Identity & Access Management. PHOTO: Cybercrime Magazine.

Identity & Access Management Report

Does Cybersecurity have an Identity Crisis? The IAM Annual Report Card Answers

Steve Morgan, Editor-in-Chief

Menlo Park, Calif. – Dec. 7, 2017

Safeguarding user identities and managing access permissions across the enterprise is one of the biggest challenges faced by CISOs (chief information security officers) and IT security teams.

Poor IAM leads to data breaches which leak personally identifiable information (PII). When that happens, it causes reputational harm. The losses can be so great they are incalculable.

Customers and partners will often shy away from or abandon organizations who suffer data breaches. The media writes extensively on PII leaks. Publicly-traded corporations may even see their stocks decline as a direct result of hacks which could have been prevented with better IAM.

The catastrophic damages of weak IAM have been witnessed by hacks on major brands including Equifax, Target, Verizon, Anthem, and Ashley Madison.



The looming GDPR deadline of May 25, 2018 — and the anticipated fines for non-compliance after that date — has spurred IAM spending, which is expected to grow at a CAGR (compound annual growth rate) of 12-15 percent over the next 5 years.

Cybersecurity Ventures predicts global spending on IAM products and services will exceed $16 billion USD annually by 2022. In a recent interview with BNN — Canada’s only all business and financial news channel — Robert Herjavec, Founder and CEO at Herjavec Group, said compliance is driving 50 percent of the cybersecurity market.

Grading the IAM Market

In this report, we look at the Identity and Access Management (IAM) market — vendors and end-users together — in an attempt to grade the progress, or lack thereof, around five key categories.

We’ve asked an expert — Ketan Kapadia, VP Identity & Access Management at Herjavec Group — to grade each category for our Annual Report Card. Kapadia has extensive hands-on experience with numerous IAM products and platforms, and he’s consulted on the topic with enterprises of varying size and industry globally over the past decade.

The IAM Annual Report Card is also a handy resource for self-examination by information security leaders and their organizations.

Digital Transformation: B+

Organizations are still in the early phases of adoption with limited scope on what digital identity transformation can truly unlock for their businesses, but the awareness level around this important initiative is high – and the focus it’s getting industry wide, give it a B+.

  • Digital transformation requires a range of tools, new processes and infrastructure investments, and the ability to manage customer, employee and partner identity data drives the effectiveness of everything involved.
  • Organizations need a way to collect, secure, and use identity data to enable access to digital resources and to fuel engagement across multiple digital channels, apps and devices.
  • IAM solutions purpose-built for the demands of digital business can help companies remain competitively nimble in the digital world.

“An IAM program is pivotal to supporting digital transformation in order to drive identity effectiveness,” says Robert Herjavec. “Slow time to value on large digital transformation initiatives is because of adoption of complex organizational processes.”

Real Time Adaptability: B

Good but not good enough. Organizations are not effectively enabling and managing real time capabilities of IAM platforms to help with effective controls around ever-changing identity management requirements.

  • Corporations and businesses will be forced to make their Identity and Access Management (IAM) Systems scalable in real time, given the extremely rapid advances made within their IT systems. The management team has to keep up with all of this.
  • If businesses fail to react in real time, it could become ripe for a major security breach to occur. Add to this complexity the drastic changes which are being brought on by the trend of BYOD. In other words, quick adaptability will be key in order to maintain pace with innovation.

“Real-time adaptability with the enablement of identity analytics is crucial to increasing an organization’s security posture and supporting risk reduction” says Atif Ghauri, VP at Herjavec Group.

“Most organizations can’t change company processes in real-time and since successful IAM solutions mirror company processes, it’s no surprise that real-time will take time as companies streamline business processes,” adds Ghauri.

Identity Relationship Management: C+

The control isn’t there. Establishing identity management for structured and unstructured data is still a challenge for organizations which hinders their ability to effectively establish relationships of identities to devices and connected things for more effective risk management across the organization. We all need to get better here.

  • Understanding the relationships between identity, devices, and connected things can enable a more effective, context based risk management strategy at every stage of the identity lifecycle. Managing these relationships throughout the identity lifecycle will allow organizations to offer the better fraud protection for users and privileged accounts

“Identity relationship management is imperative in order to understand contextual data as people, devices and “things” are assigned identities,” says Melissa Zicopula, VP at Herjavec Group.

“This rich contextual data allows organizations to make appropriate and effective decisions to support overall risk reduction,” adds Zicopula.

User Authentication Services: B

The Adoption of effective user authentication services (SSO, Federation, Multi-Factor) is on the rise; however, there is still lack of effective use and enforcement of checks and validations to reduce overall risk reduction. We have a ways to go but on the right track!

  • Effective user authentication mechanism(s) can enable organizations to drive a secure method of access critical information. Leveraging a multi-step authentication (multi-factor authentication) process will provide advanced authentication services not only leveraging basic credentials but additional contextual information to validate user authentication.

“Cloud adoption is accelerating and using single source credentials is being embraced by the user community” notes Herjavec Group’s Ghauri. “Compromised authentications have led to the majority of data breaches, and multi-factor authentication is a must.”

Identity Analytics & Artificial Intelligence: C

Still new and there’s a lack of understanding. Identity Analytics & AI is an emerging area with segregated market segments, multiple vendors and varying approaches in resolving anomalies. These programs are run typically run as silos with limited integration to IAM processes and platforms. Organizations really need a trusted advisor to help them understand how to maximize AI.

  • Often with data breaches it’s not the management of the identity that causes the breach, but the transfer of credentials to some unknown party. While least privilege access control does afford some protection here; however, there are still shortfalls. Identity management and access control have always been two sides of a coin, but in the future of Identity Analytics with AI as a backbone will be the glue to bind them together to much greater effect.
  • Identity Analytics with AI offers the potential for intelligent, real-time security to implement fine-grained access control for a user or a privileged account
  • Adding behavioral factors, real-time analytics and real-time risk analysis will help organizations increase their overall security posture

“Leveraging big data and advanced analytics provides a risk-based approach for driving IAM profiles” according to Zicopula.”

“Analytics goals are on every whiteboard in corporate America, but they simply aren’t specific enough,” says Robert Herjavec. “To keep afloat in the sea of data companies collect, Identity Analytics must get down to the nitty-gritty detail.”

IAM Tutoring Available

When it comes to IAM, are you a straight A student? Or, do you need to bring your grades up in one or more categories?

Excessive employee access is one of the fastest growing unmanaged risks to the protection of critical enterprise data and information assets. IAM is complicated, and organizations often need help. Kapadia and Herjavec Group are available to help assess, implement, or enhance your IAM.

To connect with IAM expert Ketan Kapadia, or to learn more about Herjavec Group’s Identity & Access Management practice, get in touch with them here.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.


At Herjavec Group, information security is what we do. Supporting your IT Security Lifecycle drives our business and your infrastructure’s protection is our only priority. We are an expert team of highly dedicated security specialists, supported by strategic and emerging technology partners, who are laser focused on information security for our enterprise customers.

Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity solutions and services to enterprise organizations. Herjavec Group delivers SOC 2 Type 2 certified managed security services globally supported by state-of-the-art, PCI compliant, Security Operations Centres (SOC), operated 24/7/365 by certified security professionals. This expertise is coupled with leadership positions across a wide range of functions including consulting, professional services & incident response. Herjavec Group has offices globally including across Canada, the United States, and the United Kingdom.