TL;DR: Identity security programmes fail when teams rush to tools before understanding current capability, future state, and the communication needed to align security decisions with business priorities, according to SailPoint’s interview with CISO Rex Booth. The practical lesson is that identity governance starts with scope, trust, and maturity assessment, not procurement.
NHIMG editorial — based on content published by SailPoint: Meet our CISO, Rex Booth
Questions worth separating out
Q: How should security teams decide where to start with identity governance?
A: They should start by assessing current state against a defined target state, then rank the biggest control gaps by business risk.
Q: Why does communication matter so much in identity security programmes?
A: Because identity work succeeds only when leaders, application owners, and risk stakeholders understand the same problem in the same terms.
Q: What do organisations get wrong when they rush into identity tooling?
A: They often assume the tool will define the programme.
Practitioner guidance
- Run an identity maturity assessment first: document current access governance, lifecycle coverage, and visibility gaps before buying or expanding tooling.
- Translate identity risk into business language: create a standard way to explain access exposure, approval delays, and lifecycle gaps in terms leaders already use for cost, resilience, and delivery impact.
- Clarify decision rights for identity owners: assign who can approve, revoke, and remediate access without unnecessary escalation.
What's in the full article
SailPoint's full blog covers the personal perspective and leadership advice this post intentionally leaves at a higher level:
- Rex Booth's career path across developer, consultant, federal, and vendor roles.
- His view on how CISOs should communicate risk to different audiences.
- The thinking behind extending trust while still maintaining accountability in security teams.
- His practical advice on getting started with identity management and assessment.
👉 Read SailPoint's interview with CISO Rex Booth on identity security leadership →
Identity security maturity: why teams should start with assessment first
Identity security fails first as a governance problem, not a tooling problem. Booth’s advice to pause before acting captures the reality that many programmes buy controls before they understand the control gap. The real failure is not the absence of a product feature, but the absence of a clear target state, which leaves access, lifecycle, and risk management fragmented. Practitioners should treat programme clarity as the first control boundary.
A few things that frame the scale:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- Organisations run 6 distinct secrets manager instances on average, a fragmentation that weakens centralised control and slows governance decisions.
A question worth separating out:
Q: How can teams reduce bottlenecks in identity governance without losing control?
A: By giving the people closest to the risk enough authority to act, while keeping clear ownership and review for high-risk decisions. Excessive handoffs and approval layers usually slow remediation more than they improve security. The goal is disciplined delegation, not uncontrolled freedom.
👉 Read our full editorial: Identity security starts with clarity, not tools, says SailPoint CISO