Why the Board Should Care About Identity Vulnerabilities

October 14, 2024

I've spent over 20 years in the cybersecurity industry as an operator, investor, and board member, watching the threat landscape evolve and become more sophisticated. Today, I'm writing to address a critical issue that doesn't often get the attention it deserves at the board level: identity vulnerabilities, including non-human identities such as service accounts.

The risks associated with unmanaged identity vulnerabilities and non-human identities are directly tied to the company's overall security and, consequently, to its financial and reputational standing.

We all know that cybersecurity today is much more than an IT issue; it is a business risk. Ignoring identity vulnerabilities can lead to catastrophic breaches, like those we have seen at major companies and government institutions. Such incidents have shown that hidden, unmanaged identities are an easy gateway for attackers, which makes service account oversight an essential topic for the board.

Boards must shift their perspective and treat identity security posture management (ISPM) as a critical part of the company's overall risk management strategy. When identity vulnerabilities are overlooked, organizations risk non-compliance, data breaches, and operational disruptions, all of which come with heavy costs.

By empowering CISOs and supporting identity initiatives, boards can help ensure that their organizations maintain a resilient, secure posture in the face of evolving threats.

Identity Vulnerabilities: An Overlooked Threat

The conversation around cybersecurity at the board level often focuses on headline-grabbing topics: ransomware attacks, phishing scams, and insider threats. Beneath the surface lies an often-unseen risk: identity vulnerabilities, especially those related to service accounts.

Service accounts are non-human accounts used by applications, systems, or devices to interact with one another. Unlike user accounts, they are often set up quickly to enable automation, data transfer, or software integration, and they tend to remain in the system with elevated privileges long after the project that created them ends. These accounts are indispensable for day-to-day operations, but if left unmanaged they can create gaping holes in an organization's security.

One of the primary reasons these identity vulnerabilities are so dangerous is that they tend to be invisible to the people tasked with monitoring the company's security posture, such as IT managers or the CISO. Service accounts typically lack a named owner and are not tied to a particular employee, so tracking and managing them becomes a low priority. In fact, the Anetac ISPM Survey Report found that "44% of IT security professionals rely on manual logging for service account visibility, while 10% admit to no visibility measures at all." That finding highlights the need both to assign responsibility for managing service accounts and to provide a simple way to monitor them.

The Cost of Poorly Managed Service Accounts

Boards must understand that unmanaged or poorly managed service accounts can lead to significant breaches. In recent years, cybercriminals have increasingly targeted these accounts, recognizing their privileged access and their potential to slip through security cracks. Once an attacker takes control of a service account, they can move laterally within the network, extract sensitive data, or execute malicious actions without raising alarms, because the account's activity looks like the automation it was created for.

The SolarWinds breach is a stark illustration of the dangers associated with poorly managed service accounts. The initial foothold came through a trojanized software update, a supply-chain compromise, but what turned that foothold into access to email and cloud resources was the abuse of identities: stolen privileged credentials, forged authentication tokens, and credentials added to existing service principals that nobody was watching. Attackers used inactive and unmonitored accounts to move laterally across the compromised networks and gain access to sensitive resources. The impact was widespread, affecting numerous federal agencies, including the Department of Homeland Security, the State Department, and the Department of the Treasury. Major private-sector organizations also faced significant consequences.

This incident highlights the critical risks posed by unmanaged service accounts and the severe consequences that can arise when these identity vulnerabilities are overlooked.

Why Board-Level Attention Is Crucial

Cybersecurity is no longer just an IT issue; it is a business risk.
The board's role is to ensure the stability, growth, and profitability of the company, and cybersecurity plays a critical part in protecting those goals. Here are some key reasons why board-level attention to these vulnerabilities is crucial:

1. Connected Risk: Service accounts often carry connected risk to critical assets. In Anetac's Annual ISPM Survey Report, 76% of organizations admitted that service accounts have direct access to their crown jewels. That direct reach turns a single compromised account into a breach of the data that matters most, with the reputational damage that follows.

2. Elevated Access and Privileges: Service accounts often have high levels of access, sometimes higher than user accounts. A compromised service account can provide direct access to sensitive data, critical systems, or business functions.

3. Regulatory Compliance: Many regulatory frameworks, such as GDPR and HIPAA, require stringent access controls and audit trails, and the SEC's rule now requires public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material. Unmanaged service accounts can lead to non-compliance, potentially resulting in fines and legal action.

4. Risk Mitigation and Cost Avoidance: Addressing service account vulnerabilities proactively can prevent breaches that would otherwise cost millions in remediation, recovery, and reputational damage. This is especially important in an era when customers and shareholders are increasingly conscious of cybersecurity.

5. Sustaining Trust and Confidence: Board members must inspire confidence among investors, customers, and partners. Demonstrating a commitment to robust cybersecurity, including service account management, is a fundamental part of building and maintaining that trust.

CISOs Need Real Authority and Clear Oversight to Drive Change

To engage the board effectively, CISOs must emphasize how identity vulnerabilities, especially service accounts, pose substantial business risks, aligning their discussions with the board's focus on financial and reputational impacts.
Drawing on successful cases, CISOs should present identity security as integral to regulatory compliance, operational continuity, and customer trust.

Organizations must implement comprehensive discovery processes that identify every service account and map what each one can reach, including the chains of hosts and credentials that connect one account to another; an account with no direct access to sensitive systems may still reach them in two hops. This mapping is crucial for understanding the vulnerabilities associated with non-human identities and mitigating risk in an increasingly complex environment.

By clearly illustrating how unmanaged service accounts can lead to costly breaches, and by employing an Identity Security Posture Management (ISPM) solution, CISOs can make a compelling case for prioritizing identity management. Elevating the reporting structure so that identity security is directly accountable to the CISO further ensures that this critical area receives the attention and resources it deserves.

Bringing Identity Security into the Boardroom

It is no longer sufficient for cybersecurity discussions to reside solely within IT departments or with CISOs. Identity vulnerabilities, and specifically those arising from service accounts, require board-level awareness and support. The responsibility for securing an organization's digital assets lies with every level of the company, from individual employees to the C-suite and the board.

As board members, understanding how identity security affects the overall risk profile of your organization empowers you to make informed decisions. It allows you to ask the right questions, allocate resources effectively, and ensure that the organization is not exposed to preventable risks.

Identity vulnerabilities, particularly those related to service accounts, represent a significant risk that demands attention at the highest levels of every organization.
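The discovery and mapping step described above is the one place in this post where a concrete check is worth showing, so here is an added example; it is not part of the original post and not Anetac's product code. It runs an inventory audit over a constructed list of service accounts: the account names, hosts, field names and thresholds (90 days for dormancy, 365 days for password age) are all assumptions, and a real run would read the records from an Active Directory or cloud IAM export. Beyond the per-account hygiene checks, it walks the account-to-host-to-account graph so that an account with no direct access to a crown-jewel host is still flagged when it can reach one through credentials cached on an intermediate host.

```python
"""Service-account inventory audit (added example, not from the original post).

Every record below is constructed: names, hosts, field names and thresholds are
assumptions standing in for an AD or cloud IAM export, not any product's schema.
"""
from collections import deque

# Constructed inventory. "logs_on_to" lists the hosts where the account
# authenticates and therefore where its credential material (cached secrets,
# config files, scheduled tasks) is assumed to be present.
ACCOUNTS = [
    {"name": "svc_backup", "owner": None, "last_logon_days": 2,
     "pwd_age_days": 1460, "privileged": True, "logs_on_to": ["FS01", "DB01"]},
    {"name": "svc_etl", "owner": "data-eng", "last_logon_days": 1,
     "pwd_age_days": 60, "privileged": False, "logs_on_to": ["APP02"]},
    {"name": "svc_legacy_crm", "owner": None, "last_logon_days": 400,
     "pwd_age_days": 2200, "privileged": False, "logs_on_to": ["APP02", "CRM01"]},
    {"name": "svc_monitor", "owner": "sre", "last_logon_days": 0,
     "pwd_age_days": 30, "privileged": False,
     "logs_on_to": ["FS01", "APP02", "DB01", "CRM01"]},
]

# Hosts the business would call crown jewels (constructed).
CROWN_JEWELS = {"DB01", "CRM01"}


def audit_account(acct, max_dormant_days=90, max_pwd_age_days=365):
    """Per-account hygiene findings; the thresholds are assumed policy values."""
    findings = []
    if not acct["owner"]:
        findings.append("no owner")            # nobody to answer for it
    if acct["last_logon_days"] > max_dormant_days:
        findings.append("dormant")             # unused but still enabled
    if acct["pwd_age_days"] > max_pwd_age_days:
        findings.append("stale password")      # never rotated
    if acct["privileged"]:
        findings.append("privileged")          # high blast radius if taken
    return findings


def hosts_by_account(accounts):
    return {a["name"]: set(a["logs_on_to"]) for a in accounts}


def accounts_by_host(accounts):
    """Inverse index: which accounts have credential material on each host."""
    index = {}
    for a in accounts:
        for host in a["logs_on_to"]:
            index.setdefault(host, set()).add(a["name"])
    return index


def reachable_hosts(start, accounts):
    """Hosts an attacker holding `start` could reach by hopping through the
    credentials of every other account present on each host taken so far
    (breadth-first search over the account -> host -> account graph)."""
    a2h = hosts_by_account(accounts)
    h2a = accounts_by_host(accounts)
    seen_accounts, seen_hosts = {start}, set()
    queue = deque([start])
    while queue:
        acct = queue.popleft()
        for host in a2h.get(acct, ()):
            if host in seen_hosts:
                continue
            seen_hosts.add(host)
            for other in h2a.get(host, ()):
                if other not in seen_accounts:
                    seen_accounts.add(other)
                    queue.append(other)
    return seen_hosts


def crown_jewel_exposure(accounts, crown_jewels):
    """For each account, crown-jewel hosts it reaches directly versus only
    through lateral movement. The second set is the connected risk that a
    permissions report alone will not show."""
    a2h = hosts_by_account(accounts)
    report = {}
    for a in accounts:
        direct = a2h[a["name"]] & crown_jewels
        total = reachable_hosts(a["name"], accounts) & crown_jewels
        report[a["name"]] = {"direct": direct, "lateral_only": total - direct}
    return report


def run_audit(accounts=ACCOUNTS, crown_jewels=CROWN_JEWELS):
    """Combine hygiene findings with exposure into one row per account."""
    exposure = crown_jewel_exposure(accounts, crown_jewels)
    return {a["name"]: {"findings": audit_account(a), **exposure[a["name"]]}
            for a in accounts}


if __name__ == "__main__":
    for name, row in run_audit().items():
        print(f"{name:16} findings={row['findings']} "
              f"direct={sorted(row['direct'])} "
              f"lateral_only={sorted(row['lateral_only'])}")
```

In this constructed data, svc_etl has a named owner, a fresh password and no privileged flag, so a hygiene-only review passes it; the graph walk shows it reaches both crown-jewel hosts anyway, through the dormant and unowned svc_legacy_crm and the broadly deployed svc_monitor that share APP02 with it. That is the kind of interconnection a discovery process has to surface, and it is why the ownership and rotation findings matter for accounts that look harmless on their own.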
A proactive approach to managing these accounts, with visibility, continuous monitoring, and robust security controls, will help protect against breaches and demonstrate a commitment to maintaining a strong security posture.

As we move into a more interconnected and complex digital world, managing identity risk must be an essential part of your strategy, and that starts with board-level buy-in.

Timothy Eades Bio:

Timothy Eades, currently the co-founder and CEO of Anetac, has over 20 years of leadership experience in sales, marketing, and executive management. His expertise lies in driving high growth for computing, security, and enterprise software companies. Before his tenure at Anetac, Tim was CEO at vArmour. Prior to that, he was the CEO at Silver Tail Systems from March 2010 until the company was acquired by RSA, the security division of EMC, in late 2012. Before leading Silver Tail Systems, Tim was CEO of Everyone.net, an SMB-focused SaaS company that was acquired by Proofpoint. Tim has also held sales and marketing executive leadership positions at BEA Systems, Sana Security, Phoenix Technologies, and IBM. He holds advanced degrees in business, international marketing, and financial analysis, primarily from Solent University in England.