Q&A: Rippling’s CISO Duncan Godfrey on Tackling IAM Challenges & Building A Robust, Scalable Zero Trust Strategy
Expert Insights interviews Duncan Godfrey, Chief Information Security Officer at Rippling.
“When threats feel like they are coming from every direction, some IT leaders freeze instead of taking action. It’s better to get started today and do the work than it is to worry every day that you aren’t protecting your business properly,” says Duncan Godfrey, CISO at Identity and Access Management (IAM) provider Rippling.
Securing user identities is critical, especially as credential-based attacks like phishing and business email compromise continue to increase year-on-year. But when it comes to securing identities, organizations often struggle to provide robust protection without compromising usability.
In this Q&A, Godfrey shares his insights on how companies can overcome hurdles like outdated systems, complex access management, and limited resources, and how businesses can future-proof their IAM strategies for 2025 and beyond.
Q. What are the biggest challenges facing organizations in the IAM space today and how are threats evolving?
The threat landscape is complex, with attackers employing more sophisticated methods to exploit identity-based vulnerabilities such as phishing and credential theft to impersonate individuals and gain unauthorized access.
These threats are evolving at a pace that outruns the ability of manual processes to keep up, requiring the use of automated systems to manage the complexity. Also, many organizations face difficulties implementing even the most basic security controls, let alone layering advanced security measures.
When threats feel like they are coming from every direction, some IT leaders freeze instead of taking action. It’s better to get started today and do the work than it is to worry every day that you aren’t protecting your business properly. Take the basic challenges seriously and implement good old-fashioned security hygiene.
There is a lot you can do with limited resources, and it doesn’t help to get distracted by the latest trends. There is also the scalability issue. Managing access for large or globally distributed workforces becomes overwhelming with outdated or siloed Identity and Access Management (IAM) systems.
Q. How does the Rippling IT platform help teams address these challenges, and how do you differentiate the platform in this competitive space?
Rippling’s Identity and Access Management (IAM) solution is built on a unified IT platform that seamlessly integrates identity, access, devices, and inventory logistics management.
This integration simplifies the implementation of zero-trust principles with tools like Single Sign-On (SSO), device trust, and conditional access rules. Our platform automates repetitive tasks like provisioning and de-provisioning, reducing human error and freeing up IT teams to focus on other projects.
Unlike competitors that require the assembly of disparate tools, Rippling IT’s pre-integrated solutions enable teams to secure their organizations quickly and scale without complexity.
Q. What are your top recommendations for CISOs in the process of looking for an IAM solution?
Adopting solutions that enable granular access controls, rather than relying solely on static roles and permissions, is essential for modern identity and access management.
An effective IAM solution should enhance the user experience with features like Single Sign-On (SSO), while maintaining robust security, as poor usability often leads to the rise of shadow IT and policy non-compliance. The most impactful things I’ve implemented at Rippling are Touch ID and phishing-resistant MFA, which are natively built into our IT solutions.
It’s also crucial to choose a solution that is scalable and capable of handling an increasingly complex identity landscape, including global workforces, contractors, and service accounts. Understanding how your IAM solution manages data, integrates with your existing technology stack, and ensures compliance is critical. Lastly, companies should look for tools that can evolve with emerging threats, incorporating advanced capabilities like AI-based anomaly detection or authentication.
Q. What trends do you expect to see in the IAM space in 2025?
Organizations are increasingly adopting passwordless authentication methods, such as biometric or token-based systems, to enhance both security and usability. We will likely see an increase in consolidating user identity across SaaS cloud platforms and an increased adoption of zero-trust as opposed to a perimeter-based security model.
Hyper-automation in IAM will expand to include the management of machine identities, IoT devices, and role lifecycle processes, further streamlining operations and improving security.
Q. In your view, what should organizations’ top IAM planning priorities for 2025 be?
IAM priorities depend on where you are in your maturity model. Planning for contingencies, for example ransomware attacks, impersonation, or other crises, involves creating IAM protocols that ensure operational continuity even under degraded conditions, like restricted offline access modes.
Moving away from a “one size fits all” approach to security, organizations should tailor access rules, conditional access policies, SSO, and MFA based on user attributes like role and department. This approach strengthens security while minimizing unnecessary friction for users.
As Rippling IT has shown, building IAM workflows that begin at recruitment and tie access policies directly to HR records can effectively eliminate gaps between hiring, role changes, and departures. It’s important to focus on IAM solutions that align with the increasing global emphasis on data privacy and sovereignty, including implementing features like minimal-privilege access and ensuring compliance with updated regulations such as GDPR 2.0, CCPA, and new global privacy laws.