Sean Deuby | Principal Technologist, Americas

As organizations expand their digital ecosystem, they recognize that cloud security solutions, although valuable, aren’t a standalone cure-all. In today’s sprawling hybrid identity environments, cloud security is inseparable from your on-premises business architecture. Ensuring the resilience of those interconnected systems involves a great deal of complexity and configuration—especially related to identity security posture management, where many organizations still fall short.

“Identity is the core of cybersecurity, but businesses typically don’t know where they stand,” said Maarten Goet, chief threat officer at Wortell, when I spoke to him at Hybrid Identity Protection Conference (HIP Conf) a few years ago. “They lack clear insights on who has what rights, what systems are in place, and how things are connected or disconnected. Establishing their current identity posture is their chief concern. Without that, they can’t define a strategy or roadmap.”

His insight is compelling. As an 18-year Microsoft MVP and Microsoft Security MSSP of the Year, Goet understands that to be effective, identity security must embrace the full complexity of our constantly evolving hybrid environments. The need to comprehend that complexity has only increased since our conversation.

Pursuing cybersecurity maturity and a strong security posture requires more than flipping a switch. Let’s take a look at some key insights from my conversation with Goet that can guide you to a deeper understanding of your identity environment—and provide a foundation for building a resilient identity security posture.

Identity security is evolving

When Microsoft introduced Entra ID in 2022, the move represented an accelerating trend not only in hybrid identity security but also in the broader cybersecurity sector.

“What everyone’s figured out is that identity isn’t just about directories, and access isn’t just about the network,” says Goet. “Our security challenges have grown broader, and we need broader solutions. We need to adopt an integrated approach that establishes identity as a trust fabric for the digital ecosystem.

“That’s the bigger goal over time. Secure access for every employee, microservice, database, and sensor.”

Manage identity security posture from all angles

No two organizations are exactly alike, even those operating within the same industry. Although some best practices are broadly applicable, you must build a unique approach to your organization’s identity security. More important, you must consider how your decisions affect your ecosystem and attack surface.

Comprehensive identity threat detection and response (ITDR) solutions are incredibly valuable. Through machine learning, they establish a baseline for normal behavior in your environment, identify suspicious activity, and automate risk detection and remediation for most identity-based risks. This is something that traditional security solutions have been unable to easily account for.

Yet even this represents only a partial solution.

“Technology is only one piece of the identity security puzzle,” explained Goet. “You also need processes in place. You need a strategy. You need to ensure your people are trained and that you can keep up with changing priorities and circumstances.”

Complexity and technical debt put enterprises at a disadvantage

The security space has changed dramatically over the past several years. Passwordless authentication is arguably the most significant leap forward, offering a streamlined and secure alternative to outdated credential-based logins. Yet, for all its benefits, businesses (in particular, large enterprises) have been slow to adopt passwordless authentication.

“Small to midsized companies tend to be quite a bit more agile, as their environments are less complex,” said Goet. “This allows them to adopt passwordless authentication through solutions like Windows Hello much more readily. In larger enterprises, there are simply too many other factors in play—endpoints and legacy systems that make it challenging to deploy any new technology.”

Security posture scoring metrics are valuable—but only in context

Microsoft Secure Score, a metric for assessing overall security posture, can provide your organization with valuable guidance on where to focus your efforts. However, you shouldn’t make the mistake of applying such frameworks without context. These frameworks shouldn’t be the only means by which you measure success.

In my experience, metrics reporting solutions can be misleading. Many of them fail to account for configuration differences, for instance. I’ve found the Identity Secure Score particularly frustrating because it never accounted for some of the security controls I had implemented.

“Security scoring is a stepping stone,” Goet agreed. “The real challenge lies in how you interpret it, how it fits your environment, and how it applies to your broader strategy. These scores and measures are built for a perfect world and relate to perfect settings. But your environment isn’t perfect.

“The other thing I find misleading about security scores is that they seem finite,” he continued. “Security is an ongoing process that takes time, money, effort, and focus. It doesn’t end once you reach an arbitrary benchmark.”

Never underestimate the value of a secure identity foundation

Where cybersecurity is concerned, too many businesses try to reinvent the wheel. They assume the only way to contend with modern threat actors is through bleeding-edge security solutions. The reality is that most threat actors aren’t unstoppable black hats—they’re opportunists looking for misconfigured and outdated systems.

“Just having basic security configurations in place can greatly harden your identity security posture,” said Goet. “I always recommend that clients get their security defaults established. It’s something that helps a lot before a business steps into broader, more sophisticated solutions like SIEM.”

Permissions management and identity security posture management go hand in hand

Permissions represent the most crucial factor in managing and securing an organization’s identity landscape. What systems can users access, and what can they do with that access? These are the questions every identity security strategy seeks to answer.

“Permissions management is the key to modern identity security,” explained Goet. “It provides a unified view of permissions and identities across any cloud. It gives you insight into every cloud environment—what’s happening, who’s involved, and whether there’s anything you should be concerned about.

“From that point, it helps you automate Least Privilege access,” Goet continued. “You can then right-size permissions based on historical usage data and real-time monitoring. That’s the end goal: ensuring people have only the permissions they absolutely need.”
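As an added illustration of the right-sizing idea Goet describes (this is example code written for this article, not code from Wortell, Microsoft, or any permissions-management product), the block below compares the permissions granted to each identity against those actually exercised in a constructed audit log, proposes removal of unused high-impact permissions, and refuses to auto-remove anything when the log covers too short a window to trust an "unused" verdict. The identity names, permission strings and log entries are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from any real tenant): permissions granted per identity.
GRANTED = {
    "svc-backup": {"storage.read", "storage.write", "kv.secrets.read", "rbac.roleassign.write"},
    "alice": {"storage.read", "vm.start", "vm.delete"},
}

# Constructed audit log: (timestamp, identity, permission actually exercised).
USAGE_LOG = [
    ("2024-05-01T02:00:00", "svc-backup", "storage.read"),
    ("2024-05-01T02:05:00", "svc-backup", "storage.write"),
    ("2024-05-28T02:00:00", "svc-backup", "storage.read"),
    ("2024-05-20T09:12:00", "alice", "vm.start"),
]

# Permissions treated as high-impact; when unused they are the first to remove.
HIGH_IMPACT = {"rbac.roleassign.write", "vm.delete", "kv.secrets.read"}


def rightsize(granted, usage_log, now_iso, window_days=90, min_observed_days=60):
    """Compare granted permissions with those exercised inside the window.

    Returns {identity: {"keep": set, "remove": set, "review": set}}.
    Used permissions are kept; unused high-impact ones are proposed for removal;
    other unused ones are queued for human review. If the log covers fewer than
    min_observed_days, nothing is removed automatically, because a short window
    cannot distinguish a dead permission from one used for quarterly tasks.
    """
    now = datetime.fromisoformat(now_iso)
    start = now - timedelta(days=window_days)
    used = defaultdict(set)
    first_seen = now
    for ts, ident, perm in usage_log:
        t = datetime.fromisoformat(ts)
        if start <= t <= now:
            used[ident].add(perm)
            first_seen = min(first_seen, t)
    enough_history = (now - first_seen).days >= min_observed_days
    result = {}
    for ident, perms in granted.items():
        unused = perms - used[ident]
        remove = unused & HIGH_IMPACT if enough_history else set()
        result[ident] = {
            "keep": perms & used[ident],
            "remove": remove,
            "review": unused - remove,
        }
    return result
```

Run with a `now_iso` of `"2024-07-15T00:00:00"` to see the high-impact permissions of `svc-backup` proposed for removal, and with `"2024-06-01T00:00:00"` to see the same permissions held back for review because only about a month of log is observed.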

Continue exploring: Survey the broader landscape

Your business never stops evolving. Your identity security must keep pace. But for any enterprise, mapping your cybersecurity objectives can’t happen in a vacuum. Your identity security posture encompasses all the activities, technologies, people, and processes that make it possible for your organization to not only prevent cyber incidents but also recover—with resilience.

That’s why it’s important for your security team to periodically redefine what identity security means to your organization. Events such as HIP Conf bring together the world’s leading identity protection experts, put you in touch with current trends and solutions, and foster rich conversations to help you solve complex cybersecurity challenges.

Visit the HIP site to browse resources. And consider registering yourself and your team to attend HIP Conf 2025 in Charleston, South Carolina, in October.
