Presented by Cisco
Enterprise security is having an identity crisis. Attackers aren’t going after zero-day exploits on a server or an operating system; instead, the vast majority of security breaches are happening in a surprisingly low-tech wave of identity compromise via social engineering.
“Con men, and social engineering, have been around for a long time,” says Matt Caulfield, VP of product, identity at Cisco. “The oldest trick in the book is sneaking in by putting on a construction vest and walking in the front door, and this is essentially the same thing. You trick someone into giving you access to their account, and use it to get all the access that they have, as far as you can go.”
Consider spearphishing, which once meant laboriously researching a few high-value targets. With AI, attackers can generate target lists, identify those targets’ nearest relatives, and fire off convincing emails and texts at scale — multiplying their odds, even for attackers who are not fluent in the target’s language.
However, there’s a clear disconnect between awareness and execution in the enterprise. Cisco Duo’s 2025 State of Identity Security report found that 51% of organizations have suffered financial losses from identity-related breaches. So why do 74% of IT leaders admit that identity security is an infrastructure-planning afterthought?
“It’s a fundamentally hard problem to solve,” Caulfield says. “Identity security is unique in that it combines social aspects, and a psychological aspect, with a technical aspect. Over time, just as their targets get better at defending themselves, attackers get better at attacking their targets. And while we know how to prevent identity breaches entirely, most of those mechanisms have been incredibly expensive and difficult to scale, from an operational perspective.”
But strong identity and access management (IAM) is no longer optional — it must actually be the foundation of enterprise security, rather than just one pillar, especially as AI agents gain a foothold in organizations as a third class of users, without any of the restraints or guardrails that humans presumably have.
A new definition of zero trust
Today you can’t trust users just because they’re on the network, or coming from a corporate device; you can only establish trust through strong cryptographic identity authentication. That shifts trust from the network over to identity systems that authenticate the user. And since a zero-trust system is just going to enforce what the identity system tells it to, identity has to be the foundation of an enterprise security process — keeping systems safe, humans from being hijacked, and AI agents performing only the actions they’re meant to take.
If that authentication and authorization step is wrong, then it doesn’t matter how good your network access control is. However, traditional second-factor and multi-factor authentication is no longer enough: an SMS code, a call-back number, or even a verified push notification can all be phished, intercepted, or approved by a user who has been tricked into doing so.
“Only one in three leaders trust their current identity providers to stop identity-based attacks. Just because you’re doing identity doesn’t mean you’re doing identity securely,” Caulfield explains. “Phishing-resistant authentication is the new gold standard, where a user cannot be tricked into giving away the keys to the kingdom. They would need to literally be at your desk with you, while you’re using your laptop, in order to take over your account.”
However, until now, phishing-resistant MFA approaches have either been too complex or too expensive to implement. While 87% of leaders believe phishing-resistant MFA is critical to a security strategy, only 19% of companies have deployed FIDO2 tokens, which are a standard way to achieve phishing-resistant MFA. Hardware tokens are often reserved for privileged users, and adoption often stalls there because of token management complexity (what happens when a token is lost, for example?), the expense and complications of training, and the plain cost of creating and distributing a hardware solution.
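What makes FIDO2 "phishing-resistant" is not the token itself but the checks the relying party performs on every login: the browser records which origin the user was actually on, the authenticator signs over a hash of the site's identifier, and a one-time challenge plus a monotonic sign counter block replays and cloned keys. The following Python is an added illustration of those relying-party checks and is not Cisco, Duo, or FIDO Alliance code; the relying-party name `example.com`, the challenge, the assertion bytes, and the HMAC "signature" are all constructed for the demo (a real deployment verifies an ECDSA/RSA signature with the public key stored at registration, and `verify_sig` is the hook where that goes).

```python
"""Relying-party checks that make a FIDO2/WebAuthn assertion phishing-resistant.

Added illustration, not vendor code. All inputs below are constructed for the
demo; the signature scheme is an HMAC stand-in for the public-key check a real
relying party performs with the credential's registered public key.
"""
import base64
import hashlib
import hmac
import json
import struct

FLAG_UP = 0x01  # authenticatorData flag: user present (touched the token)
FLAG_UV = 0x04  # authenticatorData flag: user verified (PIN/biometric)


def verify_assertion(rp_id, expected_origin, expected_challenge, stored_sign_count,
                     client_data_json, authenticator_data, signature, verify_sig):
    """Return (ok, reason, new_sign_count) for one WebAuthn 'get' ceremony."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type", stored_sign_count
    # The challenge was minted by the server for this login only, so a captured
    # assertion cannot be replayed against a later session.
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (possible replay)", stored_sign_count
    # The browser, not the page, writes 'origin'. A user lured to a look-alike
    # site produces an assertion stamped with that site's origin, which fails here.
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: assertion was produced on another site", stored_sign_count
    # authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | ...
    if len(authenticator_data) < 37:
        return False, "authenticator data too short", stored_sign_count
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch: credential scoped to a different RP", stored_sign_count
    if not flags & FLAG_UP:
        return False, "no user presence: a physical touch is required", stored_sign_count
    # A counter that does not move forward suggests a cloned authenticator.
    if stored_sign_count and sign_count <= stored_sign_count:
        return False, "sign counter did not increase (cloned authenticator?)", stored_sign_count
    # The authenticator signs authenticatorData || SHA-256(clientDataJSON), so the
    # origin and challenge are covered by the signature and cannot be edited.
    signed_data = authenticator_data + hashlib.sha256(client_data_json).digest()
    if not verify_sig(signed_data, signature):
        return False, "bad signature", stored_sign_count
    return True, "ok", sign_count


# --- Constructed demo material (stand-ins, not real credentials) -------------
DEMO_KEY = b"constructed-demo-authenticator-key"  # stand-in for a private key


def demo_sign(signed_data):
    # HMAC stands in for the authenticator's ECDSA signature in this demo.
    return hmac.new(DEMO_KEY, signed_data, hashlib.sha256).digest()


def demo_verify(signed_data, signature):
    return hmac.compare_digest(demo_sign(signed_data), signature)


def make_authenticator_data(rp_id, flags, sign_count):
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def make_client_data(challenge, origin):
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


CHALLENGE = base64.urlsafe_b64encode(b"constructed-challenge-0001").rstrip(b"=").decode()


def run_demo(origin_seen_by_browser, stored_sign_count=6):
    """Simulate a login where the browser observed the given origin."""
    auth = make_authenticator_data("example.com", FLAG_UP | FLAG_UV, 7)
    cd = make_client_data(CHALLENGE, origin_seen_by_browser)
    sig = demo_sign(auth + hashlib.sha256(cd).digest())
    return verify_assertion("example.com", "https://example.com", CHALLENGE,
                            stored_sign_count, cd, auth, sig, demo_verify)


if __name__ == "__main__":
    print("legitimate site :", run_demo("https://example.com"))
    print("look-alike site :", run_demo("https://example-login.net"))
    print("stale counter   :", run_demo("https://example.com", stored_sign_count=7))
```

The contrast with SMS codes and push approvals is in the `origin` and `rpIdHash` checks: a one-time code can be typed into any page that asks for it, whereas a FIDO2 assertion is bound to the site the browser was really on and to the relying-party identifier baked into the credential, so a relayed assertion from a look-alike domain fails before the signature is even examined.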
Security as an enabler
Awareness of identity security is growing, Caulfield adds, with 82% of financial decision-makers increasing budgets for identity security. But security can’t be treated as an add-on, because that results in tool sprawl, which brings extra cost, complexity, and misalignment, along with reduced visibility overall. To address that head-on, 79% of leaders are exploring identity vendor consolidation, which sharply cuts the operational drag of tool proliferation.
Integrated tools that offer interoperability in multi-cloud environments offer strategic simplification that not only reduces costs and increases security, but improves organizational efficiency for IT and end users.
“Identity management and security is not just a necessary evil, it’s an enabler for a workforce and for customers interacting with a business. It’s as much a security concern as it is a productivity and IT concern,” he says. “Phishing-resistant authentication is that easy button to get to the identity-first approach to security that makes it work.”
Learn how Duo and Cisco Identity Intelligence are helping global teams make sense of the complex identity landscape: Download Cisco Duo’s report, The 2025 State of Identity Security: Challenges and Strategies from IT and Security Leaders.
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact sales@venturebeat.com.