Published 1 December 2023 – 20 min read
By Analyst(s): Michael Kelley, Rebecca Archambault, Nathan Harris, Henrique Teixeira,
Oscar Isaka.
As the world inexorably moves toward identity-first security approaches, the responsibilities and requirements of the IAM leader will continue to evolve. We have defined several possible predictions for how an IAM leader will function, in and out of the C-suite, during the upcoming years.
Overview
Key Findings
■ The disciplines, practices and technologies known collectively as identity and access management have evolved into enablers for business and the core control plane for cybersecurity.
■ IAM’s evolution is affecting the ways that IAM teams function and, in particular, how the roles of security and risk management leaders responsible for IAM are changing.
■ IAM will no longer be relegated to one technology tower in the overall IT infrastructure group of most businesses; instead, it will deliver foundational capabilities for all of IT.
■ IAM leaders will evolve in different directions, depending on the organization, each with increased responsibility, visibility and influence.
Recommendations
Organizations with heavy IAM investments in people, processes and technology should:
■ Elevate the IAM leader’s role to include other C-suite roles. A chief identity officer role will focus on the delivery of cybersecurity and business outcomes, with sole accountability and responsibility for identity-first security.
■ Set up the IAM leader for success by requiring additional direct and dotted line reports that reflect business and cybersecurity responsibilities.
■ Ensure that IAM leaders will deliver IAM as a set of products, rather than a service, by giving them responsibility for the financial results of the service, in addition to the normal requirements of availability and security.
■ Change IAM metrics to support this new dynamic. Be prepared to reflect a holistic view of the success of the IAM leader by adding business outcome measurements to the traditional performance and availability metrics.
Strategic Planning Assumptions
■ By 2026, 25% of identity and access management (IAM) leaders will be responsible for both cybersecurity and business results, operating from the C-suite as chief identity officers (CIDOs).
■ By 2027, 45% of IAM leaders will be promoted into executive roles, due to increased demand for effectiveness of compliance with regulations involving identity breaches.
■ By 2026, IAM leaders who address IAM as a set of products will accelerate capability improvements and increase business value from IAM initiatives by 25%.
■ Through 2026, 40% of IAM leaders will take over the primary responsibility for detecting and responding to IAM-related breaches.
Analysis
What You Need to Know
As the world prioritizes identity-first security over the classic “perimeter-first” approach, significant changes have been happening to organizations. With IAM moving to the forefront of cybersecurity, the job of an IAM leader is quickly becoming unmanageably complex. How can security and risk management (SRM) leaders responsible for IAM manage their expanding responsibilities in these changing times? IAM leaders need a larger mandate that includes responsibility for the financial results, performance of the IAM investment and how that investment contributes to business success. This change will give them a larger role in making decisions regarding risk, cybersecurity and business enablement. It will also require them to have influence across a larger section of the corporate IT organization.
Strategic Planning Assumptions
Strategic Planning Assumption: By 2026, 25% of IAM leaders will be responsible for both cybersecurity and business results, operating from the C-suite as CIDOs.
Analysis by: Rebecca Archambault
Key Findings:
■ Chief information security officers (CISOs) are having an identity crisis. As explained in Key Behaviors Driving CISO Effectiveness, “Digital transformation, continued cloud adoption, remote-hybrid work, business technologists and AI adoption have all expanded the volume and variety of cyber-risk decisions to support.” This research highlights that most CISOs overinvest time in operational aspects, and underinvest in stakeholder relationship building and strategic planning. This lack of strategic planning, especially when organizations lack a formal IAM program, directly affects their ability to manage IAM controls that mitigate risk for their organizations. According to a recent Gartner survey, senior IT leaders continue to underestimate the level of effort required to deliver a mature IAM program. A CIDO role would provide leadership and focus to this area.
■ In a recent Gartner survey, fewer than 50% of respondents derived full value from tools for their IAM capabilities, 1 due to changing priorities of the organization that are tactically focused, without understanding that IAM is a powerful enabler. Value around productivity (i.e., single sign-on [SSO], birthright access assigned to joiners) and increased process efficiency (automatically provisioning access, providing passwordless options that result in fewer calls to the help desk) directly affects business lines. This drives customer retention and customized sales with customer identity access management (CIAM).
