In this episode, Martin Kuppinger, Founder and Principal Analyst at KuppingerCole Analysts, joins Empiric’s Head of Identity and Access Management for Benelux, Jamie Hercus, to discuss the risks of cybersecurity tool proliferation, why role management projects still fail and what organisations should prioritise when building identity and security teams.
Martin brings over two decades of experience analysing the identity and cybersecurity space and is a co-founder of KuppingerCole Analysts, an independent analyst firm focused on identity, access management and cybersecurity research.
Watch the full episode and read the full recap below.
TLDR: Key Takeaways from the Conversation
- The average CISO manages 70 to 80 cybersecurity tools - that complexity creates cost, skills and integration burdens that often outweigh the security gains each individual tool was meant to deliver.
- Identity programmes fragment when decisions are made under pressure rather than through a structured approach - organisations end up spending wrongly and compounding operational challenges.
- Vendor loyalty and skills protection slow identity progress more than technology does - professionals who broaden their tool exposure become more adaptable and harder to displace.
- Most identity programmes start with the tool rather than the process - and a process built around a specific tool rarely survives when that tool changes.
- Role management keeps stalling because roles become outdated, over-entitled and too complex to maintain - the shift toward dynamic authorisation and just-in-time access is overdue.
- The identity skills gap is an investment problem as much as a hiring one - training existing people and looking at adjacent talent pools, including SAP professionals, is a faster route than waiting for the market to supply specialists.
Why More Identity Tools Don’t Always Mean Better Security
The identity and access management market continues to grow at speed, with each product promising to solve the next critical gap in enterprise security. Martin is candid about the risk this creates: "Every innovation seems to lead to a new acronym, a new product category, even while it's sometimes just features... improved features that fit quite well into an existing category."
He cites identity intelligence and visibility (IIV) platforms as a prime example: "I would say is, is a new generation of advanced access governance tools, which are around for decades... it's more a capability than really a tool thing."
“The average CISO reports that they have 70 to 80 different cybersecurity tools, which is extremely difficult to manage. Every tool creates challenges… cost, skills, integration, orchestration. Think about it from a capability perspective… do I really need it, do I already have it in another form, how important is it compared to other initiatives?”
Why Identity Programmes Fragment Instead of Scaling
CISOs and identity leaders often struggle to recognise when their environment moves from layered to fragmented.
Martin sees both approaches across the market: “quite a lot of these organisations are looking at defining their more structured approach.” At the same time, he observes decisions made too quickly under pressure. “If you don’t act, you risk being blamed… if you act, you risk spending the money wrongly and ending up with operational challenges.”
Security leadership lives with constant tension: “you always weigh whether a decision really helps mitigate critical issues or whether there are other ways to improve your security posture.”
Why Vendor Loyalty Can Stall Identity Progress
Martin draws on extensive experience to explain how deep expertise can turn into resistance to change, particularly when identity decisions become tied to existing skills, platforms and internal ownership.
“Many of these conversations weren’t driven by facts… they were driven by protecting skills and value,” he says, recalling long-running platform debates that slow decisions, duplicate tooling and consume time and budget.
From his perspective, professionals strengthen their value by expanding their exposure. “If you are good in one or two access management tools, you can become good in the next one with reasonable effort... the more tools you know, the easier it becomes to learn another.”
Process, Methods and the IAM Skills Gap
As identity programmes mature, Martin sees a persistent issue in how organisations approach change. “Too many organisations don’t look at processes and policies… the tool is always the starting point,” he says, pointing out that this approach often undermines long-term progress. For him, the problem is structural rather than technical, because “if you have a really good process, then the process should survive the tool.”
That gap shows up most clearly in how teams are structured. While technical capability remains important, Martin stresses that “there’s the technical aspect… but there’s also this more process and organisational skillset that is very important,” adding that these skills are often missing when teams try to move beyond tooling and into sustainable operating models.
Role Management in Identity Programmes
Despite being a long-standing part of identity governance, Martin sees role management as one of the areas where programmes most often run into trouble. “Role management projects tend to stall… they tend to end up in an overly complex state,” he says, pointing out that many role models struggle to keep pace with how organisations actually operate.
That complexity creates deeper issues over time. Roles, in his view, “tend to be outdated… they tend to be over entitlement… they’re the root cause of all bad identity management,” yet they continue to sit at the centre of many programmes. One reason is familiarity. “People know how to do it… it is their distinguishing skillset,” which makes it hard to step away even when the approach no longer fits.
For Martin, progress requires a shift in thinking. “We need to reduce reliance on roles and move towards dynamic authorisation, just-in-time access and externalised authorisation,” approaches that better reflect how access decisions need to work today.
Building Identity Teams for What Comes Next
Martin brings the discussion back to people, starting with the individual perspective. For those working in identity and security, he stresses that “it’s about continuous learning because things are evolving… there are new technologies emerging,” adding that professionals “can increase the own value by looking at new technologies, by learning something in addition”.
From an organisational point of view, he sees the skills gap as a signal to think differently about how teams are built. “Everyone rightfully says we have a skills gap… we don’t find the resources we need,” he says, which makes it essential to “invest in your resources… invest in training”. That also means looking beyond traditional identity backgrounds, as “a lot of SAP people have excellent skills in business processes… they might be able to shift into the identity space rather quickly”.
He also points to how teams often end up “cleaning up behind the others”. “Invest in collaboration… so that they work with you and not that you then need to care for what has gone wrong,” he says, while combining internal expertise with external support where it makes sense.
Continue the Conversation
Our dedicated recruitment team connects organisations with identity and cybersecurity professionals who combine technical depth with strong organisational thinking. If you are building an identity team, hiring senior IAM leaders or considering your next move in the market, arrange a call with us today.
Connect with Jamie and Martin on LinkedIn to continue the conversation, follow Empiric on LinkedIn, and subscribe to our newsletter for future Empiric Insights episodes.
Johnny Beverton