Introduction to Panel and Session Overview
The session was hosted by Troy Wilkinson, a former Fortune 500 CISO who guided a dynamic conversation alongside industry leaders Danny Brickman, Co-Founder & CEO at Oasis Security and Eli Erlikhman, VP of Cybersecurity at Sprinkler. This engaging panel explored how to effectively convince C-level executives to invest in a Non-Human Identity (NHI) program, a critical and often overlooked facet of cybersecurity. The discussion emphasized translating technical risks into clear business impacts, showcased real-world incidents that underscore the urgency of managing NHIs proactively, and offered practical strategies for embedding security seamlessly into business operations.
Main Topics Discussed
Key Challenges in NHI Management
- Difficulty in gaining leadership buy-in due to technical jargon and the need to translate risks into business terms (dollars and cents).
- Addressing legacy technical debt and the complexity of managing non-human identities like service accounts, APIs, and certificates.
- Increasing complexity with AI and agentic AI systems, which expand the number of non-human identities.
Strategies for Effective Communication with Leadership
To gain support, it’s essential to:
1. Articulate Business Risk Clearly
- Use risk scenarios, such as compromised service accounts or API leaks, to demonstrate potential impacts on the business. For example, a service account not updated for 15 years can be exploited, leading to security breaches.
- Translate technical issues into financial and operational risks using models like FAIR (Factor Analysis of Information Risk) and frameworks like MITRE ATT&CK for specificity.
- Identify and map all “skeletons” (vulnerabilities) related to identities to highlight potential threats.
2. Build a Compelling Business Case
- Align NHI initiatives with business objectives, such as faster AI adoption or operational efficiency.
- Show how NHI supports digital transformation, emphasizing that neglecting it could lead to vulnerabilities.
- Engage stakeholders across DevOps, development, and security teams understand their workflows pain points.
3. Develop a Clear Program Vision (Nirvana State)
- Define a future ideal state for identity security, such as full lifecycle management, ephemeral accounts, or federated infrastructure.
- Focus on integrating existing tools (secret managers, identity providers) and building governance layers on top of current infrastructure.
4. Prioritize Identity Security
- Identify the most risky identities and vulnerabilities to focus efforts.
- Explain why identity security is more critical than other areas, emphasizing its role as a bridge between security and business enablement.
5. Business Terms Communication
- Use language that resonates with executives, risk, resilience, and business value rather than technical jargon.
- Provide contextualized stories relevant to the company’s specific environment and challenges.
Role of AI in Business
- AI accelerates the growth of non-human identities, often increasing their number and complexity. Organizations adopting AI tend to see a rise in non-human identities, which underscores the urgency of managing them.
- AI systems rely on existing databases and service accounts, making NHI management integral to AI deployment.
- Positioning NHI as part of AI strategy creates a compelling business case, emphasizing speed, innovation, and risk mitigation.
Recent Incidents and Risk Awareness
- Many organizations have experienced security incidents involving identities, such as API leaks or compromised service accounts.
- A notable example includes a hacking campaign targeting banks via open APIs, illustrating real-world risks.
- Using data breaches articles and news (e.g., NHIMG 52 breaches article) helps justify investments by highlighting potential threats.
Building a Strategic NHI Program
There is no universal standard; each company must define its own vision based on its future state and business needs.
- Defining the “nirvana state”, the ideal future state of identity management (e.g., lifecycle management, ephemeral accounts, federated infrastructure).
- Leveraging existing infrastructure and tools to avoid unnecessary new investments.
- Implementing governance controls on top of current systems to enhance security and compliance.
- Ensuring the language and processes align with developer and DevOps teams to promote agility and speed.
Key Takeaways for Securing NHI
To make a compelling case and implement effective NHI programs, consider the following:
- Build a business case based on risk, resilience, and enabling business objectives.
- Use real incidents and threat intelligence to highlight vulnerabilities and potential impacts.
- Engage all relevant stakeholders early, including DevOps, development, security, and executive teams.
- Focus on automation, lifecycle management, and governance to reduce manual effort and errors.
- Recognize that non-human identities are pervasive (“ghosts”) and require proactive management.
Closing Remarks
The panel highlighted the urgency and complexity of managing Non-Human Identities, especially with AI’s rapid proliferation. Success in securing NHIs hinges on shifting the conversation from purely technical to business risks, resilience, and enablement. CISOs and security leaders must become skilled storytellers, crafting narratives that resonate not just with executives, but also with developers, engineers, and security teams. By defining clear strategic goals, leveraging existing infrastructure with governance overlays, and embedding security into development workflows, organizations can build robust, scalable NHI programs that protect critical assets and enable innovation.
