Why Identity Security Projects Fail, and How CISOs Can Fix That

Identity projects, initiatives that aim to improve or secure an organization’s identity fabric, frequently run long, cost more than scoped, and fail to deliver the outcomes security teams actually need. That raises the question: what separates the identity security projects that succeed from the ones that spiral?
In the latest episode of Radio Logic — the cybersecurity podcast dedicated to the people and technology behind digital identity — host Anders Askasen sits down with Michael Ribaudo, CEO of CyberIAM, for candid thoughts on what it really takes to execute identity initiatives successfully. With a decade under his belt designing and implementing Identity and Access Management (IAM) systems for complex organizations, Ribaudo has seen the full spectrum: the wins, the disasters, and the warning signs that most organizations still miss.
Why Do Identity Security Projects Fail?
Ask most practitioners what causes identity projects to fail, and you’ll hear the usual suspects: budget constraints, technical complexity, and shifting requirements. Ribaudo points to something more fundamental: a lack of honest communication between the delivery partner and the customer.
“Projects fail because there isn’t honesty and clarity between the delivery partner and the customer,” he says. “No shared understanding of what they’re trying to achieve versus what’s actually been scoped.” — Michael Ribaudo
That misalignment often starts before the project does. When a request for proposal focuses on cost and technology needs rather than outcomes, vendors bury assumptions in the fine print, change orders start flowing from day one, and the customer ends up paying far more than they bargained for — while still not getting what they needed.
The other failure driver is reactive decision-making. The majority of identity security projects are triggered by audit findings or regulatory pressure rather than strategic foresight. That reactive posture creates real problems: tight deadlines, executive panic, and a compressed delivery timeline that forces teams to cut corners on the work that matters most.
“The best projects we run are the ones where the organization has been proactive,” Ribaudo notes. “When you have a [audit] finding, you have a deadline, you have panic, and you end up rushing parts of the delivery.” — Michael Ribaudo
What Is an Outcome-First Approach to Identity?
What does a successful identity project look like? For Ribaudo, it starts with a fundamental shift in the questions being asked.
“We’ve spent too long asking ‘what do you want to do?’ rather than ‘what do you want to achieve?’” he explains. “An outcome-based approach is the best way to tackle an identity project, and it needs to be grounded in the bigger picture of the business requirements you’re trying to resolve.” — Michael Ribaudo
That means anchoring the project to a concrete business objective from the start, whether that is closing a specific audit finding, reducing risk exposure across the identity landscape, or satisfying a new regulatory requirement such as NIS2 or DORA. Actions come second. Fixing the outcome first is what defines the scope, the success criteria, and the conversations that happen when the project inevitably hits friction.
What Role Should the CISO Play in Identity Projects?
According to Ribaudo, identity is frequently mischaracterized as an IT problem. In his view, it’s a risk problem and a people problem — and that distinction matters enormously for how projects get resourced and governed.
Ribaudo is direct about where executive sponsorship needs to sit: “You want your CISO as the champion and the CEO as the sponsor.” He recalls one bank where the CEO personally sponsored the identity program. The result? Nothing stalled. When escalations reached the top, decisions were made.
For CISOs navigating the current regulatory environment, the conditions have never been better for taking that champion role seriously. Regulations like NIS2 put accountability squarely on senior executives, creating a board-level incentive to act. The question is whether security leaders use that leverage proactively, or wait for the audit finding to force their hand.
What Does a Successful Identity Project Look Like?
When the right stakeholders are aligned, the scope is honest, and delivery is grounded in outcomes, identity projects can do exactly what they’re supposed to do. Ribaudo describes the best-case scenario simply:
“When you put your statement of work and program together, make sure there is absolute clarity on what you want and what you’re going to get. That way, when it’s delivered, what you asked for is actually what you receive.” — Michael Ribaudo
That clarity, backed by the right expertise and a proven delivery process, is what separates sustainable identity security programs from the projects that keep cycling back to the same problems year after year.
For deeper insights into how your organization can deliver a successful identity initiative, watch or listen to Radio Logic Episode 2: CISOs: Take Charge of Identity.

