Hey Bob, UnixGuy (Abed Hamdan) here!
Identity and Access Management (IAM) remains one of the most underserved and misunderstood areas in cyber security.
Despite being foundational to how organisations control risk, many practitioners treat it as a niche function rather than a core discipline.
In this video, I sat down with an IAM expert to unpack what IAM actually is, why it matters, and where most people in cyber security get it wrong.
Why IAM Is Widely Misunderstood
IAM often gets reduced to user provisioning and password resets. That view is incomplete.
At its core, IAM is about controlling who can access what, under which conditions, and how that access is monitored and governed. When done properly, IAM directly supports:
- Risk reduction
- Regulatory compliance
- Threat detection and containment
- Cloud security posture
- Application security controls
When done poorly, it becomes one of the fastest ways for attackers to move laterally inside an environment.
IAM Touches Every Cyber Security Role
One of the biggest misconceptions is that IAM is only relevant for dedicated IAM engineers. In reality, it cuts across nearly every cyber security specialty.
GRC professionals rely on IAM for access reviews, segregation of duties, and control assurance. SOC analysts depend on identity telemetry to detect account compromise and privilege abuse. Cloud security engineers must design least privilege access models across AWS, Azure, or GCP. Penetration testers routinely exploit weak identity controls, excessive privileges, and poor authentication flows. Application security engineers deal with authentication, authorisation, and session management.
Regardless of your path in cyber security, you will run into IAM repeatedly.
The Market Gap
There is a clear mismatch in the market.
Organisations heavily depend on identity controls, yet many cyber security training paths barely cover IAM in depth. As a result:
- Teams implement identity controls incorrectly
- Privilege models become overly permissive
- Access reviews become checkbox exercises
- Detection teams lack identity visibility
- Cloud environments accumulate toxic combinations of permissions
This creates a persistent skills gap and, consequently, strong demand for practitioners who genuinely understand identity.
What We Covered in the Conversation
In the discussion with the IAM expert, we broke down:
- What IAM actually includes beyond user provisioning
- How IAM failures commonly lead to real breaches
- Where IAM fits within broader cyber security programs
- Why least privilege is harder than most people think
- The career opportunity within identity-focused roles
If your goal is to work effectively in cyber security, IAM is not optional knowledge. It is baseline literacy.
Final Thought
If you want to thrive in your cyber security career, don't sleep on IAM. Don't say I didn't tell you.