Cybersecurity

  • The Risk: Nonhuman Identities

    The number of nonhuman identities such as API keys, OAuth tokens, and service accounts has grown dramatically, and those credentials pose a significant risk as adversaries can use them to compromise core systems and steal sensitive data. The scale of the challenge is big; the number of nonhuman identities—also called machine identities—typically outstrips the number of human identities in larger enterprises.

    Enterprises frequently lack visibility into those identities to track their creation, usage, and access privileges. Managing nonhuman identities is considerably different than traditional human identity and access management (IAM), as nonhuman identities have different lifecycles, workflows, and policies.

    This issue is something that established players and a collection of startups in IAM, privileged access management (PAM), and cloud infrastructure entitlement management (CIEM) are looking to solve. Astrix Security announced a Series A round of funding in mid-2023, Clutch Security recently came out of stealth, and Oasis Security announced an A round in January 2024.

    Understanding Interest in Managing Nonhuman Identities

    In looking at what people sought in machine identity management in various TechTarget resources, some interesting data pops out:

    • About 20% of the people looking were from IT security, while about 80% were spread across responsibilities including IT systems management, IT infrastructure and cloud operations, application development, and so forth.
    • 80% of the people searching came from organizations with more than 1,000 employees.

    The interest in nonhuman identity management is shared across many disciplines, the largest of which is the security team. This is a ground-up phenomenon driven by staff, managers, and directors. And while the interest in nonhuman identity management is large and growing, the biggest interest is in midmarket (1,000-10,000 employees) and large (10,000-plus employees) enterprises.

    There are plenty of smaller, tech-forward companies that are looking at this—about 20% of the organizations have fewer than 1,000 employees—but the volume of the interest comes from bigger organizations researching the topic.

    Diverse Interest in Nonhuman Identity Management

    IT security teams have frequently been criticized for managing last year’s security risks rather than working with peer functions and lines of business to counter emerging risks to the business. When new technology comes along, the IT security team can be behind the curve in collaborating across the organization with constituencies like IT operations or DevOps partners to address new risks—with DevSecOps frequently a dream rather than a reality. And security teams have been criticized in the past for hindering business innovations in pursuit of controlling risk. The diverse interest in nonhuman identity management might signal that dynamic is changing, with the security teams actively collaborating with adjacent IT functions to get ahead of the nonhuman identity management challenge. Nonhuman identity management is a dynamic space. If you are involved in managing nonhuman identities and want to exchange ideas, give me a shout to share what you are doing.

    All data from this blog are from TechTarget Buyer Intent Data, based on aggregated audience activities over the 3-month period between January 2024 and March 2024, submarket: Machine Identity Management.

  • In today’s rapidly evolving cybercrime landscape, cyber-risk management and threat prevention are key for effective cloud threat detection and response practices. However, recent research by TechTarget’s Enterprise Strategy Group found that the speed and scale of modern development cycles present unique challenges for the security teams tasked with protecting their organizations’ valuable cloud assets.

    Already an Enterprise Strategy Group client? Log in to read the full report.
    If you are not yet a Subscription Client but would like to learn more about accessing this report, please contact us.
  • As cloud adoption increases across industries, organizations are investing in cloud detection and response (CDR) tools and technologies to protect the business-critical applications running in cloud environments. Recent research by TechTarget’s Enterprise Strategy Group revealed that organizations face myriad challenges in this endeavor, with spending plans and new feature deployments on the horizon to deal with them.

  • After working for 17 years in IT, I had a huge personal epiphany: I discovered cybersecurity is my passion and wanted to exclusively pursue that in my career going forward. Let me explain how I had this seminal moment.

    As early as I can remember, I’ve always loved technology—especially anything involving computers. I started my professional career in the mid-1990s working in the channel for a boutique systems integration firm in Houston providing technology solutions to Fortune 2000 companies. In my first role, I was a developer building enterprise applications. These were the early days of client-server architecture, where I developed new applications that replaced older legacy systems. Daily discussions of Java, relational databases, and multithreading were commonplace.

