Reflections from the identity frontline  

Over the last eight years, I’ve had the unique challenge of building and maturing an Identity and Access Management (IAM) program from the ground up for a large multi-national retailer with an extremely complex hybrid environment. On day one, it was just me, a laptop, and a myriad of challenges. The scale was staggering—thousands of business applications, tens of thousands of servers, nearly half a million employees worldwide, and a vast attack surface to secure with limited resources. Despite our best efforts, we constantly discovered new security risks, underscoring the dynamic nature of our identity security.

Building a strong IAM foundation 

Freedom from heavy regulation allowed me and my team to design an IAM program tailored to our unique security needs. We set about building the foundations of a successful IAM program—strong, highly automated access management for millions of accounts and their access privileges, rooted in a comprehensive inventory of identities. We implemented single sign-on (SSO) protected with multi-factor authentication (MFA) for hundreds of applications and developed technology for secure password reset, deeply tied to HR processes.

Despite these efforts, we were never fully comfortable. It seemed that behind every door we opened, we found new risks. Identity security felt like an endless cycle of plugging gaps while new ones appeared. Given the complexity of modern IT environments, even the most seemingly innocent account could become an entry point for attackers. 

Through this experience, I developed a guiding principle: security is a game of space and time. The goal is not to implement security gradually, but to make strategic investments in solutions that mitigate multiple risks at once, allowing security teams to stay ahead of threats without being buried in complexity. 

Creating space and time 

Traditional security improvements often involve small steps that each take a significant amount of time and resources while only addressing a small portion of the problem; examples include rolling out SSO or implementing Identity Governance and Administration (IGA) for business applications. No single initiative of this kind reduces identity risk to an acceptable level. Each is applied incrementally without achieving any wider benefit, and all of them require a great deal of time and resources to implement.

My challenge was to find the right investments so that my team would not have to grind through complex, deeply technical, incremental work while the organization was running with unacceptable levels of identity risk. We needed to shift the focus from individual use cases and incremental fixes to investments that solve specific problems while also providing a broad scope of protection and scalability—in other words, investments that create space and time for our teams.

The question is: how do we secure identity quickly without getting lost in complexity? 

To answer this, I believe you need to take a three-part approach to achieve complete identity security protection across your organization. 

A game of ceilings and floors: Raising the baseline of security 

As an avid sports fan, I often draw parallels between identity security and team sports. In sports, a team’s success is rarely determined by its best players; instead, it hinges on the performance of its weakest link. The ‘ceiling’ of a player represents their maximum potential performance, while the ‘floor’ is their worst performance level. 

Identity security follows the same principle: organizations must first raise their security floor before aiming for their ceiling. So, instead of focusing solely on high-end protections for select systems, the priority should be building broad, foundational security that addresses common attack vectors and security risks. 

In practice, this means implementing strong security controls and ensuring up-to-date IAM best practices are being followed by all user accounts and resources within the organization. By establishing this baseline, organizations create a resilient foundation that mitigates the most significant threats and reduces overall risk. 

It’s only after this baseline of protection has been established that security leaders can focus on elevating the ceiling with more advanced protections. At that point, high-leverage security investments that address multiple risks simultaneously can provide a multiplier effect on ROI.

By prioritizing broad, foundational security and leveraging investments that offer multiple benefits, organizations can create a comprehensive and scalable security strategy. This approach ensures that no account, no matter how “insignificant”, is left vulnerable to compromise and the entire organization is better protected against evolving threats. 

Using leverage to your advantage 

Not all security investments deliver the same value. Some controls solve isolated problems, while others create leverage by mitigating adjacent risks. High-leverage investments provide a multiplied return, reducing the urgency of solving related risks. 

In my experience, protecting all server authentication with MFA or usage restrictions (e.g., limiting service accounts according to source and destination) mitigates a host of password-related and access management risks. Poor-quality passwords, uncertainty about where your passwords are stored or written down, lack of rotation for non-human identities, and concerns about overprivileged accounts—all of these will be less urgent problems to solve if you have proper authentication protection in place. 
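The usage restriction described above can be expressed as a deny-by-default policy over server authentication events: a service account is only allowed to authenticate along the source-to-destination pairs it has been observed using, human accounts are challenged for MFA on server logons, and anything not in the identity inventory is denied. The block below is an added example written for this page, not Silverfort's code or product logic; the account names, host names and events are constructed sample data, and the "learned baseline" approach is an assumption about how such restrictions would be derived.

```python
"""Deny-by-default server authentication policy (added example, not
Silverfort's code).  Service accounts are pinned to the source/destination
pairs seen in a baseline; humans must present MFA; unknown accounts are denied.
All names and events below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthEvent:
    account: str
    source: str        # host the logon originates from
    destination: str   # server being authenticated to
    mfa_verified: bool = False


@dataclass
class Policy:
    human_accounts: set[str]
    # service account -> set of (source, destination) pairs it may use
    service_baseline: dict[str, set[tuple[str, str]]] = field(default_factory=dict)


def learn_baseline(history: list[AuthEvent]) -> dict[str, set[tuple[str, str]]]:
    """Build the per-service-account allow-list from historical (trusted) events."""
    baseline: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for ev in history:
        baseline[ev.account].add((ev.source, ev.destination))
    return dict(baseline)


def evaluate(policy: Policy, ev: AuthEvent) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'challenge'."""
    if ev.account in policy.service_baseline:
        if (ev.source, ev.destination) in policy.service_baseline[ev.account]:
            return "allow", "service account within its source/destination baseline"
        # A stolen or weak service-account password is useless from an unexpected path.
        return "deny", (f"{ev.account} used from {ev.source} to {ev.destination}, "
                        "outside its baseline")
    if ev.account in policy.human_accounts:
        if ev.mfa_verified:
            return "allow", "human account with verified MFA"
        return "challenge", "server logon by a human account requires MFA step-up"
    # Accounts missing from the inventory are the ones nobody is watching.
    return "deny", f"{ev.account} is not in the identity inventory"


def summarize(policy: Policy, events: list[AuthEvent]) -> dict[str, int]:
    """Count decisions over a batch of events (useful for tuning before enforcing)."""
    counts = {"allow": 0, "deny": 0, "challenge": 0}
    for ev in events:
        counts[evaluate(policy, ev)[0]] += 1
    return counts


# Constructed baseline: what the backup and ETL accounts normally do.
HISTORY = [
    AuthEvent("svc-backup", "backup01.corp.example", "db01.corp.example"),
    AuthEvent("svc-backup", "backup01.corp.example", "db02.corp.example"),
    AuthEvent("svc-etl", "etl01.corp.example", "dwh01.corp.example"),
]
POLICY = Policy(human_accounts={"alice", "bob"}, service_baseline=learn_baseline(HISTORY))

# Constructed live events, including a service-account credential used from a laptop.
SAMPLE_EVENTS = [
    AuthEvent("svc-backup", "backup01.corp.example", "db02.corp.example"),
    AuthEvent("svc-backup", "ws-laptop17.corp.example", "dc01.corp.example"),
    AuthEvent("alice", "ws-laptop03.corp.example", "db01.corp.example"),
    AuthEvent("alice", "ws-laptop03.corp.example", "db01.corp.example", mfa_verified=True),
    AuthEvent("mallory", "ws-laptop17.corp.example", "db01.corp.example"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        decision, reason = evaluate(POLICY, ev)
        print(f"{decision:9s} {ev.account:11s} {ev.source} -> {ev.destination}: {reason}")
    print(summarize(POLICY, SAMPLE_EVENTS))
```

Running `summarize` over a few weeks of real logs in monitor-only mode, before switching the `deny` outcome to enforcement, is how you find the service accounts whose baseline is incomplete without breaking production.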

On the flip side, preventing passwords from being stored insecurely is an incremental, difficult problem that cannot be solved with leverage. A password may be found in a file on a computer, in a cloud storage account, in a file share, etc. Solving this problem alone requires considerable effort and does not mitigate other, equally pressing risks. Even if a password is stored securely, it is still at risk if it is low quality. 

Finding investments with leverage reduces the urgency of the technical risks they mitigate; they buy space and time for your team to build your security ceiling. 

Broad protection matters 

There is a well-known story from a red team exercise that illustrates a crucial point: to breach a high-security data center, an ethical hacker found a robust, access-controlled door. Instead of attempting to bypass it, they ran through the plasterboard wall adjacent to it. 

This story made me think about how attackers are like water; they will always find the lowest level. The adversary will simply pivot to lower-hanging fruit if an organization restricts its security efforts to a limited number of systems or accounts. Most cyber-attacks are financially motivated and opportunistic; they are not personal. 

Considering how complex and connected our systems are today, we cannot assume that any account, no matter how innocent-looking, is safe or too low priority for protection. The key to scalability is to assess investments for their ease of scaling. 

Platforms that provide an easily manageable control plane are more scalable than incremental, decentralized controls. Strong security controls that cannot be implemented at scale create a weak foundation. To achieve scalability, a comprehensive approach is necessary to close these gaps efficiently.

A balanced approach to identity security 

Identity security leaders have complex and demanding roles. Building a broad security floor while prioritizing investments that buy your team space and time can help. Balancing this way of thinking with compliance requirements, which by their very nature encourage selectively building high security ceilings, will go even further to protect your environment. In fact, I believe this balancing act is the only effective method of reducing risk in today’s environments.  

It is important to prioritize investments that provide leverage, broad coverage, and centralized control to reduce risk at scale. Keeping these principles in mind will allow organizations to secure identity efficiently and stay ahead of evolving threats without drowning in complexity. 

For security leaders, the challenge is clear: build a strong foundation, invest in scalable security solutions, and ensure your security efforts buy the time and space needed to stay ahead of the identity threat landscape.  

We dared to push identity security further.

Discover what’s possible.

Set up a demo to see the Silverfort Identity Security Platform in action.