Cybersecurity Advisory · Briefing

Identity-first security is now the cheapest control upgrade.

Why FIDO2, conditional access and just-in-time admin beat most network spend rupee-for-rupee.

Author: Identity Practice · Published: Jan 2026 · Read time: 6 min · Format: Briefing
MAST Consulting Group · Cybersecurity Advisory practice

This briefing frames the decision for executive sponsors of Cybersecurity Advisory programmes: what is changing, what to do about it in the next two quarters, and what can be deferred without regulatory or commercial consequence. The audience is the person who signs the budget, not the person who runs the day-to-day.

Definition

Identity-first security treats the identity plane — authentication, authorisation, and privilege lifecycle — as the primary security perimeter, superseding network-centric controls. It encompasses FIDO2 passwordless authentication, Entra ID / Okta Conditional Access, and just-in-time privileged access, delivering measurably lower credential-abuse risk at a lower per-control cost than equivalent network investments.

Why it matters

The pressure on Cybersecurity Advisory programmes is shifting in specific, observable ways:

  • SAMA CSF 3.3.5 and NCA ECC-1 3-2-3 mandate MFA for all privileged and remote access; FIDO2 hardware keys or platform authenticators directly fulfil the control at AED 80–150 per user vs. AED 2M+ for equivalent network NAC projects.
  • Verizon DBIR 2024 attributes 74% of breaches to compromised credentials; deploying Conditional Access risk-based policies in Entra ID eliminates the attack vector without new network infrastructure.
  • UAE NESA IA-5 and India IT Act Rule 8 both require privileged access controls; JIT admin via Entra PIM or CyberArk satisfies both frameworks simultaneously for multi-geography GCC/India organisations.
  • Cyber insurers (Chubb, Zurich) apply mandatory MFA requirements as coverage conditions; FIDO2 deployment evidence is the single fastest control to produce at renewal, reducing premium SAR 150K–600K for mid-market firms.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • Entra ID / Okta MFA registration report — % users enrolled per authentication method (FIDO2, TOTP, SMS) and legacy method deprecation status.
  • Conditional Access named location and sign-in risk policy audit — policy count, coverage % of applications, and risk-triggered block events per month.
  • Entra PIM / CyberArk PAM activation logs — JIT privilege request count, approval time, and standing privileged role assignment count by tier.
  • Identity threat detection alerts (Entra ID Protection / Defender for Identity) — risky sign-in count, compromised account alerts, and MTTC per alert.
  • Password spray / credential stuffing detection log (SIEM) — event count, blocked vs. successful attempts, and affected account list.

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0–30: IAM Engineer runs an Entra ID / Okta authentication method analysis; blocks legacy auth protocols for all users and enforces FIDO2 or Microsoft Authenticator (phishing-resistant) for all Global Admin and Privileged Role Administrator accounts.
  • Day 31–60: Security Architect deploys risk-based Conditional Access policies blocking sign-ins with Entra risk score ≥Medium for all cloud applications; enables Entra PIM for all Azure AD roles, eliminating standing Global Admin assignments.
  • Day 61–90: IAM team rolls out FIDO2 hardware keys (YubiKey 5 series or equivalent) to the top 50 privileged users and executives; configures Defender for Identity to alert on pass-the-hash and Kerberoasting patterns.
  • Day 90+: CISO maps deployed controls to SAMA CSF 3.3.5, NCA ECC-1 3-2-3, and UAE NESA IA-5 in the Statement of Applicability; presents identity risk reduction metrics to the board.
  • Ongoing: IAM team reviews unused privileged role assignments monthly; rotates service account credentials quarterly using CyberArk Conjur or Azure Managed Identities.
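The Day 0–60 steps only count as done once they are encoded in enabled (not report-only) Conditional Access policies. The audit below is an added example, not MAST's code: it checks a list of policies shaped like the Microsoft Graph conditionalAccessPolicy resource for the three requirements in the plan; the sample tenant, the policy names and the data layout are constructed, and the role template and authentication strength IDs are the Entra built-in ones.

```python
# Added example, not MAST's code: audit Conditional Access policies (dicts shaped like the
# Microsoft Graph conditionalAccessPolicy resource) against the Day 0-60 steps above.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"        # Entra built-in role template id
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"     # Entra built-in role template id
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"  # built-in "Phishing-resistant MFA" strength
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}             # client app types used by legacy auth

def enabled(p):
    return p.get("state") == "enabled"  # report-only mode logs but does not enforce

def blocks_legacy_auth(p):
    c, g = p["conditions"], p["grantControls"]
    return (enabled(p) and "All" in c["users"].get("includeUsers", [])
            and LEGACY_CLIENTS <= set(c.get("clientAppTypes", []))
            and "block" in g.get("builtInControls", []))

def admin_phishing_resistant(p):
    c, g = p["conditions"], p["grantControls"]
    return (enabled(p) and {GLOBAL_ADMIN, PRIV_ROLE_ADMIN} <= set(c["users"].get("includeRoles", []))
            and (g.get("authenticationStrength") or {}).get("id") == PHISHING_RESISTANT)

def blocks_risky_signins(p):
    c, g = p["conditions"], p["grantControls"]
    return (enabled(p) and {"medium", "high"} <= set(c.get("signInRiskLevels", []))
            and "All" in c["applications"].get("includeApplications", [])
            and "block" in g.get("builtInControls", []))

def audit(policies):
    """Map each plan requirement to the enabled policies that satisfy it (empty list = gap)."""
    checks = {"legacy_auth_blocked": blocks_legacy_auth,
              "admin_phishing_resistant_mfa": admin_phishing_resistant,
              "risky_signin_blocked": blocks_risky_signins}
    return {k: [p["displayName"] for p in policies if f(p)] for k, f in checks.items()}

# Constructed sample tenant: the legacy-auth block was left in report-only mode, a common gap.
SAMPLE_POLICIES = [
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Admins: phishing-resistant MFA", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN, PRIV_ROLE_ADMIN]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT}}},
    {"displayName": "Block medium+ sign-in risk", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["medium", "high"], "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
```

Running `audit(SAMPLE_POLICIES)` reports the legacy-auth requirement as a gap because the policy is report-only, which is exactly the state an auditor will not accept as evidence.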

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • Phishing-resistant MFA coverage for privileged accounts — target: 100% within 30 days.
  • Standing Global Admin account count — target: 0; all access via PIM activation with ≤15-minute approval SLA.
  • Legacy authentication block rate — target: 100% of sign-ins via modern auth within 30 days of policy enforcement.
  • Risky sign-in block rate (Entra ID Protection) — target: ≥95% of High-risk sign-ins blocked or MFA-challenged.
  • Identity-related incident MTTC — target: ≤1 hour from Defender for Identity alert to account disable.
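The first two evidence sources and the first two metrics above come from the same two exports. The script below is an added example, not MAST's code: it derives per-method enrolment, phishing-resistant coverage for privileged accounts, the remediation list behind that number, and the standing Global Admin count from constructed records shaped like Graph userRegistrationDetails and roleAssignmentScheduleInstance (reduced to the fields used here); user names, principal IDs and the method set treated as phishing-resistant are assumptions.

```python
# Added example, not MAST's code: compute the registration-report and privileged-account metrics
# above from two constructed exports shaped like Graph userRegistrationDetails and
# roleAssignmentScheduleInstance records (simplified to the fields used here).
from collections import Counter

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"      # Entra built-in role template id
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness"}  # methodsRegistered values treated as phishing-resistant

# Constructed sample data.
USERS = [
    {"userPrincipalName": "ga1@example.com", "isAdmin": True,  "methodsRegistered": ["fido2", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "ga2@example.com", "isAdmin": True,  "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "pra@example.com", "isAdmin": True,  "methodsRegistered": ["windowsHelloForBusiness"]},
    {"userPrincipalName": "u1@example.com",  "isAdmin": False, "methodsRegistered": ["softwareOneTimePasscode"]},
    {"userPrincipalName": "u2@example.com",  "isAdmin": False, "methodsRegistered": []},
]
ROLE_INSTANCES = [  # assignmentType "Assigned" with no end date = standing (permanent active) assignment
    {"principalId": "ga1", "roleDefinitionId": GLOBAL_ADMIN, "assignmentType": "Assigned",  "endDateTime": None},
    {"principalId": "ga2", "roleDefinitionId": GLOBAL_ADMIN, "assignmentType": "Activated", "endDateTime": "2026-01-15T10:00:00Z"},
    {"principalId": "pra", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814", "assignmentType": "Assigned", "endDateTime": None},
]

def method_enrolment_pct(users):
    """Share of users enrolled per method (a user counts once per method, however many devices)."""
    counts = Counter(m for u in users for m in set(u["methodsRegistered"]))
    return {m: round(100 * n / len(users), 1) for m, n in counts.items()}

def privileged_phishing_resistant_pct(users):
    """Metric 1 above: % of privileged accounts with at least one phishing-resistant method."""
    admins = [u for u in users if u["isAdmin"]]
    covered = [u for u in admins if PHISHING_RESISTANT & set(u["methodsRegistered"])]
    return round(100 * len(covered) / len(admins), 1) if admins else 100.0

def privileged_without_phishing_resistant(users):
    """Remediation list for the Day 0-30 step: admins still on phishable methods only."""
    return sorted(u["userPrincipalName"] for u in users
                  if u["isAdmin"] and not PHISHING_RESISTANT & set(u["methodsRegistered"]))

def standing_global_admins(instances):
    """Metric 2 above: permanent active Global Admin assignments (target 0; the rest via PIM activation)."""
    return sorted(i["principalId"] for i in instances
                  if i["roleDefinitionId"] == GLOBAL_ADMIN
                  and i["assignmentType"] == "Assigned" and i["endDateTime"] is None)
```

On the sample data the privileged coverage is 66.7% with one admin to remediate and one standing Global Admin, which is the shape of the gap the 30-day target is meant to close.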

The executive frame

For an executive sponsor, the decision behind this piece reduces to three questions: what changes in the next two quarters, what is the cost of not acting, and what is the minimum credible response?

Held against the board cyber committee and national cyber authorities (NCA in KSA, CSC/NESA in UAE, CERT-In in India), the answer is rarely "do nothing" — but it is also rarely "rebuild the programme". The honest answer for most Cybersecurity Advisory buyers is a sharply scoped uplift focused on the two indicators that move the most: mean time to detect (MTTD) and respond (MTTR) by incident class and % of privileged accounts with phishing-resistant MFA.

  • What changes. The supervisory bar has moved on operating evidence, not on the control text itself.
  • Cost of inaction. Findings carried into the next cycle compound; remediation in a regulator-driven timeframe costs 3–5× what proactive remediation costs.
  • Minimum credible response. A 90-day uplift focused on the two indicators above, with a board-level commitment to the next review point.

Pitfalls we keep seeing

Across MAST Consulting Group's Cybersecurity Advisory portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: logging without a use case behind each source. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
  • Pattern: a strategy that lists capabilities but not outcomes. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
  • Pattern: IR plans untested against the company's actual likely scenarios. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
  • Pattern: identity controls that stop at email but not at admin tooling. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Cybersecurity Advisory engagements because the integrations are cheap and the evidence is defensible:

  • EDR (CrowdStrike, SentinelOne, Defender) — used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
  • SIEM/XDR — used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
  • Identity (Entra, Okta, Ping) — used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs Cybersecurity Advisory programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this briefing is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Cybersecurity Advisory programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.

Cybersecurity Advisory

Move from controls to resilience.

From Zero Trust roadmaps to SOC build/buy decisions, ransomware drills and OT segmentation — practical work led by CISOs who have run programmes at GCC banks, telcos and utilities.

  • CISO-led 30-minute strategy session
  • Quick-win architecture review
  • Tabletop exercise design for board or exec