    Life was great for a few years until my company decided to spin out that part of the business. Fortunately for me, I was able to transition into a network engineering role within the company. I established net-new local area networks for clients, managed existing networks, and occasionally got the opportunity to set up a new firewall here and there. Equipped with years of hands-on technical experience under my belt, I moved into a technical pre-sales role, working closely with account executives selling various technology solutions to clients. In my final channel role after moving to the San Francisco Bay Area, I managed a team of network engineers and oversaw successful professional service delivery for the West region.

    In 2013, an opportunity presented itself to join an early-stage Silicon Valley cloud security startup, which I enthusiastically jumped headfirst into—it’s a requirement to work for a startup at least once if you live in the Bay Area, right? In that role, I became educated on the security market landscape and the challenges and use cases security vendors were addressing. Product vendors solving real-world security challenges were and still are extremely interesting to me. This was my lightbulb moment! It was at that point that I realized I wanted to exclusively pursue security in some capacity going forward in my career.

    After learning a lot about securing cloud resources and wearing multiple hats, I left the startup world behind to join the competitive and market intelligence team at Tenable, where I became an expert in all things vulnerability management. I supported the sales team in winning deals, advised product management on key roadmap capabilities, features, and use cases, and also identified opportunities for partnerships and acquisitions. I spent over three years at Tenable until their IPO in 2018.

    From there, I moved into a market intelligence role at Synopsys, where I was responsible for tracking the broader market landscape, discovering inorganic growth opportunities. I also helped them broaden their application security portfolio in building business cases for the acquisitions of three security companies: Tinfoil Security in 2020, Code Dx in 2021, and WhiteHat Security in 2022.

    The Move to ESG

    Over the years, I’ve had the good fortune to get to know many well-respected industry analysts who cover the security space. I have admired and appreciated their data and reports, which were critical to me for understanding the direction of the market. So, with over 10 years of experience working for security vendors in addition to my broad technical background, it was a natural fit to transition to an industry analyst role myself.

    I am excited to join TechTarget’s Enterprise Strategy Group because it provides an opportunity to leverage my existing knowledge of the security landscape while also assisting vendors at the same time. From my time working on the vendor side, I keenly understand the dynamics of the security market and the challenges that vendors face at different maturity levels, and I look forward to conducting new research.

    My core coverage areas include vulnerability and risk management, with my first research projects focused on risk management coming soon—stay tuned! I’ll also be assisting with adjacent areas, including application security, cloud security, and API security, since I have deep expertise with those areas as well. I’m looking forward to working with clients and engaging with companies in the space. If you’d like to get in touch to learn about Enterprise Strategy Group research and how we may be able to help, you can reach me on LinkedIn or send an email to [email protected].

  • Working in cybersecurity for the past 20-plus years has been satisfying because I enjoy helping enterprises to secure their infrastructure and stop bad actors from perpetrating their nefarious deeds. I also love cybersecurity because of the dynamism; the enterprise attack surface is always in flux as businesses grow and deploy new applications, adversary attacks are always changing, and cybersecurity technologies are continually evolving to counter threats. I have excelled in product marketing by understanding a problem area and distilling down to its compelling essence: why a security team should change what they are doing, why change now, and why they should use my approach to implement that change.

    Understanding the customer problem, creating that sense of urgency so your problem bubbles to the top, and differentiating the solution poses an ongoing challenge to any product marketer. Enterprises have a laundry list of security challenges along with finite resources. Chief information security officers—CISOs—with constrained resources need to zero in on those projects that have the most impact and ROI. The security vendor challenge lies in cutting through the market noise with clear and concise messaging so that the problem you solve makes the short list of projects, and that your offering makes the short list of solutions being evaluated to solve a CISO’s problem.

    The through line in my journey is cybersecurity product marketing—getting inside the security team’s heads, understanding their pain, and how to message around solving that pain. I have worked my way from product manager to product marketing manager to product marketing director and vice president of product marketing and vice president of marketing. I can empathize with today’s product marketing challenges because I have experienced them.

