Published August 2025

Executive summary

Threats against identities and their protections are worsening. Cybercriminals are more interested in stealing and abusing compromised credentials, organizations often can’t detect exposed credentials on the dark web, and visibility into the actions and behaviors of service accounts is lacking. Threat actors are increasingly leveraging social engineering for compromising credentials. Internally, most organizations lack the optics and processes to detect identity-led threats.

New identity security solutions are emerging to protect identities—both human and non-human—by layering additional protections on identity and access management tools. These include solutions for visibility, governance, and autonomous remediation. While the organizations in this research claim high maturity for current identity security deployments, evidence of high maturity is lacking for most. All organizations must urgently revisit their identity security protections, deploy new or advanced solutions to strengthen identity security posture, and reduce exposure to the negative implications of identity-led threats.

Request a copy

Published March 2025

Executive summary

CISOs and CIOs are prioritizing cloud infrastructure security, internal cybersecurity talent, and the ethical control of data in 2025. The threat environment continues to change, with AI-driven cyberthreats escalating the potential damages on the offensive side in parallel with tightening cybersecurity insurance requirements forcing a recalibration of the defensive side.

More organizations are experiencing a higher number of cybersecurity incidents each year, which drives the need to re-assess the efficacy of current posture against the organization’s desired standard of performance. Having done so, the CISOs and CIOs in this research are investing in protections to shore up the critical areas above. In addition to the overall prioritization of cybersecurity areas, we offer a more nuanced analysis of CISO and CIO priorities within the areas of applications, cloud platforms and services, identities, and data.

Request a copy

Published September 2024

Executive summary

Data breaches and ransomware attacks make headlines every day in the mainstream news. These articles routinely comment on the need for multi-factor authentication (MFA), especially if it wasn’t used. This emphasis can give the impression of MFA as a silver bullet, and that using it can easily prevent breaches. However, the reality is more complex. It is more accurate to say that while the presence of MFA reduces the likelihood of a breach, not all MFA is created equal, and the risk of data breaches continues to rise even as organizations implement MFA.

Despite these challenges, we strongly advise organizations to continue using MFA. Instead of abandoning it, organizations should focus on improving and strengthening how MFA is implemented—including the types of MFA being used. This should be part of a broader effort to reinforce security measures throughout the entire authentication process, ensuring that every step is as secure as possible given the risks involved.

Request a copy

Published September 2023

Executive summary

This white paper discloses a critical gap in organizations’ ability to protect themselves against identity threats—with 83% already having experienced a breach involving compromised credentials. Account takeover, lateral movement, and ransomware spread are a prominent cyber risk. To gain resiliency against these attacks, organizations strive to have the ability to prevent—in real time—malicious access with compromised credentials to their resources. The common practice today is to lean on solutions such as MFA and PAM, as well as manual monitoring of service accounts, to get this protection. However, surveys of identity security teams reveal that in most cases, these solutions fail to deliver the required level of protection. This failure manifests in the vast majority of organizations experiencing an identity-related data breach, as well as a shared notion among identity teams that they don’t have the ability to thwart such attacks in the future.

Published August 2023

Executive summary

Change is inevitable, as the saying goes. And, nowhere are the effects of rapid change more apparent than in today’s multi-cloud computing environments.

Organizations are constantly adopting new tools and technologies, including multiple cloud platforms, to stay competitive, agile, and secure. The findings of this year’s State of Multi-Cloud Identity Report build on the reports from 2021 and 2022 to show how organizations are thinking about identity services and technologies is shifting in response to external and internal forces.

What hasn’t wavered in the past three years is the increasing prevalence of multi- cloud in the enterprise and the resulting identity fragmentation that leads to security and operational risk.

Identity is a fundamental component of enterprise security. It relies on uniquely differentiating one user from another, granting the correct level of access for policies for each employee, customer, and partner. Getting identity and access policies wrong can result in the costly loss of customer confidence, data breaches, and regulatory compliance issues.

However, getting identity and access policies right is not easy. Many organizations face challenges in driving identity modernization — often tied to attempts to hire unicorn identity professionals who can handle the complexity and diversity of multiple identity platforms and services. But finding such talent is difficult, if not impossible. The skills or talent gap has delayed identity modernization projects, undermined internal capabilities, and driven away customers and revenue.

The solution to these challenges lies in the orchestration of an identity fabric. By harmonizing identity and access policies, Identity Orchestration enables organizations to manage multiple identity providers to dynamically secure applications across multiple cloud platforms and integrate new identity services seamlessly.

The benefits of an orchestrated identity fabric are manifold. It facilitates organizational digital transformations, and the modernization of on-premises applications with modern authentication capabilities while ensuring the decommissioning of legacy identity infrastructure does not compromise critical business processes or undermine security.

Sponsored by BlackFog, Cerby, OpenText Cybersecurity, Quest, and SonicWall

Executive summary

CISOs and CIOs view cybersecurity as a significantly higher priority than two years ago and are investing in multiple areas to meet escalating regulatory demands, protect new digital channels, and counteract ongoing cyber incidents. Improving protections for cloud services and platforms is the top-rated priority (attacks against cloud services were the most-seen incident type during the past year), followed by protections against ransomware attacks. CISOs and CIOs see a range of issues within apps, cloud platforms, data, and on-premises infrastructure requiring ongoing and higher investment in 2023. They are budgeting accordingly.

The data presented in this white paper is from a survey of CISO and CIO respondents at 284 organizations in the United States with more than 1,000 employees. 

Request a Copy

Published May 2022

Executive summary

Enterprises have accelerated their move to multiple cloud platforms over the past 12 months and intend to keep pushing in this direction. An increasing share of app workloads are hosted across multiple cloud platforms, but with only a minority of enterprises planning on giving up on-premises approaches entirely, most enterprises face the combination of hybrid and multi-cloud in perpetuity.

Successfully achieving the promise of a combined hybrid and multi-cloud future can only be gained if enterprises address their technical debt and outdated IAM (identity and access management) practices. Distributed identities across scattered identity silos result in inconsistent identity and access policies when people are accessing apps. Poor visibility of existing access policies means enterprises are flying blind—they do not know where apps are hosted, nor who has access to their data.

Current identity standards and technologies for multi-cloud policy management are failing to live up to the actual demands of multi-cloud, and enterprises are having to hire expensive identity architects to fill the gap. Nevertheless, data breaches continue, the identity threat looms large, and more strategic identity and IT modernization initiatives remain unaddressed.

Modernizing identity and access management is a strategic imperative for enterprises with hybrid and multi-cloud strategies. Consistent policies irrespective of where app workloads are deployed are essential; relying on identity architects to manually stitch these together is not a sustainable approach. A new category of software—Identity Orchestration—offers a better solution: a distributed abstraction layer that integrates multi-cloud and hybrid identity infrastructures and allows fine-grained enforcement of consistent identity and access policies. Identity Orchestration supports security modernization through Zero Trust approaches, and also gives enterprises the ability to achieve consistent Policy Orchestration between cloud platforms and across the tech stack.