Q&A: IBM’s Executive Director of Security Product Management On IAM Trends, Advice For CISOs

Wes Gyure is the Executive Director of Security Product Management at IBM. He has over 25 years’ experience addressing data security, online fraud, and digital identity management.

Expert Insights reached out to the IBM team for Gyure’s insights on the state of the challenges in the Identity and Access Management (IAM) space, and how CISOs should be planning for 2025.

What are the biggest challenges facing organizations in the Identity and Access Management space today and how are threats evolving?

Poor Identity and Access Management (IAM) practices continue to be a leading cause of security breaches, according to IBM research. In our 2024 X-Force Threat Intelligence Index, we found a 71% year-over-year increase in cyberattacks leveraging stolen or compromised credentials.

The underlying challenge here is often the increasing complexity of the IAM space. Fragmentation is the norm, with businesses across industries trying — often unsuccessfully — to wrangle multiple identity solutions across multiple clouds and with limited visibility.

Meanwhile, IAM risks and threats are being compounded by generative AI. Large language models make it easier than ever before for bad actors to hone and then scale phishing and other identity-centric attacks.

How does the IBM Verify platform help to teams address these challenges, and how do you differentiate the platform in this competitive space?

IBM Verify can tame the chaos that accompanies modern IAM sprawl and does so without enterprises having to start back at IAM square one. IBM Verify takes an ‘identity fabric’ approach, complementing and not replacing existing tools.

IBM Verify provides vendor-agnostic building blocks that eliminate identity product silos, and then layers modern authentication mechanisms into legacy tools — often times without requiring code changes. IBM Verify also automates threat detection and response, giving admins valuable time back.

What are your top recommendations for CISOs in the process of looking for an identity and access management solution?

One, find a solution with the latest authentication capabilities. The best technology today leverages passwordless, biometrics, and AI-powered, risk-based features. 

Two, ensure your solution has a ‘least privilege’ philosophy baked in. Users should have the minimum amount of access required to carry out their jobs — and nothing more.

Three, choose a solution that includes robust compliance and measurement abilities. Monitoring and auditing user access and activity should be as painless and comprehensive as possible.

Finally, choose a solution that enhances your existing tools, not one that mandates you replace existing parts of your IAM architecture.

What trends do you expect to see in the identity and access management space in 2025?

In 2025, how enterprises think about identity will continue to transform in the wake of hybrid cloud and app modernization initiatives. Recognizing that identity has become the new security perimeter, enterprises will continue their shift to an Identity-First strategy, managing and securing access to applications and critical data including generative AI models.

In your view, what should organizations’ top identity and access management planning priorities for 2025 be?

Organizations’ top priority should be taming the chaos and mitigating the associated risk caused by a proliferation of multi-cloud environments and scattered identity solutions.

Also, organizations should ensure their IAM security fundamentals don’t atrophy. Organizations should be vigilant about implementing ‘least-privilege’ principals and multifactor authentication mandates.

Further reading:

• Learn more about IBM Verify.
• Read our guide to the Top 11 Identity and Access Management Solutions.