
IAM efficiency versus security: where are teams creating risk?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: As cybersecurity budgets rose only 4% in 2025 and 61% of CIOs said proving ROI is very challenging, organisations are being pushed to prioritise efficiency while managing access risk, according to IANS Research and Lenovo. Poorly integrated IAM can drive password sharing, manual workarounds, and weaker resilience when usability is ignored.

NHIMG editorial — based on content published by Imprivata: Experts urge shift toward ROI-focused cyber spending as IAM gaps introduce security risk and inefficiencies

By the numbers:

Questions worth separating out

Q: How should security teams balance IAM security with user productivity?

A: Security teams should design IAM so that access is secure and usable at the same time.

Q: Why do access controls fail when they are too hard to use?

A: Access controls fail when users see them as obstacles to work and start bypassing them through sharing, copying, or delaying changes.

Q: How can organisations tell whether IAM is actually improving ROI?

A: Organisations should look for lower exception volume, fewer manual access fixes, faster task completion, and fewer risky workarounds.

Practitioner guidance

  • Measure access friction as a security metric: Track login delays, approval bottlenecks, repeated access exceptions, and password-sharing reports together so identity teams can see where workflow pressure is driving unsafe behaviour.
  • Map workaround patterns to identity control failures: Review where users copy credentials, reuse shared accounts, or bypass approvals, then trace each pattern to the specific control that made the shortcut attractive.
  • Align zero trust to changing session context: Use continuous authentication and step-up checks for higher-risk actions instead of relying on a single login event to establish trust for the whole session.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • The article's framing of ROI pressure and cybersecurity budgeting in current enterprise planning.
  • The specific Forbes Tech Council commentary from Imprivata's CEO on usability, enforcement, and enablement.
  • The discussion of zero trust and continuous authentication as identity design principles for hybrid environments.
  • The article's own examples of how IAM can support productivity while reducing security risk.

👉 Read Imprivata's analysis of ROI-focused IAM security and efficiency →
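
As an added illustration of the step-up guidance above (not part of the original post or Imprivata's article), here is a per-request check that re-evaluates trust on every action instead of once at login. The action names, risk tiers, freshness windows and `Session` fields are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical policy: risk tier per action and maximum authentication age (seconds).
ACTION_RISK = {"read_dashboard": "low", "export_records": "medium",
               "change_privileges": "high"}
MAX_AUTH_AGE = {"low": 8 * 3600, "medium": 3600, "high": 300}


@dataclass
class Session:
    user: str
    last_auth: float   # epoch seconds of the most recent successful authentication
    mfa: bool          # True if that authentication included a second factor
    device_id: str     # device bound to the session at login
    network: str       # network zone seen at the last authentication


def evaluate(session, action, now, device_id, network):
    """Decide one request: returns (decision, reason)."""
    risk = ACTION_RISK.get(action)
    if risk is None:
        return ("deny", "unknown_action")        # fail closed on unmapped actions
    if device_id != session.device_id:
        return ("deny", "device_changed")        # token used from another device
    if network != session.network and risk != "low":
        return ("step_up", "network_changed")    # context drifted since last auth
    if risk == "high" and not session.mfa:
        return ("step_up", "mfa_required")
    if now - session.last_auth > MAX_AUTH_AGE[risk]:
        return ("step_up", "auth_too_old")       # login event no longer fresh enough
    return ("allow", "ok")


def record_step_up(session, now, network):
    """Call after the user passes a second-factor challenge."""
    session.last_auth, session.mfa, session.network = now, True, network


if __name__ == "__main__":
    s = Session("alice", 1000.0, False, "dev-1", "corp")  # constructed sample session
    for action, t in [("read_dashboard", 1600), ("change_privileges", 1060)]:
        print(action, evaluate(s, action, t, "dev-1", "corp"))
```

Logging the returned reason codes per application gives a count of step-up prompts and denials, which can sit alongside the access-friction measures listed in the first guidance item.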

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

Security controls that create friction can become self-defeating. When IAM is hard to use, people do not stop working, they route around the control surface. That creates shadow practices such as credential sharing, duplicated access paths, and delayed changes to privilege state. The lesson for the field is not that usability trumps security, but that unusable identity controls degrade both.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • The same report found that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: Who should own IAM decisions when friction and risk pull in different directions?

A: IAM ownership should sit with both security and operations leaders because the problem affects risk, workflow, and business continuity at the same time. Security teams define the trust model, while operations teams validate whether the design works in real work patterns. Shared accountability prevents controls that look good on paper but fail in practice.

👉 Read our full editorial: ROI-focused IAM security gaps are creating avoidable cyber risk



   