Cyber resilience begins with modern identity security

Published on the 25/11/2025 | Written by Newsdesk


Where access and governance meet…

Cyber resilience isn’t built on firewalls anymore. In today’s hybrid, cloud-first world, it starts with identity. But while global enterprises are advancing their identity maturity, many local organisations are still stuck in the slow lane and struggling to move beyond basic identity security initiatives.

Raymond Dickinson, SailPoint New Zealand country manager, says identity security is no longer merely a technical control, just one layer of defence in a multi-layered stack. Today, it’s the organising principle of cyber resilience.

“Every user, system, device and process now relies on identity as their control point,” he says.

“You’ve really got to start looking at what is the unique area you do have control over, and that’s identity – because every person has an identity that needs to be managed. Every machine has an account or identity that needs to be managed. Every agent has one as well.”

“Identity security has shifted from being a technical control to the organising principle of cyber resilience.”

The shift is being driven by the decentralisation of IT. With users connecting directly to cloud services and software-as-a-service platforms – often outside the purview of IT – traditional perimeter-based security is no longer enough. Identity is the new perimeter.

By managing identity properly, organisations can enforce least privilege and reduce the risk of breach while also reducing damage should a breach occur.

“The lower the amount of access someone has means when there is a breach, you’re really reducing the amount of damage that is going to happen to an organisation.”

Many organisations, though, are still grappling with the basics.

SailPoint’s latest Horizons of Identity Security report shows 63 percent of organisations globally are still stuck in basic identity maturity. Dickinson says New Zealand and, to a lesser extent, Australia may be even further behind.

“A lot of organisations here are still looking at the very early stages of identity and access management – they’re still really looking at multifactor identification (MFA) and single sign-on (SSO) – so we are in many cases a long way behind.”

He says many organisations still don’t realise the importance of identity governance and how it can uplift their cybersecurity maturity.

“They still seem to think that your average Microsoft Active Directory group is enough to achieve a lot of these outcomes. And it’s just not. It can’t give them the control, the governance and that real uplift that you get from a mature enterprise-wide identity security platform.”

Identity as a productivity engine

While identity security is critical for reducing risk, Dickinson says it also delivers serious business benefits, especially when it comes to productivity.

Automating joiner-mover-leaver processes means new staff get access faster, internal moves are seamless and leavers are properly offboarded, cutting down on licence waste and security gaps.

“The leaver one is super important so you can ensure all their access has been revoked and you’re not having an account that is still active and may not be adhering to password policies and so on. It’s a key area where a lot of money and time is saved.”

Meanwhile, faster onboarding and provisioning means new hires and contractors can hit the ground running – improving customer experience and accelerating project delivery.

“Security often gets blamed for slowing things down,” Dickinson says. “But identity governance actually speeds things up. It’s a win-win.”

Automating user access reviews is also a key business benefit gained from identity security – bolstering accuracy while also reducing time.

“One organisation spent six months of the year going through doing access reviews, and then after six months, they start the next one. It’s a lot of time and effort that goes into sorting these things out.”

With identity governance, that becomes a continuous, automated process.

The benefits extend to cost savings too. With SaaS use exploding, many organisations are unknowingly paying for licenses tied to inactive accounts. Identity governance helps eliminate that waste by revoking access as soon as someone leaves.

Despite the benefits, many organisations are still exposed. Over-provisioned access, unmanaged SaaS and shadow IT are common culprits, but one of the biggest risks is third-party access, Dickinson says, pointing to recent high-profile third-party breaches.

“Visibility over third parties is a critical gap. It’s an area where a lot of organisations still have someone manually managing the onboarding process and it’s just held in a spreadsheet.”

That opens the doors for people having too much access to systems, and accounts not being removed later on.

“It’s becoming a real issue for most people and it’s a real challenge for retail as well, because they have a lot of transient workers coming through and managing the onboarding and offboarding of those individuals is really hard.”

Machine identities and bots are another emerging threat as attackers increasingly target non-human accounts, increasing the critical need for visibility and governance.

Making the case to the C-suite

So how can businesses convince stakeholders outside of IT, such as the CFO, COO and risk managers, that identity security is worth the investment?

Dickinson says it’s not an easy sell unless you’ve got someone who has prior experience with identity governance.

“If they don’t there’s a lot of learning that needs to be done through that journey. It comes back to that lack of awareness and education within a lot of companies about the value of what identity governance can actually do for them.

“It’s the chicken and egg scenario – they haven’t seen it before so they don’t think it can achieve the objectives or outcomes. You’ve got to educate them before they’re actually ready to move forward.”

For many organisations, compliance is the lever that gets identity governance over the line.

“If they’re missing or failing compliance audits, that’s when [they say] ‘we have to get this done’.”

He recommends three key steps for building a compelling business case:

  • Understand your cybersecurity objectives and frameworks

“Map those key framework controls back to how they link to an identity security platform… that will help you articulate back to the business why you need to invest.”

  • Engage with other departments

“Go and talk to the CFO, go and talk to the head of risk. Understand their challenges. Look at how you can map them back to an identity security platform.”

  • Quantify the value

“Sit down and understand what your current processes look like and what they are costing you today. If you were to put in a new identity security platform, what savings can be achieved?”

Even if the investment is net neutral, Dickinson says most business leaders will support a project that accelerates operations.

“Most business owners go ‘That’s great, so we’re going to do a security project that’s net neutral when most others cost a lot of money!’”
