Mon | Aug 16, 2021 | 5:15 AM PDT

Organizations can spend tens of thousands of dollars, and more, on privileged access management. But are they achieving the full return on investment from their PAM purchases? Here are five reasons why PAM doesn't realize the ROI it should.

1. Product implementation

PAM product implementation often becomes stalled. Buying PAM software is not an investment, nor is it an asset. Without proper implementation, it can actually be a liability. It creates the illusion of security, which is far more dangerous than the fear of a security deficiency. Without follow-through after purchasing PAM software, the solution will languish. PAM is often installed on servers to support a couple of accounts, and after patting themselves on the back for a job well done, the IT team moves on to a different project.

2. ROI goals

ROI goals cannot be realized if companies start a PAM implementation without a strategic plan. Establishing clear objectives, with executive oversight, and integrating PAM into the entire IAM infrastructure are critical. A lack of strategy for everything PAM encompasses, including the people, processes, and products, creates a one-off product implementation. Without strategic objectives, companies won't have that much-needed roadmap.

Many companies implement PAM as a phased activity. They start by securing the highest-risk accounts, like Windows domain accounts, and may include Unix root accounts. But they should also include DBA accounts like Oracle and SQL Server, service accounts, and Windows local admin accounts that provide access to infrastructure servers. Without securing these administrative accounts, applications are vulnerable, along with their data.

Privileged accounts don't end there. There are network infrastructure accounts, like network devices, routers, and firewalls, that need to be secured. The more time you spend in the world of privileged access, the more privileged accounts you see. My motto is, protect them all. If you're not getting the ROI you deserve, it's probably because your strategic objectives and account protections aren't broad enough.

3. Cost avoidance

If you don't factor cost avoidance into your privileged access management ROI, you won't realize the full value of your investment. Costs associated with non-compliance must be factored into the ROI. The money spent on PAM should be an effective remediation against your biggest attack surface. An alarming 74% of breaches come from compromised privileged accounts. Unsecured privileged accounts that are breached cost companies in regulatory fines, reputational damage, and shareholder and class-action lawsuits. And the associated costs are staggering. Some of the largest fines are coming out of Europe, under GDPR regulations. Companies such as British Airways, Google, H&M, Marriott, and Telephone Italia have all been fined upwards of $25 million.

When you examine the cost of PAM software, consider the cost of not having a PAM solution. Don't be a victim of these damaging avoidance factors. Cover all the bases with a broad privileged account security and compliance plan; that will improve ROI.

4. Inefficiencies

Inefficiencies within password management can eat away at your ROI. Consider the cost of $60 to $75 just to reset a user's password via the help desk. There's the time involved by the admin, and the employee's time on the phone, disrupting their workflow. If executives and others in upper management are having password problems, the costs can be much higher.

Now, consider the systems secured with PAM. Technical administrators will never forget their passwords because they are stored within a vault and changed regularly. They never have to know or memorize passwords. Their passwords are checked out when needed, and then checked back in. This is accomplished through PAM automated password servicing.

PAM also helps improve your operational controls. You can demonstrate for compliance purposes that you are following the letter of the law, whether it’s NIST, NTCIP, ISO 27001, or CSC. Whatever control regimen you follow, PAM helps demonstrate your compliance and improves your operational controls.

5. Cost avoidance

The civil and criminal damages associated with a privileged account breach can catastrophically impact your ROI. When a company is breached, it not only has angry customers; it may also have civil and criminal liabilities attached to its directors, executives, and possibly its general counsel. What are the costs involved in having these corporate officers under investigation by a federal agency because of a privileged account breach?


Each of these five reasons for a deficient PAM ROI is shocking and avoidable. Organizations must consider the potential ramifications of not fully implementing and integrating PAM. When a company loses control of its privileged accounts, the disastrous fallout from even a single breach can cause irreparable damage. Broad protection of your privileged accounts, with a fully integrated PAM solution, is the only way to achieve a healthy ROI.