Posts

IAM Metrics That Actually Matter: Proving Risk Reduction and Value to Every Level of the Organization

I have been in information security for more than twenty years, and one of the conversations I have had more times than I can count goes something like this: the security team has spent eighteen months building out an identity and access management program. They have deployed a new IGA platform, cleaned up thousands of orphaned accounts, enforced multi-factor authentication across the enterprise, and automated the joiner-mover-leaver lifecycle. And then someone in the CFO’s office asks a simple question: what did we actually get for that investment? If your answer is a technical presentation about policy enforcement rules and connector configurations, you have already lost the room. If your answer is a blank stare because you never built a metrics framework to begin with, you have lost the budget cycle too. IAM is one of the highest-value security investments an organization can make. Identity is the new perimeter. Credential-based attacks are the dominant breach vector. And access...
Recent posts

IAM for AI Agents: Why Your Identity Program Isn't Ready

AI agents are multiplying inside enterprise environments faster than identity governance programs can track them. They are being deployed by developers, operations teams, and business analysts — often without security involvement, without formal registration, and without the kind of access scoping discipline that any human identity would require. The service accounts they run under accumulate permissions. The credentials they use do not rotate. The ownership of those identities is tied to whoever built the agent, and when that person moves on, the agent keeps running with nobody accountable for what it can access or what it is doing. This is not a theoretical future risk. It is the current state in most organizations that have started adopting AI automation in any meaningful way. And it represents a significant gap in the IAM frameworks most security programs are built around — because those frameworks were designed for human identities, and AI agents are something fundamentally differ...

Zero Trust — From Concept to Board Room Post 4 of 4

Blog Series: Zero Trust — From Concept to Board Room, Post 4 of 4
A Practical Guide for InfoSec Professionals, Aspiring CISOs, and New Security Leaders

We have covered a lot of ground in this series. We started with the business case and the executive conversation. We went deep on the five pillars and what each one actually demands from your architecture. And in the last post we worked through how to use CISA’s maturity model to assess your current state honestly, identify your most consequential gaps, and define a target state that reflects your organization’s actual risk profile. Now we build the roadmap. And we execute it. This is where the work becomes real. Everything in the first three posts was preparation for this moment — the moment you have to translate a framework, an assessment, and a set of targets into a concrete plan with timelines, owners, dependencies, milestones, and a narrative that leadership will fund and support over a multi-year horizon. That translatio...

Zero Trust — From Concept to Board Room Post 3 of 4

Blog Series: Zero Trust — From Concept to Board Room, Post 3 of 4
A Practical Guide for InfoSec Professionals, Aspiring CISOs, and New Security Leaders

In the first two posts of this series we covered what zero trust is, why it matters, how to win executive and board support for it, and how each of the five pillars works. If you have read those posts, you now understand the architecture. What you may not yet know is where you stand within it. That is what this post is about. Understanding zero trust conceptually is one thing. Knowing your actual current posture — what you have already built, where the gaps are, and how far you realistically are from where you need to be — is something else entirely. That knowledge is what drives everything that comes next: your roadmap, your investment priorities, your sequencing, and your executive narrative. You cannot build a credible program without it. CISA’s Zero Trust Maturity Model gives us the framework to do that assessment with pre...