■ Security and business units continue to make siloed decisions to solve tactical problems without acknowledgment of the wider implications to the organization. According to the 2023 Gartner IAM Modernization Preventing Identity First Security survey, 76% of senior-level IAM, full-time roles report to CIOs, CTOs or CISOs; however, only 31% of organizations use IAM metrics to routinely drive business decisions. 1 Although IAM leaders have influence, they lack decision-making authority. A CIDO with decision-making authority is a natural progression to the C-suite.
■ IAM controls are foundational to cybersecurity. Identity threat detection and response (ITDR) focuses more attention on credential compromise and should be “top of mind” for CISOs, who typically don’t understand the complexities of IAM and don’t acknowledge that the identity is the “new perimeter.” 2
Market Implications:
Appointing a CIDO confirms that the organization is focused equally on security and business enablement, using specialized expertise to address the complexity of IAM, with a focus on the containment of credential compromise, which is the leading source of breaches. A CIDO could directly influence an organization’s broader strategy by delivering value from the significant investments made in IAM, and by introducing the cultural change needed to remove silos and embrace IAM as an enabler. Business value propositions would include user experience improvements, while enabling productivity and efficiency across businesses and products. They would also include oversight of the strategic planning needed to develop current IAM capabilities and achieve identity-first security (Identity-First Security Maximizes Cybersecurity Effectiveness). The goal will be to enable, streamline and enhance processes, with the objective of limiting technical debt and duplication.
Focusing all the responsibilities for IAM in a role with sufficient influence and authority (C-suite) will result in better success for IAM initiatives. A dedicated C-suite member (CIDO) with relationships with security and business leaders is in the best position to negotiate the value proposition and align it with IAM capabilities that can deliver desired outcomes. The major impacts of digital transformation demand a different kind of IAM leader. They require someone embedded across many areas of the organization (e.g., compliance, HR, service desk/help desk, DevOps, infrastructure and security operations center [SOC]). This requires frequent, ongoing conversations to ensure that their needs are being met, not just reactively, but proactively. These conversations will lead to more-proactive engagement and support, and more options to secure funding, along with the needed resources. It will also simplify and streamline the decision-making process for better integration into the larger ecosystem.
With credential compromise on the rise, IAM is now in the spotlight. The CIDO position is uniquely qualified to understand how a lack of IAM data hygiene, or misconfigurations, may put the organization at risk. They know where to look for gaps, and how to remediate them. They are in the position to drive the priorities of the IAM team and enable cross-domain sharing with infrastructure, DevOps, cloud centers of excellence (CCOEs) and SOC teams. This expands automation and drives innovation with the goal of protecting the organization.
Recommendations:
■ Set a goal to achieve maturity in your IAM program, by promoting the IAM leader to a leadership position (e.g., CIDO) with the responsibility for oversight and getting value for both security and business leaders. This is a formal recognition of the importance of IAM to the organization, just as finance is to a chief financial officer (CFO).
■ Define the scope, responsibilities and boundaries of the role, by starting discussions with key stakeholders. Once accountabilities and expectations have been clearly defined, they need to be communicated to the rest of the organization.
■ Empower the decision-making capabilities of IAM leaders by appointing a CIDO who will focus equally on business enablement and security. This person needs to be included in C-suite discussions, because IAM affects both business and security functions.
■ Look to the CIDO to educate the organization around the power and value of identity, as well as inspire them for innovation and automation by appointing a CIDO who is the lead facilitator, communicator and liaison.
Related Research:
The Evolution of the CISO Role — What’s Next?
Identity-First Security Maximizes Cybersecurity Effectiveness
Do We Need a Chief Identity Officer?
Poll Result: Do We Need a Chief Identity Officer?
Strategic Planning Assumption: By 2027, 45% of IAM leaders will be promoted into executive roles, due to increased demand for effectiveness of compliance with regulations involving identity breaches.
Analysis by: Henrique Teixeira, Oscar Isaka
Key Findings:
■ IAM leadership in 2023 is still very operational, with 76% of senior-level IAM full-time roles reporting to CIOs, CTOs or CISOs. Most IAM leaders (61%) are not even final decision makers in IAM investments. There are 2,662 job postings on LinkedIn looking for IAM leaders in the U.S. Ninety-eight are labeled as director/executive level; however, only 28 are executive roles.
■ The majority of organizations (66%) allocate less than 25% of their cybersecurity budget to IAM. 1 However, access management (AM) is the third-largest spending in the entire security software market, with $4.96 billion, which grew by 22.4% in 2022. It’s behind only endpoint security ($12.17 billion) and consumer security ($7.44 billion).
