CISOs on Identity Security Maturity in the Enterprise

Hannah Young · September 26, 2023 · 5 min read

Security maturity refers to an organization’s ability to mitigate threats before they happen. It’s typically measured through various frameworks, guidelines, and tools (e.g., NIST’s Cybersecurity Framework), but how does this specifically relate to identity security, and what does maturity actually mean for CISOs?

image of Chris Castaldo and Tanner Randolph

To answer these questions, we sat down with Chris Castaldo (CISO, Crossbeam) and Tanner Randolph (CISO, Applied Systems) to ask them about security maturity and identity (in tandem with our new diagnostic quiz: “How mature is your security org?”).

Identity Security Maturity

Comic (image by xkcd): "If someone steals my laptop while I'm logged in, they can read my email, take my money, and impersonate me to my friends, but at least they can't install drivers without my permission."

In terms of what sets identity security maturity apart from the rest of infosec, “it’s unique because it’s directly impacting the users,” Chris Castaldo comments. “Your identity is really your first experience at a company.” He continues on this thread of user experience: “If you've worked pretty much anywhere, you’ve probably seen that cybersecurity does not put user experience first all the time. And I think that's a really critical thing to get really, really right from the start. That way, once you've got a really good experience, it's a little easier to secure that experience.”

In terms of actually breaking identity maturity down, “it’s an ongoing struggle for probably every CISO,” Tanner Randolph remarks. “I think at a high level: does everybody have a consistent identity? Do you know who that identity belongs to? Can you track it? What's the life cycle of that identity from end to end? How is that being used? And then, if you can understand how it's being used, can you intervene when it's being abused / can you act against those things? I think if you're going to break identity maturity down, that's how I would do it.”

Measuring Security Maturity

A few of the countless frameworks dedicated to security maturity

Frameworks are tools that offer a structured foundation for evaluating an org's security posture, with the end goal of improving the maturity of your security program. However, like any tool, they’re not a panacea. To figure out what frameworks actually are and how best to use them, it helps to look at what they shouldn’t be.

One concern is that without context, frameworks just become a way to compare different enterprises. “I've always gotten the request of ‘how do we compare to other companies?’; I think that is the wrong mindset,” Castaldo says. “You can't just say, ‘oh, here's another tech company that’s about the same number of people, similar product, let’s do what they’re doing.’ Security really needs to be situated in the context of the business and asking questions like ‘What are we securing at the end of the day? What are our responsibilities to our employees, to our customers?’”

"How mature is your security org?" quiz with the caption "understanding your security maturity is key to protecting your organization from threats. Take this quiz to learn how Crosswire can help you level up your security stack."

Frameworks or check-ins like Crosswire’s quiz on "How mature is your security org?" “give people a starting point,” says Castaldo. “‘What’s measured is managed,’ but you also should focus on which measurements help your business make a risk-based decision.”

So, where do you go from this starting point to avoid pitfalls? For Randolph, it’s technologies. “Technology is really about getting fundamentals right,” he says. “So, I think frameworks can represent different levels, but they're more or less different levels horizontally instead of vertically; we're always working on that base-level identity. [Frameworks] are usually designed in a circular fashion, and the idea there is that there needs to be continuous improvement. I think sometimes that idea gets lost and people lose focus; ‘we're going to connect this thing, get it to business as usual, and then we're going to move on to the next thing and never come back to this ever again,’ is not the point of frameworks.”

How do you effectively bolster your identity security maturity?

To answer this question, Castaldo advises, “focus on the absolutely bare minimum critical things first. There’s the old adage of ‘companies have a crunchy outside and soft inside,’ like your exterior is really bolstered, but once you're inside, there're no security controls. Start with the things that matter most.”

Image of something with a hard shell and a soft inside, captioned "crunchy on the outside, gooey on the inside"

In terms of what matters most, “‘Crown Jewels’ is the terminology we use, and that could be data, access to a system… the recipe for Coke,” Castaldo laughs. “You start with where those things live, controlling that, and then asking: ‘What does it live on (database, server, cloud environment)?’ and ‘Who has access to it (the identities and access to those systems)?’ If you break it up that way, you can start with putting the most controls (more protections, more defenses, more checks) on a fraction of your identities rather than trying to apply everything across the entire business from the start.”
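The prioritization Castaldo describes (start from the crown jewels, ask what they live on and who can reach them, then concentrate controls on that fraction of identities) can be made concrete as a small inventory walk. The following is an added example, not code from the post or from Crosswire; the assets, systems, identities and control names are constructed sample data, and the control sets are illustrative choices rather than any framework's prescription.

```python
"""Added example: map crown-jewel assets -> hosting systems -> identities with
reach, so the heaviest identity controls land on a fraction of identities first.
All names below are constructed sample data, not real systems or people."""

# Constructed asset inventory: each asset records the system it lives on
# (the "what does it live on?" question) and whether it is a crown jewel.
ASSETS = {
    "customer-pii-db": {"system": "prod-postgres", "crown_jewel": True},
    "payroll-export": {"system": "hr-s3-bucket", "crown_jewel": True},
    "marketing-site": {"system": "web-cdn", "crown_jewel": False},
}

# Constructed access grants: identity -> systems it can reach
# (the "who has access to it?" question). Service accounts count too.
ACCESS = {
    "alice@example.com": {"prod-postgres", "web-cdn"},
    "bob@example.com": {"web-cdn"},
    "svc-backup": {"prod-postgres", "hr-s3-bucket"},
    "carol@example.com": {"hr-s3-bucket"},
}

# Illustrative control sets (assumption, not a framework requirement):
# everyone gets the baseline; crown-jewel reach earns the heavier set.
BASELINE_CONTROLS = {"mfa"}
CROWN_JEWEL_CONTROLS = {
    "mfa",
    "phishing-resistant-mfa",
    "quarterly-access-review",
    "session-logging",
}


def crown_jewel_systems(assets=ASSETS):
    """Systems that host at least one crown-jewel asset ("where it lives")."""
    return {a["system"] for a in assets.values() if a["crown_jewel"]}


def identities_with_crown_jewel_reach(assets=ASSETS, access=ACCESS):
    """Map each identity that can reach a crown-jewel system to those systems."""
    targets = crown_jewel_systems(assets)
    reach = {}
    for identity, systems in access.items():
        hit = systems & targets
        if hit:
            reach[identity] = sorted(hit)
    return reach


def priority_fraction(assets=ASSETS, access=ACCESS):
    """Share of all identities that need the heavier controls first."""
    return len(identities_with_crown_jewel_reach(assets, access)) / len(access)


def control_plan(assets=ASSETS, access=ACCESS):
    """Assign the heavier control set only to identities with crown-jewel reach."""
    priority = identities_with_crown_jewel_reach(assets, access)
    return {
        identity: sorted(CROWN_JEWEL_CONTROLS if identity in priority else BASELINE_CONTROLS)
        for identity in access
    }


if __name__ == "__main__":
    for identity, systems in identities_with_crown_jewel_reach().items():
        print(f"{identity}: reaches crown jewels on {systems}")
    print(f"{priority_fraction():.0%} of identities get the heavier controls")
    print(control_plan())
```

In a real environment the two dictionaries would be populated from the asset inventory and the identity provider's group and role assignments; the walk itself stays the same, and the output is the short list of identities to harden and review first.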

Randolph’s advice on improving security maturity doubles as his favorite part of being a CISO. “I put a lot of focus and pressure on myself and my teams to be really good at operations,” Randolph says. “Part of it is the belief that logistics really make the difference from end to end. So, even though I'm in security, I love really really well-run logistics operations. I love trying to figure out what the most efficient way for us to get from A to B is and make sure we're getting everything done that we need to.”

When asked what kinds of technologies are best to complement these frameworks for identity, Randolph replies, “I think there's a lot of good technology out there (like underlying identity providers), but you need the logs to understand where all these things can be used, right? So that's either your old-fashioned SIEM or it's in one of the newer ITDR platforms. I think if you have those basics, you can get a lot done and know a lot about how your identities are being used.”
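Randolph's two points, that identity maturity means knowing how each identity is used and being able to intervene when it is abused, and that the logs in a SIEM or ITDR platform are what make that possible, can be illustrated with a small pass over sign-in logs. The following is an added example, not code from the post, Crosswire, or any identity provider; the JSON-lines log shape, field names, thresholds and sample events are all constructed assumptions, and a real deployment would read the provider's actual log format.

```python
"""Added example: build a per-identity usage profile from sign-in logs and
flag two abuse patterns (a burst of failures followed by a success, and a
country change within a short window). Log lines are constructed sample data
in a generic JSON-lines shape, not any vendor's format."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice signs in from two countries a minute apart,
# bob succeeds right after five failures, carol looks normal.
SAMPLE_LOG = """
{"ts": "2023-09-25T08:00:00Z", "user": "alice@example.com", "outcome": "success", "country": "US"}
{"ts": "2023-09-25T08:05:00Z", "user": "alice@example.com", "outcome": "success", "country": "US"}
{"ts": "2023-09-25T08:06:00Z", "user": "alice@example.com", "outcome": "success", "country": "RO"}
{"ts": "2023-09-25T09:00:00Z", "user": "bob@example.com", "outcome": "failure", "country": "BR"}
{"ts": "2023-09-25T09:01:00Z", "user": "bob@example.com", "outcome": "failure", "country": "BR"}
{"ts": "2023-09-25T09:02:00Z", "user": "bob@example.com", "outcome": "failure", "country": "BR"}
{"ts": "2023-09-25T09:03:00Z", "user": "bob@example.com", "outcome": "failure", "country": "BR"}
{"ts": "2023-09-25T09:04:00Z", "user": "bob@example.com", "outcome": "failure", "country": "BR"}
{"ts": "2023-09-25T09:05:00Z", "user": "bob@example.com", "outcome": "success", "country": "BR"}
{"ts": "2023-09-25T10:00:00Z", "user": "carol@example.com", "outcome": "success", "country": "US"}
"""

# Illustrative thresholds (assumptions; tune to the environment's baseline).
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse JSON lines into event dicts with aware datetimes, oldest first."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def usage_profile(events):
    """Answer "how is this identity being used?": counts and countries per user."""
    profile = defaultdict(lambda: {"logins": 0, "failures": 0, "countries": set()})
    for e in events:
        p = profile[e["user"]]
        if e["outcome"] == "success":
            p["logins"] += 1
            p["countries"].add(e["country"])
        else:
            p["failures"] += 1
    return dict(profile)


def find_failure_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Flag a success preceded by >= threshold failures inside the window."""
    findings = []
    recent = defaultdict(list)  # user -> timestamps of recent failures
    for e in events:
        user = e["user"]
        if e["outcome"] == "failure":
            recent[user].append(e["ts"])
            continue
        in_window = [t for t in recent[user] if e["ts"] - t <= window]
        if len(in_window) >= threshold:
            findings.append({"user": user, "rule": "failure_burst_then_success",
                             "failures": len(in_window), "ts": e["ts"].isoformat()})
        recent[user] = []  # a success closes the burst either way
    return findings


def find_country_changes(events, window=TRAVEL_WINDOW):
    """Flag consecutive successful sign-ins from different countries within window."""
    findings = []
    last = {}  # user -> previous successful event
    for e in events:
        if e["outcome"] != "success":
            continue
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            findings.append({"user": e["user"], "rule": "country_change_within_window",
                             "from": prev["country"], "to": e["country"],
                             "ts": e["ts"].isoformat()})
        last[e["user"]] = e
    return findings


def detect(text=SAMPLE_LOG):
    """Run both rules over the log; each finding names the identity to act on."""
    events = parse_log(text)
    return find_failure_bursts(events) + find_country_changes(events)


if __name__ == "__main__":
    for user, p in usage_profile(parse_log(SAMPLE_LOG)).items():
        print(user, p)
    for f in detect():
        print("FINDING", f)
```

Each finding carries the identity it concerns, which is the hook for the "can you intervene?" half of Randolph's question: the same record can drive a session revocation or a step-up prompt through the identity provider, and the usage profile is the baseline those thresholds should be tuned against.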

To stay up to date with Crosswire and hear more about what we can do to bolster your security maturity through our ITDR solution, contact us for a demo here and subscribe to our blog below!
