Ponemon Institute: Just 16% of enterprises have mature IAM programs

More than half (56%) of respondents to a recent Ponemon Institute survey reported an average of three identity-related data breaches over the past two years. That could be because so few organizations in healthcare and elsewhere are adequately investing in identity and access management technologies, the report suggests.


The report shows just 16% of respondents having a fully mature IAM plan in place, according to Saviynt, which develops identity governance tools and sponsored the survey. That’s defined, the company says, as an organization having fully operational IAM programs with skilled workers and C-level and board executive awareness.

The other 84%? They’re “currently dealing with inadequate budgets, programs stuck in a planning phase and lack of senior-level awareness,” according to Saviynt.

Of those poll respondents who’d experienced identity and access-related cyberattacks, 52% indicated that the breach was due to lack of comprehensive identity controls or policies.

The study was conducted by Ponemon for Saviynt, and respondents included more than 1,000 IT and IT security practitioners in the United States and EMEA.

About 35% of those respondents said they’re confident they can determine whether privileged users are compliant with policies. The same percentage have confidence in the effectiveness of current security controls preventing internal threats involving the use of privileged credentials.

Of those who aren’t confident about the visibility of privileged user access, 61% of respondents said they can’t keep up with the changes occurring to their IT resources, according to Saviynt, which notes that almost half of respondents (46%) reported regulatory noncompliance because of access-related issues.

That’s led to significant legal and financial consequences for many of them: lawsuits, fines and loss of revenue, customers and reputation.

But the biggest operational challenge of these compliance failures was IT downtime, according to nearly two-thirds (64%) of survey takers.

Among some other key discoveries of the report: More than half (56%) said granting and enforcing privileged user access rights required too much staff to monitor and control, and 51% can’t keep pace with the number of access change requests.

While many of these IAM programs are treading water, the number of digital identities continues to skyrocket – creating complex enterprise environments and widening security gaps.

Just 28% of respondents, for instance, said their organizations are assessing whether their remote workers are accessing the network securely.

On the other hand, 52% did say that their organizations’ cloud transformation programs were already integrated with their IAM strategy, and 51% have seen an improvement in their IAM effectiveness.

“While these numbers certainly raise concerns, our research also shows that many organizations are recognizing the benefits of a converged identity platform,” Jeff Margolies, Saviynt’s chief strategy officer, said in a statement.

“In fact, 71% of respondents are actively considering, or plan to adopt, converged identity governance & administration and privileged access management solutions to reduce costs and provide frictionless access to enterprise resources,” continued Margolies.


It’s not just the avoided fines and legal fees that make strong IAM programs a valuable investment for health system leaders. Consider the case study of PeaceHealth, where identity and access management automation saved hundreds of thousands of dollars.

For some deeper perspective on how CIOs and CISOs can prioritize IAM deployments, read Bill Siwicki’s deep dive feature story.


“We’ve found that most enterprise IAM programs have not achieved maturity, leaving companies struggling to reduce identity and access related risks,” said Margolies. “Our research findings should serve as a wake-up call to C-level executives and security leaders: the absence of a modern IAM program fuels the risk of rising identity and access-related attacks, and their financial consequences.”

Twitter: @MikeMiliardHITN

Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.
