
Cybersecurity Awareness Month Comes to a Close — Has the Industry Truly Shifted to “Identity First”?

As October draws to a close, organizations worldwide are winding down campaigns marking Cybersecurity Awareness Month (NCSAM), an annual reminder to rethink our digital hygiene. But this year, the message landed in a very different place: no longer just about strong passwords and antivirus updates, but about who and what gets access.


A new emphasis: identity at the core


The theme for the 22nd edition of NCSAM underscored a stark reality: identities — both human and machine — are now the primary battleground. According to a recent article, more than 70 % of breaches involve misuse of identities, credential theft or the abuse of privileged accounts. The federal proclamation reiterated this urgency in a national context.


In this context, Rich Dandliker, Chief Strategy Officer at Veza, offered pointed language:


“Visibility has become the single most critical factor in cybersecurity resilience—and the shift to an identity-first defense is no longer optional. As Gartner predicts, ‘By 2028, 70 % of CISOs will leverage an Identity-Verification and Intelligence Platform (IVIP) to reduce their IAM attack surface.’
“The real threat isn’t the breach itself–it’s the invisible sprawl of permissions lurking inside systems like SharePoint.
“Continuous visibility across every identity—human and machine—is essential to enforce least privilege and stop credential-based intrusions before attackers gain persistence.
“Identity security is no longer an IT task—it’s a core security discipline demanding full-spectrum visibility, privilege control, and behavioral monitoring. The path of least resistance is no longer the network–it’s identity.”

This framing captures the shift: it’s not just layering one more firewall or deploying one more endpoint agent—it's about who can do what, and when and how they prove they’re allowed to do it.


So, what changed this month?


Though the month of October is over in calendar terms, its impact is measured in milestone shifts:


  • Campaigns aimed higher: Rather than only educating employees about phishing and strong passwords, many programs now include modules around authorization hygiene, service-account permission audits, machine-identity lifecycle and behavioral anomaly detection.


  • Infrastructure sector spotlight: This year’s awareness efforts were especially concerned with critical infrastructure and the small-to-medium businesses that support it. These organizations are often under-resourced yet under attack.


  • Metrics and measurement: Awareness isn’t just about training. Security teams are being asked to demonstrate identity metrics: how fast accounts are deactivated, how many service accounts sit orphaned, and how many anomalous behaviors are flagged.


  • Machine identity as attack vector: The lines between human logins and machine/service accounts continue to blur—research underscores that machine identities now sometimes outnumber human ones and pose a weak link.


But is the industry ready?


The rhetoric is shifting but many organizations remain in transition. Here are the key friction points:


  1. Visibility still fragmented: Many companies can monitor human user accounts, but fail to track service-accounts, automation scripts, or third-party identities. Dandliker’s warning about “invisible sprawl of permissions” hits home here.


  2. Least-privilege remains aspirational: It’s easier said than done to enforce just enough access. Legacy systems and proliferated roles often leave permissions beyond what’s needed—and attackers exploit exactly that.


  3. Behavioral monitoring not yet pervasive: Continuous identity verification and behavioral anomaly detection remain complex. Many firms lack dashboards or processes to turn “logged in as usual” into “did this make sense?”


  4. Identity vs. network mindset: Traditional security architecture focuses on networks, endpoints and firewalls. The ‘identity-first’ paradigm demands a mindset shift—to recognize that who has access is now more important than where access is coming from.


  5. Resource constraints: Smaller organizations, in particular, have limited staff and budget, making identity hygiene a heavier lift even while their risk remains high.


What happens after the month?


The end of October should not mean the end of momentum. Here’s how security teams can keep the ball rolling:


  • Embed identity metrics into dashboards: Monitor number of privileged accounts, orphaned accounts, time to de-provision, anomalous logins.


  • Automate identity lifecycle processes: Ensure that when an employee leaves or a service gets deprecated, access is promptly removed.


  • Audit non-human identities: Map service accounts, machine credentials, APIs, bots—treat them with the same scrutiny as human users.


  • Behavioral baselining: Build profiles of “normal” activity per identity and flag deviations—this includes human and machine.


  • Education shifted to role-based identity awareness: Training needs to include not just “watch out for phishing” but “here’s what happens if a service account goes rogue”.


  • Governance and review: Establish identity governance frameworks that span across teams—security, HR, DevOps—to maintain least-privilege access.
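The dashboard metrics listed above (privileged accounts, orphaned accounts, time to de-provision, non-human identities) can be computed from a single identity inventory. The following is an added example, not code from the article or from any vendor it quotes; the record fields, the 90-day staleness threshold and the inventory itself are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

NOW = datetime(2025, 10, 31, 12, 0)   # fixed "as of" time so results are reproducible
STALE_AFTER = timedelta(days=90)      # assumed threshold for an unused machine credential

# Constructed inventory: one record per identity, human or machine.
# owner_active=False means the responsible person or team has left or is unknown.
INVENTORY = [
    {"id": "alice", "kind": "human", "privileged": True, "enabled": True,
     "owner_active": True, "last_used": "2025-10-30T09:00", "left": None, "disabled": None},
    {"id": "bob", "kind": "human", "privileged": False, "enabled": False,
     "owner_active": False, "last_used": "2025-09-01T17:00",
     "left": "2025-09-01T18:00", "disabled": "2025-09-02T06:00"},
    {"id": "carol", "kind": "human", "privileged": False, "enabled": True,
     "owner_active": False, "last_used": "2025-10-01T16:00",
     "left": "2025-10-01T18:00", "disabled": None},
    {"id": "dave", "kind": "human", "privileged": True, "enabled": False,
     "owner_active": False, "last_used": "2025-10-10T12:00",
     "left": "2025-10-10T17:00", "disabled": "2025-10-13T17:00"},
    {"id": "svc-backup", "kind": "machine", "privileged": True, "enabled": True,
     "owner_active": False, "last_used": "2025-03-10T02:00", "left": None, "disabled": None},
    {"id": "svc-ci", "kind": "machine", "privileged": False, "enabled": True,
     "owner_active": True, "last_used": "2025-10-31T11:00", "left": None, "disabled": None},
]

def _ts(value):
    """Parse an ISO timestamp, passing None through."""
    return datetime.fromisoformat(value) if value else None

def identity_metrics(inventory, now=NOW):
    enabled = [a for a in inventory if a["enabled"]]
    # Hours between departure and disablement, for identities already closed out.
    closed = [(_ts(a["disabled"]) - _ts(a["left"])).total_seconds() / 3600
              for a in inventory if a["left"] and a["disabled"]]
    return {
        "privileged": [a["id"] for a in enabled if a["privileged"]],
        # Still usable, but nobody accountable for it.
        "orphaned": [a["id"] for a in enabled if not a["owner_active"]],
        # Machine credentials that remain enabled yet have not been used recently.
        "stale_machine": [a["id"] for a in enabled if a["kind"] == "machine"
                          and now - _ts(a["last_used"]) > STALE_AFTER],
        # Departed but never disabled: the lifecycle process missed these.
        "overdue_deprovision": [a["id"] for a in enabled if a["left"]],
        "median_deprovision_hours": median(closed) if closed else None,
    }
```

Here `svc-backup` surfaces in three lists at once (privileged, orphaned, stale), which is the kind of machine identity the audit item is meant to catch.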


The bottom line


Cybersecurity Awareness Month 2025 managed to bring identity security into daylight—not as a niche topic but as the front line. Yet, as the month wraps, it also exposes a larger truth: many organizations must do more than talk about identity-first security—they must live it.


As Dandliker put it: “The path of least resistance is no longer the network–it’s identity.” Whether that message sticks will depend on whether organizations transform rhetoric into workflow, architecture and culture.


October may be over, but the identity reckoning has just begun.
