CISOs Must Integrate IAM to Strengthen Cybersecurity Strategy

17 September 2025 - ID G00836009 - 7 min read
By Oscar Isaka
Rapid pursuit of digital transformation, maturing zero-trust strategies and legacy, compliance-focused identity and access management (IAM) leave critical gaps in cybersecurity strategies. CISOs must transform IAM from a checkbox exercise into a key pillar of cybersecurity strategy.

Overview

Key Findings

  • Credential compromise is the leading cause of breaches, yet the importance of IAM in achieving cybersecurity objectives, such as the implementation of zero-trust controls, is often overlooked.
  • CISOs struggle to prioritize and execute IAM projects because they underestimate complexity and fail to align IAM investment with broader cybersecurity and business strategy.
  • Leaders undervalue IAM programs because operational IAM metrics lack business context. CISOs and C-suites see IAM as a technical capability, not a strategic investment.

Recommendations

  • Align the IAM program with the cybersecurity strategy by benchmarking IAM maturity and gaps, leveraging them for planning and prioritization.
  • Measure and communicate the IAM program by creating outcome-driven metrics (ODMs). Incorporate them to measure the efficiency and coverage of IAM’s controls and functions programmatically.
  • Embrace identity threat detection and response (ITDR) and adopt identity-first security to enable zero trust and optimize the organization’s cybersecurity posture.

Introduction

Increasing reliance on cloud services, digital supply chains, machine identities, AI, and the pursuit of zero-trust strategies have made IAM a core element and key enabler of the cybersecurity strategy. A recent Gartner survey found that in half of organizations, the head of cybersecurity is primarily or solely responsible for reporting on IAM, making the business case for it, and communicating it to the most senior stakeholders.1
CISOs must incorporate a formal IAM program into their cybersecurity strategy for effective identification of access risks and prioritization of controls in a consistent, systematic and scalable way. This ensures that cybersecurity objectives can adapt to the volatile and uncertain threat landscape where identity is prevalent as an attack vector.
CISOs must ensure their cybersecurity strategy includes a formal IAM program to engage business stakeholders, govern IAM activities, and address project risks to achieve the desired business outcomes (see IAM Leaders’ Guide to IAM Program Management and A Journey Guide to Delivering an IAM Program). This will require working with the IAM leader to mitigate IAM-related risks and ensure IAM efforts and controls are correctly prioritized as part of the overall cybersecurity strategy.
A successful IAM program has three core pillars: privileged access management (PAM), identity governance and administration (IGA), and access management (AM) (see Figure 1).
Figure 1: The Main Pillars of Identity and Access Management
The three main pillars of identity and access management (IAM) are access management, privileged access management, and identity governance and administration. Understanding these pillars helps CISOs align with industry terminology, communicate internally about IAM requirements and grasp the necessary competencies.
This research outlines how CISOs should incorporate IAM program objectives into their cybersecurity strategy, enhancing the organization’s overall security posture while ensuring sensitive information remains protected and regulatory compliance is maintained.

Analysis

Benchmark IAM Maturity to Effectively Prioritize and Plan

A comprehensive, well-planned and well-governed IAM program lays the foundation for cybersecurity strategy and enables the business to achieve its strategic objectives. CISOs must treat IAM strategy as an integral part of cybersecurity planning so they can identify gaps in fundamental controls and therefore appropriately prioritize capabilities and improvements to improve the overall security posture.
Use Gartner’s IT Score for Identity and Access Management (see Figure 2) to assess and evaluate current IAM maturity, identify strengths and weaknesses, prioritize activities and projects, and support establishing an IAM program.
Figure 2: Functional Activity Map for IT Score for IAM
Gartner
A functional activity map for IT Score for Identity and Access Management (IAM) encompasses engaging and supporting stakeholders, managing the IAM function, managing risk and enabling trust, delivering IAM operational capabilities, and managing talent and workforce strategy.

Measure the Impact of IAM Through ODMs

Making IAM investment decisions in isolation, by focusing on solving specific problems, limits the organization’s ability to measure the return on those investments, and align them with cybersecurity and business goals.
ODMs and protection-level agreements (PLAs) achieve both of these objectives. They measure the cybersecurity outcomes achieved by specific investments and map directly to the tangible business outcomes that leadership prioritizes. In this manner, ODMs simultaneously reflect protection levels and value for investment, and raise awareness among the rest of the C-suite of the important role of the IAM function in cybersecurity strategy.
Gartner recommends benchmarking three IAM ODMs (see Figure 3).
Figure 3: Protection-Level Agreements — Security Impacts
The three primary protection-level outcome-driven metrics for identity and access management are time to remove access, privileged access management (PAM) coverage and multifactor authentication (MFA) coverage. Well-formed programs articulate how they support risk reduction and how they often deliver a competitive business advantage.
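To make the three ODMs concrete, here is an added example (not from the Gartner note) that computes them from constructed sample records and checks each against an assumed PLA target. The record formats, the targets and the use of the median for time to remove access are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample records (hypothetical; not from the report).
# Leavers: (HR termination time, time all access was actually revoked)
LEAVERS = [
    (datetime(2025, 3, 3, 9, 0), datetime(2025, 3, 3, 11, 30)),
    (datetime(2025, 3, 5, 17, 0), datetime(2025, 3, 7, 9, 0)),
    (datetime(2025, 3, 10, 8, 0), datetime(2025, 3, 10, 8, 45)),
]
# Privileged accounts: (name, vaulted and brokered through the PAM tool?)
PRIV_ACCOUNTS = [("svc-backup", True), ("dbadmin", True),
                 ("root-legacy", False), ("cloud-admin", True)]
# Workforce accounts: (name, MFA enforced?)
USER_ACCOUNTS = [("alice", True), ("bob", True), ("carol", False),
                 ("dave", True), ("erin", True)]

@dataclass
class Pla:
    """A protection-level agreement: the target leadership signed up to."""
    name: str
    target: float
    higher_is_better: bool

def time_to_remove_access_hours(leavers):
    # Median hours between HR termination and full access revocation (assumption: median)
    return median((revoked - term).total_seconds() / 3600 for term, revoked in leavers)

def coverage_pct(accounts):
    # Share of accounts where the control is in place
    return 100.0 * sum(1 for _, covered in accounts if covered) / len(accounts)

def evaluate(observed, pla):
    met = observed >= pla.target if pla.higher_is_better else observed <= pla.target
    return {"metric": pla.name, "observed": round(observed, 1),
            "target": pla.target, "met": met}

def odm_report():
    """Return the three IAM ODMs against assumed PLA targets."""
    return [
        evaluate(time_to_remove_access_hours(LEAVERS), Pla("time_to_remove_access_hours", 24, False)),
        evaluate(coverage_pct(PRIV_ACCOUNTS), Pla("pam_coverage_pct", 95, True)),
        evaluate(coverage_pct(USER_ACCOUNTS), Pla("mfa_coverage_pct", 90, True)),
    ]

if __name__ == "__main__":
    for row in odm_report():
        print(row)
```

The unmet rows are the ones to raise with the C-suite, phrased in terms of the agreed target rather than raw tool output.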

Embrace ITDR and Identity-First Security to Strengthen Your Cybersecurity Posture

Credential misuse was the most common path to security breaches in 2024.2 There is an active initial access broker marketplace for stolen credentials.3 There are well-known attacks against multifactor authentication (MFA).4 And sophisticated attackers are now targeting the IAM infrastructure itself.
Prevention is a foundational part of every cyberattack preparedness plan. This includes documenting key elements of the identity infrastructure and assessing whether proper preventive controls are in place to protect them (see the four areas discussed in the first question). However, there is no such thing as fail-proof prevention. Organizations must be prepared for the highly probable scenario that controls will be bypassed (see Augmented Cybersecurity: Act Now to Thrive Amid Chaos and Complexity).
Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response
ITDR is a security discipline that encompasses threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It works by implementing detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.
ITDR unifies tools and best practices to protect the integrity of identity systems, which is necessary even for mature IAM and infrastructure security deployments. The focus of ITDR is to work as the second and third layers of defense (see Figure 4), after the foundational preventive mechanisms identified above are in place.
Figure 4: How ITDR Works With Infrastructure Security Operations
This architecture shows how identity threat detection and response (ITDR) works with infrastructure security to detect and respond to identity threats such as password spray, credential scanning and unusual user activity.
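As an added example of the detection layer the figure describes (not code from the Gartner note or any ITDR product), the following distinguishes a password spray from single-account brute force over constructed sample authentication events, and flags a success for a sprayed account from the same source as a likely hit for the response step. The log format, thresholds and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (hypothetical format, not from any real product).
AUTH_LOG = """\
2025-09-01T08:00:01Z FAIL user=alice src=203.0.113.7
2025-09-01T08:00:03Z FAIL user=bob src=203.0.113.7
2025-09-01T08:00:05Z FAIL user=carol src=203.0.113.7
2025-09-01T08:00:07Z FAIL user=dave src=203.0.113.7
2025-09-01T08:00:09Z FAIL user=erin src=203.0.113.7
2025-09-01T08:00:40Z OK user=erin src=203.0.113.7
2025-09-01T08:01:00Z FAIL user=alice src=198.51.100.9
2025-09-01T08:01:30Z FAIL user=alice src=198.51.100.9
2025-09-01T08:02:00Z OK user=alice src=198.51.100.9
"""
LINE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log):
    """Return (timestamp, result, user, src) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """A spray is one source failing against many distinct users, few attempts each.
    Many failures against one user from one source is brute force and is not flagged here."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in events:
        (fails if result == "FAIL" else successes)[src].append((ts, user))
    alerts = []
    for src, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            users = [u for ts, u in attempts[i:] if ts - start <= window]
            distinct = set(users)
            if len(distinct) >= min_users and max(users.count(u) for u in distinct) <= max_per_user:
                # A later success for a sprayed user from the same source is a likely compromise
                hits = sorted({u for ts, u in successes.get(src, []) if u in distinct and ts >= start})
                alerts.append({"src": src, "distinct_users": len(distinct),
                               "attempts": len(users), "likely_hits": hits})
                break
    return alerts

def run():
    return detect_password_spray(parse(AUTH_LOG))
```

In the sample, 203.0.113.7 is flagged as a spray with erin as a likely hit, while the repeated failures against alice from 198.51.100.9 are not a spray and would need a separate brute-force rule.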

For more information on identity threat detection and response, see:
Identity-First Security
Identity-first security makes identity-based controls the foundation of an organization’s cybersecurity, shifting away from obsolete, static perimeter defenses toward consistent, flexible, scalable, and context-driven access policies. Achieving identity-first security is a key goal of an effective IAM program. As organizations face a dynamic threat landscape, IAM must enable continuous, adaptive assessment of trust and risk, allowing access decisions to be made and updated rapidly to support a zero-trust approach. However, many IAM programs remain too process-driven to respond quickly to active threats.
To achieve an identity-first security strategy, instead of focusing on specific IAM tools and capabilities, cybersecurity leaders should focus on end-to-end use cases. For example, there are numerous components involved in an API security strategy, including API gateways, an access management tool, a secrets management tool and public key infrastructure (PKI), among others. All these components need to work together to effectively deliver the control. The objective is to achieve an integrated and extensible framework, where IAM along with security and risk management (SRM) tools and processes can be used interoperably.
Figure 5 illustrates how IAM components can be viewed as elements within a connected ecosystem, or identity fabric, that encompasses multiple use cases. For more information, see Identity-First Security Maximizes Cybersecurity Effectiveness.
Figure 5: Elements of an Identity Fabric
An organization’s identity fabric includes the following components: identity and access management (IAM) functions, principles and location, and tools woven together.

Evidence

1 2025 Gartner Guidance for Communicating the Value of IAM to the C-Suite Poll. The question “What do you find is the biggest obstacle when communicating the importance of Identity and Access Management (IAM) to your C-suite?” was asked of attendees in the breakout session “Guidance for Communicating the Value of IAM to the C-Suite” at the Gartner 2025 Identity & Access Management Summit (EMEA) on 24-25 March 2025. In all, 92 attendees responded.
Disclaimer: The results of this survey do not represent global findings or the market as a whole but reflect the sentiment of the respondents surveyed.
2024 Gartner IAM Leadership Survey. This survey sought to understand identity and access management (IAM) leaders’ approach to building IAM strategy, aligning with business and cybersecurity goals, and collaborating with cybersecurity functions. The combined data represents responses from 335 IAM leaders globally across industries, geographies and revenue bands, and was collected from August 2024 through October 2024. This research was further substantiated and informed by in-depth practitioner interviews with over 50 IAM leaders to understand their goals and challenges while managing their organization’s IAM program. Gartner created measures to determine an IAM leader’s ability to deliver against key outcomes. Gartner then used regression analysis to measure and identify the most impactful approaches for improving their ability to deliver key outcomes.
Disclaimer: The results of this study do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.