    My Background

    Following college, I landed at Oracle Corporation in Unix technical support, and then combined my Oracle experience with a UCLA MBA to land at Hewlett Packard Company. I had various roles at HP that exposed me to B2B marketing and the IT sales process.

    My cybersecurity journey started at Trend Micro, where I started off leading field marketing in Latin America—sí, hablo español!—and ended up leading the team marketing data center security products. I subsequently gravitated to smaller startups focused on data security. I landed at Vormetric, now part of Thales, where I learned about encryption and key management technology and gained an appreciation of data security complexity. There are typically tradeoffs in different vendor approaches to meeting enterprise data security requirements, and providing information to educate on those nuances for sophisticated buyers makes the difference between vendor success and failure. I then got the startup bug and led marketing at PrivateCore—a seed round startup, acquired by Facebook—working to establish a new category that is now known as confidential computing.

    Opportunity came knocking at Nok Nok Labs, a founding member of the FIDO—Fast IDentity Online—Alliance, where I learned about identity and access management (IAM) and met many of the “identerati,” the experts and thought leaders that share and define the way we manage identities online. My tenure was during the early days of FIDO; it is gratifying to see how passwordless authentication has grown and passkeys are taking off.

    My product marketing journey also took a plunge into the managed detection and response (MDR) space, where I was part of the product marketing team at Arctic Wolf Networks, and I subsequently landed at ReliaQuest, where I was responsible for product marketing around the core ReliaQuest GreyMatter security operations platform. While the MDR managed security service provider (MSSP) space was growing exponentially, all vendors were challenged in overcoming market confusion and navigating the hodgepodge of terms describing the space—MDR, MSSP, SOC as a service, managed XDR, co-managed SIEM, and so forth.

    Value From Industry Analysts

    I have briefed industry analysts throughout my journey as I established and tuned my messaging, educated the market, and helped drive demand. The analyst community provides an essential perspective for both vendors and enterprises that consume vendor products. Cybersecurity is always changing with a frequent risk of cybersecurity myopia. Industry analysts have helped me to understand the big picture and industry trends. They also helped me to optimize my message and skate to where the hockey puck was going—h/t to Wayne Gretzky.

    The analyst community has also helped me educate the market and generate demand for my products; enterprise customers want the insightful and credible research that analysts produce so they can understand trends, see what their peers are doing, and make informed technology decisions.

    The Move to ESG

    TechTarget’s Enterprise Strategy Group analysts have distinguished themselves with exceptional and discerning research and commentary. In my experience, they have represented the gold standard in what industry analysts can provide. Enterprise Strategy Group’s acquisition by TechTarget further increases their reach and influence, delivering useful research to buyers who are considering solutions. I’m very proud to join a stellar team.

    I am excited to land as an industry analyst at Enterprise Strategy Group because it allows me to analyze the industry big picture. Working for a vendor requires you to dive deeply into your technology and the market, but you are seeing your slice of the market. Analysts have the opportunity to talk to all of the vendors and understand what is happening at a macro level.

    While change is endemic to cybersecurity, I also found painful inertia in the marketplace. A regular occurrence when reading sales win/loss reports was seeing “decision postponed” as the most frequent reason for losing a deal. The biggest marketplace competitor at every place I worked was inertia. My frustration button lights up when reading news headlines about this data breach or that compliance fine knowing that there are solid solutions in the market that could have avoided catastrophe. The analyst research that Enterprise Strategy Group produces helps inform the market and facilitate change and improvement.

    My coverage area at Enterprise Strategy Group is IAM and data security, both of which are undergoing incredible change as data proliferates and identities evolve. Exploring concepts such as identity as the new perimeter, zero-trust architectures, identity threat detection and response, privacy and data sovereignty, data security posture management, and applying generative AI across IAM and data security are a few of the reasons why my coverage area is particularly exciting. I am looking forward to reconnecting with old acquaintances and making new ones. If you are an innovator in IAM or data security, I want to understand what you are doing! You can reach me on LinkedIn or send an email to [email protected].

  • Todd Thiemann

    About

    Principal Analyst Todd Thiemann has over 20 years of experience in cybersecurity marketing and strategy. Todd helps clients understand emerging market trends, refine messaging, and distinguish themselves in the marketplace.

