The Lockdown

Thycotic’s Cyber Security Blog

Are We Becoming an Industry of PAM “Haves” and “Have-Nots?”


Written by Chris Smith

May 7th, 2019

We are worried.

A few years back, Gartner reported that more than 65% of organizations allow unrestricted, unmonitored and shared use of privileged accounts. (Forecast Snapshot: Privileged Access Management, Worldwide, 2017). Surely, we thought, with high-profile cyber-attacks in the news and rapid growth of the PAM industry, that number must be decreasing. So, at the beginning of this year, we set out to assess the state of PAM.

The results of our research revealed that PAM adoption appears to be worse than expected.

If you want the full story, head to the detailed PAM Maturity survey report. We’ll break the topline findings down below and add some behind-the-scenes color to help drive the conversation forward.

Before we get into the numbers, let’s recognize that comprehensive privilege protection isn’t simply a matter of “do you or don’t you” have a PAM security solution in place. It’s not until you can implement Privileged Access Management controls at scale that you’re truly a PAM expert. It’s important to consider how your PAM program secures privileged credentials in different states, across your entire attack surface, and in the context of different environments.

With that in mind, in our maturity assessment, we posed 11 questions that determined how far an organization had progressed through four consecutive phases of Privileged Access Management maturity.

Phase 1 – Analog
Organizations in the Analog phase of PAM maturity face a high degree of risk. Securing their privileged access is limited and minimal. Privileged credentials are managed mostly manually and may be tracked with spreadsheets. As a result, these organizations often provide excess privileges to people who don’t need them, share privileges among multiple administrators, and neglect to remove privileges when users leave the organization or change roles.

Phase 2 – Basic
Organizations move from the Analog to the Basic phase of PAM maturity by adopting PAM security software and automating time-consuming manual processes. They have implemented a password vault to store privileged credentials, but the password management tools they use are typically more appropriate for consumers than for enterprises.

Phase 3 – Advanced
Organizations in the Advanced phase of PAM maturity have moved from a reactive to a proactive privilege security strategy. PAM becomes a top cyber security priority, with a commitment to continuous improvement of privileged access management best practices.

Phase 4 – Adaptive Intelligent
As the ultimate stage of PAM maturity, organizations in the Adaptive Intelligent phase take continuous improvement to a higher level, integrating leading technologies such as artificial intelligence and machine learning to collect information and adapt system rules. These organizations fully automate and manage the entire PAM lifecycle, from provisioning to rotation to deprovisioning and reporting.

With 450 organizations responding, we analyzed the results.

Although 78% of respondents said they include privileged credential protection as part of their cyber security strategy, upon deeper investigation, we learned that in the vast majority of organizations, PAM practices are woefully insufficient.

85% fail to achieve even basic privileged security hygiene

That’s right. 85% are stuck in the Analog phase of PAM maturity. Among those failing to reach even a basic level of maturity:

• 55% have no idea how many privileged accounts they have or where they’re located.

• Over 50% of their privileged accounts never expire or get deprovisioned.

• Only 18% are storing all their privileged accounts in a secure privileged access management vault or password manager.

Here’s the kicker: 11% have reached the highest level of PAM maturity

Interestingly, very few respondents landed in the Basic or Advanced stages of PAM maturity. Those that weren’t stuck in Analog had mostly accelerated all the way to the final stage, Adaptive Intelligent. Not only do they have PAM solutions in place, they’re making the most of them.

What these results tell us is that there is a problem with cyber security hygiene. What they don’t tell us is why. For that, we need to rely on what our customers tell us and make some educated guesses.

Why do some organizations embrace PAM, while others do not?

It may be because some organizations are lucky to have a PAM “champion” who embraces change and rallies other departments and decision-makers – IT operations, development and engineering, incident response – to support the PAM project.

It may be that some organizations had negative experiences with older, clunkier versions of PAM software and haven’t looked around to see what is new.

It may be that some companies have experienced breaches and subsequently recognize the importance of PAM to control the damage and respond to incidents quickly.

What if this inequality were to continue growing?

Imagine if we allow this disparity to increase between the PAM security “haves” and “have-nots.” What might the world look like?

• Cyber criminals will look for the weakest target and companies that haven’t adopted PAM will be more vulnerable.

• Motivated experts will flock to companies that embrace advanced cyber security strategies, leaving others scrambling to find talent.

• Technology partners will choose companies with PAM best practices in place, rather than integrate with those falling behind.

• Customers will lose trust in companies that don’t adopt PAM and select vendors that represent lower risk.

This security gap is not acceptable

We believe organizations of all sizes and types deserve comprehensive Privileged Access Management.

To achieve basic PAM maturity you don’t need a large team of experts or a massive budget. Comprehensive PAM can be simple to use and give you the control and agility you need to become self-sufficient. As part of a cyber security risk assessment, evaluate your PAM security practices and plan your next steps.

If you’ve already achieved PAM basics and you’re looking to move to the next level of maturity, you can get inspired by stories of PAM success and ideas for implementation throughout the PAM lifecycle in our PAM Expert’s Guide.

Even if you’re a small organization and can’t invest in a paid PAM solution right now, you can take action to protect privileged accounts with Secret Server Free.

We’re here to help you improve your cyber hygiene, adopt security best practices, and advance in your PAM journey. Let us know how we can help.
