Some of the biggest challenges that face security teams today are Identity and Access Management (including Privileged Access Management) and Application Security. Too often, these initiatives get mired in the details and complexity and never end up getting completed. Systems administrators and application teams cringe at the thought of touching their Service Accounts. And you can’t find anyone who can tell you why some guy from some third party has a privileged account on that one server in the corner of the data center.
When it comes to appsec, the problem is that the product roadmap has already been approved for the next two years, including new features and identified bugs to fix. And while the application team might genuinely like to help get some of those security defects into the queue, they will also inform you that it will take an act of Congress to shoehorn them into the existing roadmap.
I think we end up at the stalemate we often see because while the details are necessary to fix the issues, no one outside of the security team and a few IT folks can understand them. The business surely doesn’t understand these issues, and therefore they can’t grasp the risks either. Until the business can help prioritize these initiatives and remove obstacles, we’ll never make headway.