■ IAM teams continue to be under-resourced, because senior IT leaders continue to underestimate the amount of effort required to deliver mature IAM programs. Forty-seven percent of organizations are not adequately staffed for new projects or IAM modernization efforts, such as protection of IAM systems against attacks, including ITDR. 1
■ Protecting IAM systems against attacks is increasingly becoming the most important function in the IAM line of business (LOB) and for the overall security strategy. Most privacy regulations that initially mandated only the protection of consumer data now mandate the disclosure of breaches and security experience by the board. Often, there are strict timelines enforced by law.
Figure 1: Investments in IAM Are Not Keeping Up With Identity Breaches
Market Implications:
The big spending in AM, plus how central identity protection is to preventing, detecting and responding to breaches, is demanding that IAM leaders step up. IAM leaders will gradually be promoted into C-level roles as their budgets expand to be larger than cloud security and other traditional endpoint and network security spending.
New regulations and legal mandates regarding the disclosure of breaches are becoming more specific about the time frames within which the disclosure must happen. Determining whether a breach is material or not, and whether it poses the potential for significant harm, will depend on the ability and agility of the IAM leader in finding that answer. It will require broader visibility from the IAM leader, because material breaches, for the most part, involve misuse of user credentials and risk the exposure of user data. This agility demands more visibility and experience in the IAM practice, so that its leaders can make appropriate recommendations and decisions in a timely manner. Organizations with a stronger and more independent IAM executive who manages a healthy budget and makes the final decisions about those investments will be better equipped to respond to the growing demands of compliance with regulations. This will foster more-resilient IT infrastructures.
Recommendations:
■ Ensure that your organization’s support of breach disclosures is based on future, rather than current requirements, by hiring and promoting IAM leaders, or by upscaling the IAM training of IT and cyber executives to the appropriate executive level.
■ Apply a balanced approach to IAM investing that prepares the organization to anticipate evolving regulatory requirements, by promoting identity fabric immunity principles for prevention, as well as for ITDR.
■ Give autonomy to IAM leaders to make final decisions about IAM investments by training and supporting them to take on executive roles.
■ Enable IAM leaders to run an efficient IAM program, by properly staffing their teams to support the growing complexity of regulations for the disclosure of identity breaches.
Related Research:
State of Privacy — Regional Overview Across North America
Quick Answer: New SEC Cybersecurity Rules — What CISOs Should and Shouldn’t Do
Top Trends in Cybersecurity 2023
Market Share Analysis: Security Software, Worldwide, 2022
PIPEDA — The law requires that notification to individuals be given as soon as feasible after you have determined that a breach of security safeguards involving a real risk of significant harm has occurred. Of the 463 reported incidents, only five were cyberattack-related. The agency has concerns about under-reporting of cyberattacks by the public sector.
SEC — The SEC now mandates that a report must be made within four business days after a registrant determines that a cybersecurity incident is material.
DBIR Report 2023 — Results and Analysis: Introduction
Strategic Planning Assumption: By 2026, IAM leaders who manage IAM as a product portfolio will accelerate capability improvements and increase business value from IAM initiatives by 25%.
Analysis by: Nathan Harris
Key Findings:
■ IAM programs frequently struggle with delivering sustainable capability improvements, because most nonoperations delivery happens via time-boxed project funding (IAM is seen as operations plus projects). This approach does not adequately account for ongoing improvement and is not “agile friendly.”
■ IAM teams have not adopted agile/DevOps delivery methods at the same pace as software engineering teams or even leading I&O organizations.
■ IAM programs frequently have difficulty realizing full value from their IAM investments. More than half of organizations report implementing/using less than 50% of their IAM technologies’ capabilities. 3
■ Organizations that adopt product-centric approaches, including DevOps and value stream analysis approaches, report accelerated value delivery/value realization that is not limited to software engineering practices.
■ IAM is a set of activities for which responsibilities are commonly distributed across organizations rather than fully centralized, and product-centric delivery is more effective at delivering value via distributed teams (fusion teams).
