“Without data, you’re just someone with an opinion.”
It’s a modern take on Peter Drucker’s timeless principle: you can’t manage what you don’t measure. If you don’t have the visibility to understand your problem, how can you possibly solve it? Do you even know what the problem really is?
This is the dilemma facing cybersecurity professionals today. Over the last year, the industry has finally recognized that identity security isn’t just important—it’s fundamental to cybersecurity. Yet most organizations still lack real visibility or meaningful data to quantify their exposure. When I was CIO for a large consultancy, I found myself and my team in exactly that position a few years ago.
The visibility gap in identity protection
My IT team was highly data-driven. We had robust reporting across operations—program management, service management, availability, and more. Cybersecurity reporting was similarly mature in areas like perimeter protection and vulnerability management.
But when it came to the identity layer, reporting was thin. My fundamental question, “how exposed are we?” remained unanswered. This lack of insight was simply accepted as “the best we can do.”
We believed our strong perimeter defenses, backed by skilled teams, a global SOC, SIEM systems, and ITDR, kept us safe. That belief evaporated the moment the Red Team arrived.
The wake-up call
For the uninitiated, a Red Team—defined by NIST as “a group of people authorized to emulate a potential adversary’s attack”—tests how far an attacker can penetrate your defenses, ideally without setting off any alarms. Their ultimate prize is obtaining administrative access to your whole domain.
In our case, the Red Team’s entry point was a cleverly crafted phishing attack. Despite regular internal phishing drills, a small percentage of users still clicked—and that was enough.
What followed was more alarming. Despite our state-of-the-art defenses, the Red Team operated undetected for weeks. No alerts reached the SOC, lost in the tsunami of SIEM data. The exercise ended only when they chose to stop. By then, they’d achieved domain access via a long-forgotten privileged account.
The harsh reality
We had just completed a five-year, multimillion-dollar cyber uplift program with top-tier tools. Yet a skilled adversary still broke through—because we couldn’t prevent credential misuse.
Since then, I’ve seen the same story play out across many organizations, regardless of their sophistication. If you think you’re immune to this threat but can’t prove it with data, you’re betting on hope—and hope is not a strategy.
What we learned
- Identity protection is fundamental.
Perimeter defenses are essential, but what happens after a breach is what truly matters. Breaking a window is bad; losing all your valuables is worse. In every attack, the misuse of privileged credentials is the key to that loss.
- Quantify your risk.
Opinions about security posture are not enough. Back them with data. Commission a Red Team exercise that tests not only your perimeter but also your internal identity defenses. Quantifying your risk gives you a fighting chance to mitigate it.
- Visibility is everything.
Many identity stores have evolved over decades, often hiding legacy risks. You must be able to identify high-risk accounts across all systems from a single pane of glass. Without this, your team is fighting blind.
- Cover the basics.
You may believe you have full MFA coverage, but chances are, you don’t. Legacy systems, file shares, and command-line tools often lack MFA support and become easy entry points. Similarly, ring-fencing non-human identities so they can only be used where intended is vital.
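One way to turn the lessons above into numbers, added here as an illustration (it is not code from the author or from any product): the script scores a merged account inventory for forgotten privileged accounts, human accounts without MFA, and service accounts seen outside their intended hosts. The column names, the 180-day threshold and the sample rows are assumptions constructed for the example.

```python
import csv
import io
from datetime import date

# Constructed sample: one row per account, merged from every identity store.
INVENTORY = """account,kind,privileged,mfa,last_logon,allowed_hosts,seen_hosts
alice.admin,human,yes,yes,2025-05-28,,ws-014
old.da-backup,human,yes,no,2021-03-02,,
svc-sql,service,yes,no,2025-06-01,db01,db01;ws-233
bob,human,no,no,2025-05-30,,ws-101
svc-print,service,no,no,2025-06-01,print01,print01
"""
STALE_DAYS = 180  # assumed cut-off for a "long-forgotten" account

def hosts(field):
    return {h for h in field.split(";") if h}  # ignore empty entries

def assess(row, today):
    """Findings for one row; an account that never logged on counts as stale."""
    findings = []
    privileged = row["privileged"] == "yes"
    last = row["last_logon"]
    idle = (today - date.fromisoformat(last)).days if last else STALE_DAYS + 1
    if privileged and idle > STALE_DAYS:
        findings.append("stale-privileged")
    if row["kind"] == "human" and row["mfa"] != "yes":
        findings.append("privileged-no-mfa" if privileged else "no-mfa")
    if row["kind"] == "service":
        outside = hosts(row["seen_hosts"]) - hosts(row["allowed_hosts"])
        if outside:  # used somewhere it was never meant to be used
            findings.append("outside-fence:" + ",".join(sorted(outside)))
    return findings

def exposure_report(text, today):
    """Summarise identity exposure as numbers a team can track over time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    flagged = {r["account"]: f for r in rows if (f := assess(r, today))}
    priv = [r["account"] for r in rows if r["privileged"] == "yes"]
    humans = [r for r in rows if r["kind"] == "human"]
    return {
        "flagged": flagged,
        "privileged_total": len(priv),
        "privileged_at_risk": sum(a in flagged for a in priv),
        "humans_with_mfa": sum(r["mfa"] == "yes" for r in humans),
        "humans_total": len(humans),
    }

if __name__ == "__main__":
    print(exposure_report(INVENTORY, date(2025, 6, 2)))
```

Run against a real export on a schedule, the same counts show whether the share of privileged accounts at risk is actually falling.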
"Misuse of privileged accounts—human or not—is at the heart of most successful attacks."
A lightbulb moment
The turning point came shortly after our Red Team exercise, when I discovered the Silverfort platform. It was a revelation for both me and my CISO.
Our proof of concept confirmed it: while the Red Team could still gain initial access, they were unable to move laterally or cause damage. Even more importantly, we finally had the visibility into our identity stores that had been missing for years—a huge leap forward in reducing cyber risk.
You can’t protect what you can’t see
The lesson from my experience—and from countless others since—is clear: you can’t secure what you can’t see. Identity has become the new battleground of cybersecurity, and yet it remains the least measured and most misunderstood domain. Without quantifying your identity risk, your organization is effectively navigating blindfolded, relying on assumptions and opinions instead of evidence.
Real-world testing, continuous visibility, and actionable data are what separate the organizations that think they’re secure from those that truly are. The ability to see, measure, and understand how identities are used—and misused—across your environment transforms security from reactive to proactive.
By quantifying identity risk, you don’t just expose weaknesses—you empower your team to make informed decisions, prioritize effectively, and close the gaps that attackers exploit. In cybersecurity, that’s the difference between hoping for the best and confidently defending what matters most.