TL;DR: Poor secrets management increases breach cost, insider risk, compliance exposure, and cloud sprawl, with IBM cited at $4.45 million average breach cost and 15% of breaches tied to stolen or compromised credentials. The editorial case is that rotation, discovery, and centralisation are cost controls only when they also reduce non-human identity exposure and audit friction.
NHIMG editorial — based on content published by Entro Security: Cutting cybersecurity budget with good secrets management
By the numbers:
- The global average cost of a data breach in 2023 was $4.45 million, a significant 15% increase compared to three years ago.
Questions worth separating out
Q: How should security teams reduce the risk of exposed secrets in cloud environments?
A: Start by inventorying where secrets exist, then remove unnecessary standing credentials, shorten lifetime where possible, and enforce usage logging.
Q: Why do long-lived service account secrets create such a large governance problem?
A: Long-lived secrets increase both attack window and operational dependence.
Q: What breaks when organisations centralise secrets management but do not improve auditing?
A: Centralisation alone does not tell you whether a secret was used appropriately.
Practitioner guidance
- Map every secret to an owning workload and lifecycle: Build an inventory that ties each credential, token, API key, and certificate to a named system owner, rotation owner, and decommission path.
- Shorten secret lifetime where applications can tolerate it: Replace static credentials with dynamic or time-bound alternatives for workloads that can support renewal without outage risk.
- Require usage logging on every privileged secret: Capture who or what used the secret, from which workload, and at what time so investigations do not begin from guesswork.
What's in the full article
Entro Security's full blog covers the operational detail this post intentionally leaves for the source:
- Detailed explanation of how the vendor positions secrets management as a cybersecurity budget control.
- Step-by-step rotation and discovery guidance for teams managing multiple secret stores.
- Examples of how the vendor connects secret exposure to breach cost, compliance, and cloud spend.
- The article’s own framing of how its platform fits into NHI and secrets management operations.
👉 Read Entro Security's blog on how good secrets management reduces cybersecurity costs →
Secrets management and NHI sprawl: where cost control meets risk?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Secrets management is a governance problem, not a storage problem. The article is correct that cost follows control failure, but the deeper issue is that organisations often treat vaulting as the endpoint. In practice, the risk lives in discovery gaps, rotation failure, and untracked use across service accounts, APIs, and pipelines. The practitioner conclusion is that lifecycle visibility matters more than any single repository for secrets.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
A question worth separating out:
Q: How do you know if secrets rotation is actually reducing risk?
A: Rotation is working only if exposure windows shrink without causing downstream failures or manual exceptions. Measure whether secrets can be changed on schedule, whether applications recover cleanly, and whether incident investigations show shorter periods of valid compromise after disclosure.
👉 Read our full editorial: Secrets management can cut breach costs and reduce NHI exposure