Delinea has announced findings from a global survey of 2,100 IT Security Decision Makers (ITSDMs) which reveals that 60% of respondents believe their overall security strategy does not keep pace with the threat landscape, and that they are either lagging behind (20%), treading water (13%), or merely running to keep up (27%). Conducted in more than 20 countries, the research polled attitudes towards identity security and the protection of privileged identities.

The report also highlights differences between the perceived and actual effectiveness of security strategies. While 40% of respondents believe they have the right strategy in place, 84% of organizations reported that they have experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.

Promisingly, many organizations are hungry to make a change, particularly when it comes to protecting identities. In fact, 90% of respondents state that their organizations fully recognize the importance of identity security in enabling them to achieve their business goals, and 87% say that it is one of the most important security priorities for the next 12 months.

However, three quarters (75%) of IT and security professionals also believe that they’ll fall short of protecting privileged identities because they won’t get the support they need. This is largely due to a lack of budget and executive alignment, with 63% of respondents saying that their company’s board still doesn’t fully understand identity security and the role it plays in enabling better business operations.

The research reveals that, despite good intentions, companies have a long way to go to protect privileged identities and access. Less than half of the organizations surveyed have implemented ongoing security policies and processes for privileged access management, such as password rotation or approvals, time-based or context-based security, or privileged behavior monitoring such as recording and auditing. Even more worryingly, more than half (52%) of all respondents allow privileged users to access sensitive systems and data without requiring multi-factor authentication (MFA).

The report brings to light another dangerous oversight. Privileged identities include humans, such as domain and local administrators, as well as non-humans, such as service accounts, application accounts, code, and other types of machine identities that connect and share privileged information automatically. However, only 44% of organizations manage and secure machine identities, while the majority leave them exposed and vulnerable to attack.