Making the Business Case for an NHI Security Program

The 1st NHI Security Conference brought together five influential CISOs to unpack the complexities of building a business case for a non-human identity security program. As machine identities multiply, the conversation focused on prioritizing NHI security amid competing demands, budget limitations, and growing regulatory expectations.

Why NHI security and why now?

The panel opened by stressing the urgent need for NHI security due to rising NHI-based vulnerabilities. Colleen Coolidge highlighted that NHIs are not new but have remained under-prioritized compared to more mainstream identity solutions. Corey Scott shared a cautionary tale from his time at Confluent, where he navigated a breach involving over-permissioned API identities. This incident exposed critical gaps in monitoring and control, underscoring the risk of NHI-based attacks that evade traditional IAM approaches.

Addressing industry-wide challenges

  1. Supply chain exposure: Moriah Hara noted that NHI vulnerabilities can allow vendors, like those involved in the SolarWinds breach, direct access to core systems, creating risks that many security frameworks overlook. She emphasized integrating NHI into IAM to secure third-party access and better comply with regulatory frameworks like NIST and SEC guidelines.
  2. Collaboration is key: The panel stressed that cross-departmental collaboration is essential: an NHI program needs buy-in from teams such as DevOps, third-party management, and privacy. Coolidge shared her strategy of friendly competition between teams to strengthen accountability, ensuring NHI policies don’t become isolated security responsibilities.

Building a practical business case

The CISOs provided a realistic roadmap for gaining executive support and budget for an NHI program:

  • Quantify ROI: Demonstrating potential cost savings, as Corey Scott did with a cost-bounty program at Confluent, can make a compelling case. Identifying redundant or idle NHIs not only mitigates risk but also reduces cloud costs, creating a direct financial incentive.
  • Showcase risk reduction: Many tools now offer comprehensive monitoring and life-cycle management for NHIs, making it easier to prevent breaches and comply with policies. The panel highlighted that any data supporting reduced cyber insurance premiums can also help validate the case for investing in NHI security.

Key takeaways

The panel concluded with these essential insights for security leaders:

  • Inventory matters: Know where and how NHIs are being used within the organization, as this is vital for controlling access and mitigating risk.
  • Ongoing process: Effective NHI security requires continuous monitoring, updating, and collaboration. NHI vulnerabilities are dynamic, necessitating adaptable strategies.
  • Education & communication: Explaining NHI risks in clear terms to stakeholders can help prioritize NHI security within broader risk management and compliance goals.

Watch the full session for the complete discussion.