I recently conducted a webinar with BeyondTrust where I discussed why privileged access management (PAM) is the keystone of modern identity and access security, and a necessary defense strategy within the realities of today’s threat landscape. Our goal was—and still is here, in this blog—to develop a deep understanding of how and why this component is so critical to effective cybersecurity, as well as to highlight those factors which make PAM implementation projects more likely to succeed.
BeyondTrust has recently, and helpfully, produced their own guide to this topic (which you can download here), but in this blog, my aim is not only to explore those must-have objectives, but to extend that understanding by sharing the practical steps and potential roadblocks from my own hard-won experiences, solutions, and, let's be honest, failures.
What are the key contributors to effective cybersecurity?
Imagine having the opportunity to refine your practical cybersecurity skills in over 50 commercial environments. That is how much of my initial experience was accrued, working as a global supplier security auditor, tasked with applying sometimes impractical suggestions on behalf of a Fortune 50 company in a wide range of environments.
From small family-run software operations to multi-billion-dollar cloud offerings, and from manufacturing environments to research facilities and vast office financial management settings, I have experienced firsthand the chasm of difference between theory and reality. Whether the company had two employees or more than one hundred thousand, I learned that if you take an impractical list of proposed measures into such environments, you soon understand the real key controls, as opposed to what people assume they are.
Key ingredients for effective cybersecurity
#1: Attitude and culture—not just from the top down
One insight I gained through applying rigid cybersecurity measures in various environments is that, surprisingly, the principles of effective cybersecurity are not so different across different settings. For example, no matter how large or small an organization is, it is how or if their privileged accounts are securely managed that demonstrates whether an environment is likely to be reasonably safe.
As I reviewed more and more environments it became clear that effective cybersecurity is largely built on the attitude and culture from the top, but that is not the only essential ingredient.
Frequently, I encountered resistance to the practicality of some suggestions. Sometimes this pushback was well-founded, but often, the objections I heard as to why a particular control was not viable hinted at wider infosec issues the organization needed to address.
#2: Effective engineering—and support
A fascinating pattern I observed from these reviews was the differentiating factor that enabled some companies to grow rapidly from 20 to 1,000 employees in a matter of years, while others struggled to surpass 40. Often, I revisited the same organization two or three years later, only to find that 8 out of 10 of them still grappled with the same issues. It was the 2 out of 10 that addressed their problems who were experiencing significant growth.
One of the key ingredients for growth was effective engineering. Organizations that figured out how to grow had also worked out how to create efficient, scalable processes that turned a potentially difficult task into a simple, repeatable and mostly automated workflow. But engineering alone was not enough; a good idea also needed substantial support around it.
#3: Resolving knowledge gaps
The initial impressions I received during my visits were not always reliable indicators of the company's state. A frosty reception often hinted at anxiety about potential gaps or deficiencies, while a warm welcome did not necessarily mean everything was in order.
The dynamics between the people I met revealed another pattern. In some organizations, there was marked hostility and demarcation between individuals, while in others, there was genuine camaraderie. That is not to say that where the group dynamics were great there were never any issues, but that such gaps or issues would be due to a temporary lack of knowledge about them. If you gave the right information and steps to environments that had great group dynamics, and checked back six months later, the problem would almost always be fixed.
What is the most critical element for PAM success?
Make no mistake - there is no pillar of effective information security more important than privileged access management.
You may have encountered numerous statistics that indicate the various pathways attackers use to successfully infiltrate systems, often adding up to more than 100 percent. For years, such paradoxical percentages frustrated me, as they seemed to point not towards one definitive root cause of infiltrations, but rather to a multitude of contributing factors. A single successful phishing email, or a disgruntled intern, is never the substantive cause of a successful cyber-attack. While they might be the cause of the initial infiltration or foothold, the real issue lies elsewhere.
There exists one layer of controls that, if implemented successfully, can significantly influence security outcomes. This layer pertains to how we manage, or fail to manage, those privileges that enable managerial or administrative changes to our environments. This privileged access management (PAM) is dependent on other factors, including how well we coordinate all authorized Identity Access Management (IDAM) and manage IDAM itself.
Indeed, the flurry of statistics on infiltrations can sometimes cause us to lose sight of the fact that, ultimately, nearly all attacks must gain access to or leverage a privileged account to cause damage or harm to our organizations.
And where did I go wrong? Before I was a security manager I worked as both a project and program manager. Latterly, I have had to combine my security and project skills to build programs that have jarringly reminded me of the potential pitfalls in setting up PAM projects.
Conclusion: Finding the key to cybersecurity success in your organization
Cybersecurity can seem very challenging, but in my experience, the key to success is to understand the objectives as well as all of the factors that make those objectives achievable. That is the goal I’ve set for this blog: to look at the must-have objectives and their softer real-world dependencies.
If you haven’t had the chance to watch “Key Steps of Must-Have PAM Capabilities to Secure Identities and Access,” click here to catch it on-demand, or register for “EMEIA Key Steps of Must-Have PAM Capabilities to Secure Identities and Access” here. You’ll learn more about the strategies and elements to watch for when building towards effective cybersecurity. I hope you find it a valuable way to spend an hour of your workday.
Raef Meeuwisse, Cybersecurity Expert and Author
Raef Meeuwisse is one of the most popular authors in the field of cyber-security and social engineering. Raef’s titles include the global best-seller, ‘Cybersecurity for Beginners’, the frequently evolving ‘Cybersecurity to English Dictionary’ and ‘How to Hack a Human’, an exploration of how easily we humans can be controlled and influenced. His experience includes running eight-digit security budgets, consulting on security at over 50 different organisations, designing a multi-million-pound security software platform, training as a hypnotist (yes, you read that correctly) and occasionally flying helicopters.
In addition to making public appearances at countless conferences across Europe, the UK and the US, he is also a frequent provider of commentary for multiple technology and mainstream news outlets and has appeared in Infosec magazine, ZDNet, TechTarget, TEISS and on Sky News.