Five simple principles to help your Privileged Access Management remediation succeed

Successful Privileged Access Management (PAM) implementations are difficult due to the complexity of the technology and the amount of business change required.

Our latest blog explores the five principles we have applied in the past when helping Clients successfully transform their approach to PAM.

Our five simple principles to help PAM succeed are:

  1. Principle One: Understand the real issues affecting PAM – Technology alone will not solve all PAM issues.
  2. Principle Two: Change starts at the top – Senior Management buy-in is critical.
  3. Principle Three: Define “privileged” – The scope of privileged accounts needs to be defined, understood, and agreed.
  4. Principle Four: Start small and use an iterative implementation process – Don’t do too much too soon.
  5. Principle Five: Deliver a service, not a widget – Don’t forget about service design and transition; there needs to be a plan to transfer the project to operational teams.

The ever-changing threat landscape makes it difficult to gauge where you should focus your security efforts and budget. But what remains constant is how important it is to control your organisation’s privileged accounts, especially those accounts that might give a malicious actor the ‘keys to the kingdom’.

As IT risk and information security transformation specialists, we have worked on many projects that have helped to deliver or improve PAM. Through our work, we have identified key principles that we feel helped us deliver sustainable change to our Clients.

Principle One: Understand the real issues affecting PAM

Privileged access issues can’t be solved by simply implementing a PAM tool alone. Rather than diving straight into purchasing technology, spend time upfront to identify the high-risk issues, which may not always lie with the existing technology.

Consider any wider issues that may exist with governance, people, and processes, such as the lack of recertification processes, or poor standard operating procedures for maintaining the hygiene of access data.

Principle Two: Change starts at the top

Senior Management buy-in is an age-old critical success factor for any important project. However, it is particularly important in a successful PAM project because there is likely to be significant resistance from systems administrators and privileged users.

These users may have become accustomed to using their privileged credentials with minimal control, and over time this will have been embedded in the culture of their teams. Changing this culture will be impossible without Senior Management buy-in, and clear top-down messaging will go a long way to ensuring the project has the right level of support.

Principle Three: Define “privileged”

There can be numerous ways to define both “privileged access” and critical information assets (AKA “Crown Jewels”). Further, we have seen frequent internal disagreements about which specific accounts and entitlements qualify as privileged. This can result in either over-scoping or under-scoping of the PAM project, making it too complex to deliver, or failing to meet the intended business requirements.

Therefore, it is important to start by clearly articulating and defining which access roles or entitlements are considered “privileged” within the scope of the project. This will help reduce complexity, saving time and resources.

Principle Four: Start small and use an iterative implementation process

From experience, we know that implementing PAM successfully is a difficult task. Therefore, we always encourage our clients not to do too much, too soon.

  • Start small by onboarding an initial, limited, set of your highest-priority privileged accounts.
  • Take any lessons from this first iteration and apply these in your next set of in-scope accounts.
  • Use this iterative approach to onboard smaller subsets of accounts over time rather than implementing all accounts at once.

This approach helps to continuously identify and resolve potential issues that may arise during the complex implementation process, and limits the potential effect on the entire business if any problems do occur.

Principle Five: Deliver a service, not a widget

Ensure your project includes effort and budget for service design and transition.

We typically suggest that 15% of the project’s budget should be allocated to target operating model definition and service transition. This includes identifying an appropriate team that will own the PAM solution, documenting operating procedures, conducting training, and issuing communications.

Service design and transition must involve the impacted teams. In most cases, this will be IT operations teams. This presents an additional challenge, because there may already be friction between IT and Security: IT’s focus is typically on technology availability, whereas Security’s is on integrity, completeness, and accuracy.

A strong security culture and governance, combined with clear service management documentation, will help smooth the introduction of privileged access processes.
