Why Security Awareness Remains on the Front Lines of Access Management

2025-09-24

Back in 1993, I was working in France, overseeing a Sun Microsystems environment. I still remember running a simple password checker script on the central /etc/passwd file. Most passwords were easy to guess; there were a lot of swear words, so on the upside, I was able to improve my vocabulary.

Here we are, some three decades later, and are things really any better? Passwords are a scourge: they litter our phones and clutter our computers, leaving us with no recourse but to take shortcuts.

In the corporate world, each compromised credential opens a tiny window in the enterprise defences which, once climbed through, might as well be the front door. Attackers generally don't care about the individual account itself, but about what it lets them do once they're in: move laterally, escalate, and kick off a bigger data breach or a ransomware attack.

People remain a weak point — not out of malice or carelessness, but because nobody can realistically cope with today’s complex, layered, fast-changing digital environment. It’s not just the end-users. A major burden is borne by operations and security teams, who must manage people’s password resets, onboarding and offboarding, and monitor for poor behaviors and attempted breaches.

And then, of course, we have developers. What of the username-password combinations needed to reach databases, or the tokens used to authenticate to APIs? These get hard-coded into applications, held in environment variables, or stored as run-time data, and transmitted in the clear over a weak or unencrypted transport protocol.

Secrets sprawl is a problem for any development shop. However, so is the human trait of writing code to test something out without having security front-of-mind. If I want to build quickly, I don't want to jump through all the hoops. But then, of course, three weeks later, the "temporary" hard-coding is still in place.
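As an added example that is not part of the original post, here is a small pre-commit style check in Python for the patterns the paragraph above describes: credentials embedded in connection URLs, secrets assigned to telling variable names, and long high-entropy string literals that look like keys. The source it scans is constructed for this example, and the rule names, regexes and entropy threshold are my own assumptions rather than those of any particular scanning tool.

```python
import math
import os
import re

# Constructed sample source for this example (not from the original post): the
# kind of "temporary" hard-coding that survives into a merge, next to the safe
# pattern of reading the value from the environment at runtime.
SAMPLE_SOURCE = '''\
DB_URL = "postgres://app:hunter2@db.internal:5432/prod"  # TODO remove before merge
api_token = "sk_live_8f3kq9ZpA2mN7vB4xC1dE6wR0tY5uI"
password = os.environ["DB_PASSWORD"]
greeting = "hello, world"
nonce = "8f3kq9ZpA2mN7vB4xC1dE6wR0tY5uIjL"
ENDPOINT = "https://api.example.com/v1/items"
'''

# Variable names that suggest the literal assigned to them is a credential.
SECRET_NAME = re.compile(
    r"(?i)(pass(word|wd|phrase)?|secret|token|api[_-]?key|private[_-]?key|credential)"
)
# name = "literal" or name: "literal", with a literal of at least 8 characters.
ASSIGNMENT = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_.]*)\s*[:=]\s*(?P<q>["'])(?P<value>[^"'\n]{8,})(?P=q)"""
)
# scheme://user:password@host -- a credential embedded in a connection string.
URL_CREDENTIAL = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s/:@]+:(?P<password>[^\s@/]+)@")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score well above prose or URLs."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan(source: str, entropy_threshold: float = 4.0, min_len: int = 20) -> list[tuple[int, str, str]]:
    """Return (line number, rule, detail) for every suspicious line in `source`."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        url = URL_CREDENTIAL.search(line)
        if url:
            findings.append((lineno, "credential-in-url", url.group("password")))
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            continue  # not a string-literal assignment, e.g. os.environ[...]
        name, value = m.group("name"), m.group("value")
        if SECRET_NAME.search(name):
            findings.append((lineno, "hardcoded-secret", name))
        elif len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
            findings.append((lineno, "high-entropy-literal", name))
    return findings


def load_secret(name: str) -> str:
    """The hardened pattern: resolve the secret at runtime and fail loudly if it is absent."""
    try:
        return os.environ[name]
    except KeyError:
        raise RuntimeError(f"secret {name} is not set; refusing to start") from None


if __name__ == "__main__":
    for lineno, rule, detail in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule} ({detail})")
```

On the constructed sample this flags the password inside the database URL, the `api_token` literal, and the anonymous 32-character `nonce`, while leaving the `os.environ` lookup and the plain endpoint URL alone. The entropy threshold is the noisy knob: URLs and base64-looking prose sit around 3.5 to 4 bits per character, so a lower threshold trades missed keys for false positives, and a check like this belongs in CI or a pre-commit hook precisely so that the three-weeks-later leftover is caught before it merges.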

The final pillar of risk is not about people, but machines. Developer secrets are one piece of a bigger puzzle that extends to non-human identities: edge devices, SaaS APIs, and other points of connection, reached via VPN or tag-based microsegmentation.

These needs are extending into AI Agents, which not only need to authenticate but would also ride roughshod over any privacy policy if left unfettered. Like humans, agents are only as safe as the credentials they’re given — but unlike humans, they are amoral by nature. Equally, agents need to be managed and protected securely.

“The car that starts the season isn’t the car that ends it—there are constant iterations,” said Nimesh Kotecha, Group Head of End User Services, Oracle Red Bull Racing. “The data and workflows around those iterations are our crown jewels. Many applications feed into those decisions, so having controls to ensure only authorised access, with accountability and auditability, is crucial. 1Password fits seamlessly into our existing ecosystem, complementing the tools we already rely on to deliver secure access, while giving us a unified view and the metrics we need.”

So tools and workflows work well together in an organisation that puts security first: there, for example, least-privilege access (deny unless explicitly authorised) is implemented by default, not by exception. Such approaches are great where you have the backing of the management team and you're on top of the complexity, as we can see in the case of Oracle Red Bull Racing (and more power to their elbow).

However, they're not necessarily going to be so effective where security isn't a core pillar at board level, or where the organisation is too big to apply policies consistently. Even if SecOps can get on top of secrets and non-human identities, the thousands of users across multiple departments will leave a million tiny holes in an otherwise well-defended perimeter.

It would be truly great to think that we could solve this conundrum through technological means alone. Perhaps one day we will, through some combination of white-hat agents and passkey-only access, maybe, or some quantum technology we haven't worked out yet.

Until some combination of tools, processes, and architecture solves the problem completely, awareness remains our best defence. Another experience from my dim past was as a security awareness trainer for various government departments – I’ve seen firsthand how the security-first lightbulb can switch on in even the least technical of staffers, from board to the front line.

For this reason, I’d propose to security vendors that they consider end-user-facing “personal security posture” dashboards on their tools, making security awareness part of their daily information feed. Just a thought!

In the meantime, regular doses of security awareness remain an important piece of the overall puzzle. From experience, it’s a Goldilocks thing – too much advice or policy can become overbearing, too little and the message gets forgotten. But be in no doubt that it should be part of any organization’s security response, whatever the scale.