Chief information security officers (CISOs) are the ultimate gatekeepers of the flow of sensitive data inside and outside the organization. While protecting data and identities is of paramount importance, there’s mounting pressure on the CISO to do so without adding more friction to the user experience.

This challenge is in plain sight when a user, internal or external, attempts to gain access to data, resources or applications. Traditionally, this has been accomplished through simple username/password systems, but compliance mandates built to protect privacy and increasingly sophisticated cyberthreats demand stronger, multifactor authentication.

Despite the Benefits of Pervasive MFA, Companies Are Slow to Adopt

Multifactor authentication (MFA) is the practice of requiring a user to supply two or more factors to gain access to systems, applications and data. Beyond a password and personal identification number (PIN), factors can include tokens, one-time passwords and biometrics. In other words, MFA solves the problem of a threat actor being able to gain unfettered access with just a single stolen credential.

Despite the obvious benefits of multifactor authentication, organizations tend to leverage this technology on a selective basis. What is preventing more pervasive MFA use? When asked why their organization hasn’t deployed multifactor authentication more extensively, according to an Enterprise Strategy Group (ESG) survey, more than half of respondents cited the need to determine what actually requires at least a second level of authentication (30 percent) and/or the fact that not all IT or physical assets require that level of protection (27 percent) — both of which can be attributed to aligning MFA with the appropriate use cases and requirements.

Source: Enterprise Strategy Group InstaGraphic

Multifactor Authentication Is More Than a Bolt-On Feature

There has been a historic bias — which is not a great way to make security decisions — against MFA. Business and IT executives have not supported broader use of multifactor authentication and employees have resisted it, so organizations are very careful about any new MFA initiatives. However, modern, enterprisewide MFA solutions, including mainframe security, can be deployed effectively and with minimal friction to the user experience.

For example, you could optimize multifactor authentication for the platform or system of record where critical data and applications reside and add MFA to more users that access systems like the mainframe — which is more than you think. The investment made in native mainframe security access control systems can be leveraged to help provide flexibility so that the right level and kind of additional factors can be used for the right type of user and access.

MFA is not a one-size-fits-all proposition. MFA solutions are considered as part of the overall experience and should not be an afterthought that is bolted on after the fact.

How Does Multifactor Authentication Fit Into Your Security Strategy?

Progressive organizations are implementing security processes and technologies that accommodate the insatiable demand for more access without adding unacceptable risk. One example is an identity governance program with risk-based scoring that determines what kind of access a user should be granted depending on a variety of conditions. Enterprise MFA solutions should have the flexibility to serve up the right kind of additional factors determined by the risk score. This is just one example of how multifactor authentication will help drive an “authentication everywhere” strategy that accommodates all systems, users and conditions.

Download the MFA infographic

More from CISO

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

C-suite weighs in on generative AI and security

3 min read - Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO's guide to generative AI: Cybersecurity," part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today