    Todd has spent most of his career leading cybersecurity marketing and product marketing at category leaders including ReliaQuest, Arctic Wolf Networks, Vormetric (now Thales), Nok Nok Labs, and Trend Micro, where he helped articulate compelling messaging and executed successful go-to-market strategies. He holds a BS from the School of Foreign Service at Georgetown University in Washington, DC and an MBA from the UCLA Anderson School of Management in Los Angeles.

    Areas of Expertise

    • Agentic AI
    • Data Loss Prevention
    • Data Security Posture Management
    • Encryption & Key Management
    • Identity & Access Management (IAM)
    • Identity and Data Security for AI
    • Identity Governance & Administration
    • Identity Security Posture Management (ISPM)
    • Identity Threat Detection & Response (ITDR)
    • Non-human Identity Management
    • Privileged Access Management

    “A significant challenge in cybersecurity is overcoming enterprise inertia—identity and data protection solutions need to deliver change providing greater control, automation, and scale.”

    Todd Thiemann
    Principal Analyst

    Research Report

    The State of Identity Security: Opening Doors for the Right Entities and Locking Out the Bad Actors

    Organizations continue to rely on identities that are susceptible to compromise, abuse, misuse, and theft. Risk is compounded by over-permissive, static access rights that provide little to no visibility into access trends or, most importantly, who is accessing what and how they are doing so. Despite the transformation to a dynamic, amorphous perimeter, a multitude […]

    Todd Has Appeared In

    CSO
    The New York Times
    Dark Reading
    ComputerWorld
    CFO
    InfoWorld
  • This Complete Survey Results presentation focuses on 2024 IT budget expectations, technology initiatives and priorities, year-over-year spending changes (overall and by different technologies), cloud usage trends, and how digital transformation initiatives intersect with these considerations among organizations with fewer than 100 employees.

  • 2024 Technology Spending Intentions Survey

    While macroeconomic conditions have improved over the last several months, many businesses are still taking a cautious approach to spending. However, for many organizations, this is not an option when it comes to technology investments that underpin digital transformation efforts and increasingly serve as competitive differentiators.

    To learn more about these trends, download the free infographic, 2024 Technology Spending Intentions Survey.

  • The endpoint device is the first link in the chain that connects a user to their work. In today’s typical corporate environment, IT organizations are tasked with supporting multiple endpoint devices per user across a range of hardware form factors and operating systems. In turn, acquisition, deployment, and ongoing management efforts are affected by this sprawl.

    To learn more about these trends, download the infographic, Endpoint Device Trends: Evaluating a Shifting Desktop and Laptop Procurement and Management Landscape.

  • Operationalizing Encryption and Key Management

    This Complete Survey Results presentation focuses on the usage and understanding of the full capabilities of encryption and key management solutions, as well as the cyberthreats and attack vectors that are driving an increased focus on encryption and key management strategies.

  • 2024 Technology Spending Intentions Survey

    While macroeconomic conditions have improved over the last several months, many businesses are still taking a cautious approach to spending. However, for many organizations, this is not an option when it comes to technology investments that underpin digital transformation efforts and increasingly serve as competitive differentiators. With this in mind, TechTarget’s Enterprise Strategy Group surveyed 938 senior IT and business decision-makers to ascertain IT budget outlooks for 2024, both overall and for specific technologies, and to determine the key business and technology priorities driving these spending plans. Survey respondents were employed at midmarket (100 to 999 employees) and enterprise-class (1,000 employees or more) organizations in North America, EMEA, APAC, and Latin America. All respondents were personally responsible for or familiar with their organization’s 2023 IT spending, as well as their 2024 IT budget and spending plans at either an entire organization level or a business unit/division/branch level.

  • Fostering a strong cybersecurity culture is easily recognized by those in the profession as a foundational element of creating a robust security posture. However, recent research by TechTarget’s Enterprise Strategy Group and the Information Systems Security Association (ISSA) found that many CISOs believe that most firms have a long way to go in establishing appropriate cybersecurity cultures within their organizations.
