate themselves from those who do not. Customers evaluating services will select those providing this type of visibility in a clearly presentable way over those who do not 2.
This year, more than any before, Identity and Access Management postures will be propelled forward by revenue generating Lines of Business - not just IT or IS - rather than seen as unnecessary speed bumps or roadblocks. As customers clearly require vendors to adhere to a level of expectations with respect to IAM, go-to-market strategies will take steps to improve - and then proactively promote - their own IAM policies.
Incomplete Solutions in the Market Provide a Fertile Ground for Innovative Startups to Solve Modern Problems
As mentioned in previous posts, including Looking Back: Identity & Access Management in 2022, due to external factors like remote work and democratization of data, IAM solutions (specifically in Authorization (AuthZ)) have not kept pace with the speed of the modern enterprise. This is precisely the rich opportunity for new offerings that can step in to address the needs of the modern workforce.
There is already evidence of a strong push forward in IAM and AuthZ, neither of which is a novel market, yet new developments and conditions have created new challenges. As Clayton Christensen famously posits in The Innovator’s Dilemma, “Disruptive technologies typically enable new markets to emerge.” Conversely, however, we are seeing disruptive market conditions drive the need for innovative solutions.
Many of us work in entirely different ways, locations, methods of communication, dress codes (lol) than we did just a year or two ago. While on the one hand this creates uncertainty and difficulty, pioneers see these conditions as ripe for new approaches and offerings. Our uncertain economic conditions (globally), unpredictable political landscape, and fluctuating regulation and compliance create needs that are nearly impossible for legacy products to adequately address; the clear opportunity exists in 2023 for new offerings to step up.
It’s an exciting time to be in Cybersecurity and Risk, more specifically Identity and Access Management! The abundance of technology advances that have made it possible for the modern workforce to adopt a new way of working has presented novel challenges for our category and others. Ultimately, those who can provide forward-looking solutions that align with the market needs of today are the offerings that will succeed and thrive.
I look forward to seeing how 2023 - and beyond - plays out!
DISCLAIMER: These are predictions, not guarantees; we’d love to hear more about what you expect in IAM in 2023.
1 Gartner, Identity-First Security Maximizes Cybersecurity Effectiveness, By Rebecca Archambault, Felix Gaehtgens, James Hoover, Ant Allan, 7 December 2022
2 For example, Walmart recently hosted its first-ever cybersecurity media day with reporters in early January at its Bentonville, Arkansas headquarters.