
Modern cyber attacks rarely begin with malware anymore; they begin with identity. This story follows a real-world inspired cyber security audit in which hidden Active Directory risks, legacy authentication exposure, and operational blind spots were uncovered.
The Audit & Discovery
Over the years, I’ve walked into many customer environments during cyber security audits, and most of the time the first conversations sound very similar.
“We already have MFA.”
“We already invested heavily in cyber security.”
“Our firewalls and endpoint protection are enterprise-grade.”
And to be fair, most organisations genuinely believe they are well protected.
Until identity becomes the problem.
One particular engagement still stands out to me because it perfectly demonstrated how modern cyber risks have shifted away from traditional perimeter attacks and directly into identity and authentication systems.
The customer operated a large hybrid environment built around Active Directory. Like many mature businesses, years of operational growth had created a mixture of modern cloud platforms, legacy applications, VPN access, service accounts, remote contractors, and privileged administrative access spread across multiple systems.
On paper, the environment looked stable.
Operationally, the business was functioning well.
But during the audit, the gaps became very clear.
We identified multiple concerning behaviours:
- Dormant service accounts still actively authenticating
- Legacy authentication protocols still heavily used
- Administrative accounts accessing systems from unusual locations
- VPN authentications with very limited visibility
- Critical internal systems that could not support modern MFA
- Excessive privilege sprawl across operational teams
Individually, none of these findings looked catastrophic.
But together, they painted a very different picture.
The business wasn’t lacking security products.
It was lacking visibility and control over identity behaviour.
And that’s the challenge many organisations face today.
Attackers no longer need to “break in” the traditional way. In many cases, they simply authenticate using compromised credentials, service accounts, token theft, or lateral movement techniques that blend into normal operations.
The Business & Operational Challenge
The hardest part for the customer was balancing security with operational reality.
Many of their critical systems were legacy platforms deeply integrated into daily operations. Replacing or redesigning them would cost millions and potentially introduce major business disruption.
Operations teams feared downtime.
Security teams feared exposure.
Executives feared both.
Like many businesses, the organisation had evolved over time through acquisitions, rapid growth, operational urgency, and years of “temporary” exceptions that quietly became permanent.
Service accounts were shared between systems.
Administrators retained elevated privileges longer than necessary.
Legacy applications continued using outdated authentication methods because “they still worked.”
And while the business continued operating successfully, the operational risk kept growing silently in the background.
The reality was simple:
the company could not modernise everything overnight.
That meant the organisation needed a security strategy capable of protecting both modern and legacy systems simultaneously — without slowing the business down.
The Solution
That’s where my role shifted from auditor to strategic advisor.
Instead of recommending another disruptive infrastructure transformation, I proposed a different approach:
Secure the authentication layer itself, across both modern and legacy systems, without forcing the business to redesign everything.
The implementation focused on extending identity protection directly into the organisation’s existing infrastructure, including systems that traditionally sat outside normal MFA and identity security coverage.
And the impact was immediate.
For the first time, the customer gained deep visibility into authentication activity across their entire environment.
We could identify:
- Risky authentication patterns
- Unusual administrator behaviour
- Service account misuse
- Legacy protocol exposure
- Authentication attempts that previously blended into normal traffic
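The audit findings and the visibility gained afterwards both come down to the same kind of checks run over authentication telemetry. The script below is an added example, not the customer's tooling or any vendor product: it triages a constructed set of Windows Security event 4624-style logon records for three of the behaviours named above (dormant service accounts still authenticating, NTLM use, and administrative accounts logging on from outside their expected network). The account inventory, admin naming prefix and expected admin subnet are assumptions for the example.

```python
"""Triage of Active Directory logon events for identity risks an audit looks for.
Added example; the event records are constructed here with field names that
mirror event 4624 (AccountName, AuthenticationPackageName, IpAddress, LogonType)."""
from collections import defaultdict

# Constructed sample logon events (not real customer data).
EVENTS = [
    {"account": "svc_backup",    "auth_pkg": "NTLM",     "ip": "10.0.5.20",    "logon_type": 3},
    {"account": "svc_backup",    "auth_pkg": "NTLM",     "ip": "10.0.5.20",    "logon_type": 3},
    {"account": "svc_legacyerp", "auth_pkg": "Kerberos", "ip": "10.0.9.14",    "logon_type": 3},
    {"account": "adm_jsmith",    "auth_pkg": "Kerberos", "ip": "10.0.1.10",    "logon_type": 10},
    {"account": "adm_jsmith",    "auth_pkg": "Kerberos", "ip": "203.0.113.77", "logon_type": 10},
    {"account": "jdoe",          "auth_pkg": "Kerberos", "ip": "10.0.1.55",    "logon_type": 2},
]

# Hypothetical audit inventory: service accounts the business believes are
# retired, the naming prefix used for admin accounts, and the subnet admins
# are expected to work from.
DORMANT_SERVICE_ACCOUNTS = {"svc_backup"}
ADMIN_PREFIX = "adm_"
EXPECTED_ADMIN_SUBNETS = ("10.0.1.",)


def triage(events):
    """Return {finding_name: sorted list of affected accounts} for the sample."""
    findings = defaultdict(set)
    for e in events:
        acct = e["account"]
        # A "retired" service account that still authenticates is a live risk.
        if acct in DORMANT_SERVICE_ACCOUNTS:
            findings["dormant_service_account_active"].add(acct)
        # NTLM is the legacy protocol most often left behind by old applications.
        if e["auth_pkg"] == "NTLM":
            findings["legacy_auth_ntlm"].add(acct)
        # Admin logon from outside the expected subnet warrants investigation.
        if acct.startswith(ADMIN_PREFIX) and not e["ip"].startswith(EXPECTED_ADMIN_SUBNETS):
            findings["admin_from_unusual_location"].add(f"{acct}@{e['ip']}")
    return {k: sorted(v) for k, v in findings.items()}


def legacy_auth_share(events):
    """Fraction of logons that used NTLM, to quantify how 'heavily used' legacy auth is."""
    ntlm = sum(1 for e in events if e["auth_pkg"] == "NTLM")
    return ntlm / len(events) if events else 0.0


if __name__ == "__main__":
    for name, accounts in triage(EVENTS).items():
        print(f"{name}: {', '.join(accounts)}")
    print(f"NTLM share of logons: {legacy_auth_share(EVENTS):.0%}")
```

In a real environment the same logic would run over exported 4624 events from every domain controller, and the inventory sets would come from the account review rather than being hard-coded.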
More importantly, the organisation was finally able to apply adaptive security controls across systems they previously considered impossible to modernise securely.
The technical improvements were significant:
- Expanded MFA coverage into legacy environments
- Reduced lateral movement opportunities
- Better privileged access visibility
- Stronger detection of identity-based threats
- Improved operational reporting for security teams
But the real transformation was business confidence.
Before the engagement, the organisation operated reactively. Security incidents created stress, uncertainty, and long investigation cycles.
Afterwards, the conversation changed entirely.
Executives gained measurable visibility into identity risk. Operational teams became more confident supporting legacy systems. Security teams spent less time chasing noise and more time focusing on genuine threats.
Most importantly, the business reduced one of the largest modern cyber risks without disrupting operations.
Summary
That engagement reinforced something I strongly believe after years working across infrastructure, identity, and cyber security:
Modern security is no longer just about protecting networks or endpoints.
Identity has become the new operational perimeter.
And the organisations that succeed in the coming years will be the ones that can secure identity intelligently, across every user, system, service account, legacy platform, and authentication flow the business depends on, without slowing the business down.