Market Implications:
Quite simply, IT delivery is evolving, and leading IAM programs, as directed by their leaders, will also continue to evolve to:
■ Improve the tracking of delivery to business objectives/business value
■ Improve the pace of delivery (delivery acceleration)
■ Improve LOB and customer experience with IAM capabilities/services
■ Enable adoption and value realization from leading-edge market capability improvements, versus lagging in innovation adoption
In short, leading IAM program leaders will adopt top IT delivery practices that will enable them to outperform their peers in business value delivery with IAM capabilities. Central to this is the shift from the operations-plus-projects view of IAM programs to the ongoing product management (with all phases integrated and sustainability “baked in”) view of IAM programs. Because IAM technology vendors already think and deliver in terms of product management, this shift in client organization thinking will also strengthen vendor-client relationships by enabling technology vendors and technology consumers to share more of the same language. This will, in turn, accelerate shared views of the IAM technology and services markets.
This trend is not limited to agile adoption versus waterfall. An increasing number of IAM leaders and leading IAM programs will realize there is additional value from DevOps and value stream approaches to IAM capability delivery. Adoption of DevOps and value stream management will also increase for IAM programs. The product-centric approach will also give rise to an IAM program leadership approach that is more product manager and less IAM staff/team manager. This trend will be strongest in organizations for which IAM responsibilities are already highly distributed. These organizations will increasingly formalize their IAM programs for improved outcomes and adopt a product-centric program management approach without centralizing IAM functions into one organization. This will happen more frequently, because product-centric delivery is also a strong fit with fusion teams for delivery.
We do NOT predict that organizations that have largely centralized their IAM responsibilities into one team will undo this and decentralize these responsibilities. Such organizations will, in most cases, have already realized some of the benefits from IAM organization centralization. That being said, there will be an increase in organizations for which the top-level IAM leader is not a “head of org,” but is, instead, a head of IAM product management, with delivery executed via cross-org fusion teams.
Recommendations:
■ Improve value delivery for IAM programs by switching from the ops-plus-projects view of an IAM program to the portfolio of continuously improving products view. Keep abreast of more-modern IT delivery management approaches, including product management, DevOps, agile and value stream management, and continuously update your delivery process with high-value methods.
■ Organizations for which IAM delivery is not highly centralized should evaluate whether the fastest path to a modern IAM program is to proceed with org centralization. Otherwise, they can adopt a head of IAM program/product management approach to IAM leadership by managing delivery with a distributed, fusion team approach. “Somewhere in the middle” is also quite possible.
■ Improve IAM program business value results, including improved SRM, by implementing a product management methodology that tracks product delivery to business objectives (versus project delivery to point-in-time deliverables).
■ Further accelerate IAM solution delivery by including support for product-focused, agile/DevOps delivery processes in your IAM technology selection requirements. Favor vendor technology products that fully support continuous integration/continuous deployment (CI/CD) and infrastructure as code (IaC) methods.
Related Research:
How to Prepare for, and Establish, an Effective Identity and Access Management Team
IAM Leaders’ Guide to IAM Program Management
Embrace Product Centricity to Eliminate Friction for Your Customers
Fusion Teams: a Proven Model for Digital Delivery
Strategic Planning Assumption: Through 2026, 40% of IAM leaders will take over the primary responsibility for detecting and responding to IAM-related breaches.
Analysis by: Oscar Isaka and Henrique Teixeira
Key Findings:
■ IAM leaders often focus on operational metrics that do not articulate security and business value to drive accurate investment.
■ IAM leaders are not involved in security resourcing and budgeting discussions, leading to investments made in isolation within IAM operations, without alignment with the security and/or business strategy.
■ CISOs and C-level executives have limited visibility into the IAM program and how it fits into the overall security strategy and risk posture of the organization.
Market Implications:
According to the 2023 Verizon Data Breach Investigations Report, 3 49% of breaches involved credentials. Privileged misuse and stolen credentials are among the top three reported threat actions, reinforcing the importance and value of IAM in risk mitigation and breach prevention.
Metrics are the means to communicate the coverage, performance and effectiveness of a program to stakeholders. Aligning them with business requirements and security objectives provides a defensible means to justify and direct investments in the IAM program to the right areas for risk mitigation and to increase the security posture of the company. Given its complexity and tactical nature, aligning IAM metrics with risk mitigation outcomes is not a simple task; it is usually done by IAM leaders after the fact, to justify an investment that has already been made.
The outcome-driven metrics approach gives IAM a clearer means of alignment with the security objectives and the desired protection-level outcome. It provides a greater understanding of the current versus the desired state, and justifies investments in the IAM program aligned with the security objectives and, therefore, the protection of the company.
