Like many, I have watched the new policy direction(s) unfold in the U.S., and around the world in response, early this year. At the same time, I have heard the uncertainty that accompanies it from many organizations with whom we are working. For a sound reality check, I watched Gartner’s webinar on “Actions Private Sector CIOs & IT Leaders Can Take Amidst the Impacts of U.S. Federal Policy Changes.” In addition to the title being quite a mouthful, it was chock full of insights directly from the analysts and, more interesting to me, their CIO Research Circle. Here are a few things that stood out.
New Policies Drive New CIO Priorities

First, there appears to be an immediate change in focus for CIO priorities in 2025. When CIOs were surveyed in October of last year, cost barely made the top 5, and only in the context of balancing cost, value and risk. But by late February of 2025 (just 4 months later), 3 of the top 5 CIO actions, current or planned, were related to cost: modeling scenarios, assessing third-party costs and planning reductions.
Second, despite the many changes in priorities, managing cyber security risk remained at or near the top. It was #1 in October and #2 in February, falling behind the need to assess impacts to vendor / supplier relationships. I think we can all understand why that new priority topped the list at the moment, but the importance of cyber security remains strong. Just because we pause spending doesn’t mean compliance obligations or threat actors take a pause too.
Third, despite all of the understandable uncertainty (mine, those of the CIO Research Council and perhaps yours), Gartner’s recommendation about cost is that “rather than just focusing on cost-cutting exercises, CIOs should use this opportunity to consider investments that will strengthen the company’s market position in the long term.” I guess, as the saying goes, in the midst of every crisis lies great opportunity.

Five Ways to Reduce Spend, Effort and Risk…at the Same Time
With that in mind, here are five opportunities for large organizations to reduce identity security spend, effort and risk (in real dollars, hours and controls).
1. Reduce the Cost of Application Inventory
$150K/Quarter
Most privacy regulations and cyber security frameworks require organizations to maintain some sort of application inventory. As just one example, the Center for Internet Security’s Critical Controls 2 requires you to “actively manage (inventory, track, and correct) all software (operating systems and applications) on the network.” The average large enterprise typically retains a system integrator to handle this time-consuming task each quarter, paying as much as $150,000 for the professional service. Automating this exercise not only saves the recurring services spend but also enables the inventory to be maintained continuously rather than quarterly.
2. Reduce the Cost of Application Onboarding/Re-onboarding
$15K/Application
Many large enterprises outsource the application onboarding effort as part of a new IAM / IGA tool implementation or a regulatory-associated update. After an initial lump sum fee to onboard the first 5 applications, system integrators typically charge an average of $15,000 per application to assess the identity profile of each application and potentially integrate it into the new identity tool. Beyond the direct integration cost, there are significant hidden costs — with application owners and engineering teams spending days (or weeks) per application to support the system integrator onboarding effort. This represents lost productivity and diverted technical resources. Automating the analysis of identity features in each application costs a fraction (25%) of the traditional professional services spend.
3. Save Time for Your Application Developers
1-4 Weeks / Application
As part of that same onboarding/re-onboarding process, whether led by an in-house engineering team or an outsourced system integrator, application owners are called upon to provide detailed identity information about each application. This is often in response to a survey, but in any case it usually entails 1 to 4 weeks (plus or minus depending on the app) of back-and-forth communication. Orchid Security automates the analysis of identity flows coded into each application, providing it in the form of a completed questionnaire for the common IAM / IGA tools. While application owners are often asked to review this output, it greatly speeds the onboarding process to 1 week or less. This frees up application developers to focus fully on the innovation in their jobs.
4. Close Gaps in Identity Security
Remediate 7 Common Weaknesses
Across Fortune 1000 organizations in the U.S. and Europe, Orchid Security has identified the top identity control gaps compared to privacy regulations, cyber security frameworks and identity security best practices. These gaps include credentials stored in clear text or with weak encryption, no logging of authentication / authorization activity, no account lockout, lack of MFA and more. While organizations must resolve the use of clear-text, weakly encrypted or hard-coded credentials themselves, the remaining most common gaps can be immediately remediated through the use of application instrumentation provided by Orchid Security.
5. Protect Against Personal / Corporate Liability
Fines from $5,000 to $100,000 per month until compliant / Up to $5 million in fines and 20 years in prison for willful violations
Missing or insufficient identity controls can create serious legal and regulatory liabilities — not just for the organization, but for its leadership. Regulatory frameworks like SOX, GDPR, PCI-DSS, and NIST all require strong identity governance to ensure data access is properly managed, monitored, and auditable. When these requirements are not met, organizations risk non-compliance penalties, reputational damage, and even personal liability for CISOs, CIOs, and other executives. In some cases, failure to implement or monitor identity controls has led to civil or criminal investigations following data breaches or audit failures. Orchid Security addresses these risks directly with its continuous discovery, assessment, and delegation capabilities, providing a real-time, application-centric view of identity posture. This approach ensures gaps are identified early, responsibilities are clearly delegated, and controls are kept up to date — reducing the risk of individual accountability failures and strengthening the organization's compliance position across evolving mandates.

Orchid's Solution
With Orchid Security, organizations looking to reduce budget spend yet continue to maintain compliance, and even tackle new projects to improve cyber security, really can accomplish all three objectives at the same time. New technology, applied purposefully to Identity and Access Management by Orchid, automates many of the manual, costly and recurring processes that are often outsourced, freeing up resources to be re-allocated. Just listen to what Costco has achieved.