Security & Compliance

CISOs Can't Prevent Every Breach. They Can Decide How Much It Costs Them.

Aditi Sharma
Director, Strategy & GTM
July 7, 2025
8 MIn read

Ready to secure your identity surface?

About the author

Aditi leads Go-to-Market (GTM) and Business Strategy at Zluri, where she helps mid-market organizations modernize their identity governance and access management practices. Prior to Zluri, she was a Management Consultant at McKinsey & Company advising large enterprises on digital transformation, and part of the enterprise software investment team at B Capital. She holds an engineering degree from IIT Kharagpur and an MBA from Harvard Business School.

No CISO controls whether an attacker eventually gets through. Every CISO controls something else entirely: how much that attacker can actually do once they're in. That second thing is the real job, and it's the part almost nobody measures.

A CISO's performance gets discussed, informally and constantly, as if prevention were the whole mandate: fewer incidents, fewer alerts escalated, a clean year. That framing sets every CISO up for an eventual, unwinnable outcome, because prevention, at any budget, at any maturity level, eventually fails. The actual mandate, the part a CISO genuinely does control from end to end, is something narrower and more precise: how much does the breach that eventually happens actually cost.

At a glance, before the detail:

The Number Most CISOs Have Never Actually Calculated

Ask a CISO for their organization's breach count, their mean time to detect, their patch compliance percentage, and the answer comes fast, because those numbers get tracked constantly. Ask the same CISO a different, more specific question, if your single most broadly privileged identity were compromised today, how much of the organization could an attacker actually reach through it, and the honest answer is usually a shrug, or a number nobody has actually verified in a long time.

That number, not breach count, not detection speed, is the one a CISO has the most direct control over. Prevention outcomes depend partly on attacker sophistication, partly on employee behavior, partly on factors genuinely outside any CISO's reach. The blast radius of a compromised identity depends almost entirely on decisions made inside the access model itself, decisions a CISO owns completely: what access exists, whether it's still justified, and how quickly unnecessary access gets removed once it isn't.

Why This Reframe Actually Matters

Treating prevention as the job means every CISO is, statistically, working toward an eventual failure they can't fully prevent, regardless of how well they do the job. That's a genuinely demoralizing frame, and it's also the wrong one. Treating blast radius as the job means a CISO is working toward a number they can actually move, continuously, through decisions entirely within their own organization's control: tightening access, removing what's accumulated, making sure every identity carries only what its current role justifies.

This isn't a semantic distinction. It changes what gets measured, what gets funded, and what a CISO can credibly claim to have improved year over year. "We reduced incidents" is a claim partially dependent on luck and attacker behavior. "We reduced the average identity's excess access by a specific, measured amount" is a claim a CISO can make with full confidence, because it's the direct result of work the security organization actually did.

What Actually Drives the Number Up

Blast radius grows for a specific, predictable reason: access accumulates far more reliably than it gets removed. A role change grants new access immediately, since granting is obvious and someone notices right away if it doesn't happen. The same role change rarely triggers removal of the prior access with the same reliability, since nothing about a new role inherently signals that old access should go, and removal typically requires an explicit, separately configured step that many provisioning workflows simply don't include.

Repeated across every employee's tenure, every contractor engagement, every service account created for a specific integration and never revisited, this produces an access landscape where the organization's real blast radius is considerably larger than anyone assumes, because nobody has actually measured it directly. It's not a single dramatic failure. It's the compounding result of thousands of small, individually reasonable grants that were never paired with an equally reliable removal step.

Why Mid-Size Organizations Feel This Most Acutely

A CISO at a mid-size organization is managing essentially the same threat landscape as a peer at a much larger enterprise, comparable SaaS sprawl, comparable vendor access, comparable turnover, without a large team available to manually track and correct access accumulation across the organization. Attackers don't calibrate their effort to the size of the security team defending against them.

This is exactly why blast radius, not prevention spend, is the more achievable lever for a mid-size CISO specifically. Outspending a well-resourced attacker on prevention tooling isn't realistic on a mid-size budget. Keeping the organization's access model lean and continuously current is achievable regardless of team size, if it's built as an ongoing, largely automated discipline rather than something that depends on a large team noticing accumulation manually.

What Controlling the Cost Actually Looks Like

A CISO who's genuinely managing blast radius as the real mandate has a specific, ongoing discipline in place, not a one-time project completed and filed away:

Every identity's access reflects current need, not historical accumulation. Role changes trigger removal of prior access as reliably as they trigger new grants, so an identity's footprint stays close to what its current role actually requires.

Access gets compared against peers, not just checked against policy. A grant that looks individually defensible can still be a genuine outlier once it's measured against what a current peer in the same role actually holds, and that comparison catches accumulation that a policy check alone would miss.

Usage data feeds directly into what gets revoked. A permission that's technically still assigned but hasn't been used in months is functionally excess access, contributing to blast radius without contributing any actual value.

The full picture gets checked for combinations, not just individual grants. Two access grants that are each individually fine can still combine into a genuine segregation-of-duties risk once they're both held by the same identity, and catching that requires evaluating the full footprint, not each grant in isolation.

A CISO running this discipline continuously can state, with real confidence, exactly how large the organization's blast radius currently is, and show that it's trending down. That's a fundamentally different position than hoping prevention holds.

This Is What Zluri's IGA Is Actually Built to Solve

This is the direct, practical connection worth naming rather than leaving implied: giving a CISO real, continuous control over blast radius isn't a side effect of good identity governance. It's the specific outcome the discipline is built to produce.

  • Continuous discovery keeps an accurate, current record of every identity and application, so blast radius is a number that can actually be measured rather than estimated.
  • Access reviews, backed by peer comparison and real usage data, catch the accumulated, unjustified access that individual grants looked reasonable enough to approve at the time, trimming every identity back down to what its current role genuinely needs.
  • Mover-stage workflows pair every new grant with explicit removal of what the previous role no longer justifies, closing the specific gap that lets blast radius grow silently by default.
  • Segregation-of-duties evaluation runs continuously against an identity's full, current footprint, catching combinations that accumulate piece by piece across years of role changes.

None of this changes whether an attacker eventually gets in. That was never the number a CISO fully controls. What it does is give a CISO direct, measurable control over the number that actually determines how much that eventual breach costs, which is the mandate worth owning in the first place.

Frequently Asked Questions

Is blast radius something a CISO can actually measure, or is it more of a concept?

It's directly measurable, given accurate, current visibility into every identity's real access across every connected system. The reason most CISOs can't cite the number isn't that it's unmeasurable, it's that most organizations don't maintain the continuous, accurate access inventory required to calculate it confidently.

Why is blast radius a more useful metric for a CISO than breach count?

Because breach count depends partly on factors outside a CISO's control, attacker behavior, employee decisions, third-party vulnerabilities. Blast radius depends almost entirely on decisions made inside the organization's own access model, which means it's a metric a CISO can move through direct action rather than one partially subject to chance.

How does a mid-size organization reduce blast radius without a large security team?

By making access hygiene a continuous, largely automated discipline rather than a manual review process. Continuous discovery, peer-comparison access reviews, and mover-stage removal logic all reduce the amount of ongoing manual effort required to keep blast radius small, which is what makes this achievable without enterprise-scale headcount.

What's the single biggest driver of a growing blast radius over time?

The asymmetry between how reliably access gets granted and how reliably it gets removed. Role changes trigger new access immediately and consistently. They rarely trigger removal of prior access with the same reliability, since that requires an explicit step most workflows don't include by default, and that gap compounds across every role change an identity ever goes through.

Ready to secure your identity surface?