For example, outcome-driven metrics (ODMs) can be targeted toward the efficiency of privileged access management (PAM) controls and help identify potential risks in the area, enabling a quick and effective redirection of focus and investment to correct them. Furthermore, a strong metrics program provides defensibility for investments in the maturity of the identity fabric, which, combined with the traditional detection and response functionality employed by security, establishes the ITDR capability.
Recommendations:
■ Collaborate with CISOs to take ownership and obtain the right investment by establishing an ITDR capability to detect and respond to incidents related to the IAM infrastructure, providing greater risk mitigation for IAM breaches.
■ Provide visibility to the board by leveraging protection-level targets to direct investments in the IAM program aligned with the enterprise’s biggest risks.
■ Seek to break traditional IT and security silos and give key stakeholders visibility into the role IAM plays across the organization by collaborating with the CISO and aligning the IAM program and security initiatives.
Related Research:
Demonstrate Control Over User Access With IAM Effectiveness Metrics
Use Outcome-Driven Metrics to Drive Value for Identity and Access Management
Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response
A Look Back
In response to your requests, we are taking a look back at some key predictions from previous years. We have intentionally selected predictions from opposite ends of the scale — one where we were wholly or largely on target, as well as one we missed.
On Target: 2019 Prediction
Strategic Planning Assumption: By 2022, 40% of global midsize and larger enterprises will use identity and access management as a service (IDaaS) capabilities to fulfill most of their identity and access management (IAM) needs, which is up from 5% today.
Analysis by: Michael Kelley
This prediction may have been too conservative, but there is no doubt that the direction in the market is to adopt SaaS-based services for IAM. The access management and authentication markets began the migration, with many businesses choosing to adopt SaaS-based AM tools for single sign-on (SSO) and multifactor authentication (MFA). However, the identity governance and administration (IGA) market was not far behind, and, during the past several years, we have seen the PAM market similarly selling more SaaS-based products, as opposed to on-premises products. This prediction, made in 2019, certainly is on target, with more than 40% of IAM products being consumed as SaaS subscriptions across the IAM market today.
Missed: 2020 Prediction
Strategic Planning Assumption: Decentralized identity is making a debut in 2021, and will disrupt traditional methods of access for many providers, as it will be used for 25% of all bring your own identity (BYOI) logins by 2023.
Analysis by: Michael Kelley
Although we have seen continued interest in decentralized identity (DCI), and we anticipate growth in organizations leveraging this approach for users, 2023 was not the year in which 25% of all BYOI logins would use DCI. We are observing increased activity. A recent Gartner report on the DCI startup market tracked more than $250 million in investment across more than 90 companies building DCI products (see Emerging Tech: Revenue Opportunity Projection of Decentralized Identity).
And from the more established vendors, we are now seeing products being sold to end users. We are also finally seeing actual adoption of DCI products; however, we expect a few more years to pass before 25% of all BYOI logins are using DCI.
Evidence
2023 Gartner IAM Modernization Preventing Identity First Security Survey. This survey was conducted to determine how far along the market is moving toward identity-first security. It was conducted online from 9 June to 24 July 2023 among 303 respondents from North America (n = 104 in the U.S. and Canada); Latin America (n = 41 in Brazil); the Asia/Pacific (APAC) region (n = 59 in India, Australia and Singapore); and Europe, the Middle East and Africa (EMEA; n = 99 in Germany, France and the U.K.). Respondents’ organizations had $100 million or more in 2022 enterprisewide annual revenue and at least 250 employees. Respondents were required to have some involvement in their organizations’ IAM, and should be planning to have at least one among workforce, consumer or machine/nonhuman IAM in their organization during the next two years.
Disclaimer: The results of this survey do not represent global findings or the market as a whole; rather, they reflect the sentiments of the respondents and companies surveyed.
1 2023 Gartner IAM Modernization Preventing Identity-First Security
2 2023 Gartner IAM Modernization Preventing Identity-First Security
3 Verizon Data Breach Investigations Report
Recommended by the Authors
Identity-First Security Maximizes Cybersecurity Effectiveness
How a Human-First Approach Will Make Your Identity-First Security Initiative a Success
© 2023 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see “Guiding Principles on Independence and Objectivity.” Gartner research may not be used as input into or for the training or development of generative artificial intelligence, machine learning, algorithms, software, or related technologies.