CIS Control 5: Account Management Is Where Most Breaches Really Begin

CIS Control 5 – Account Management

Most cyber breaches don’t start with elite hackers or zero-day exploits.

They start with something painfully ordinary: an account that never should’ve existed—or never should’ve had that much access.

Former employees. Dormant service accounts. Shared admin credentials. Test users that quietly became permanent. These are the cracks attackers look for first.

That’s exactly why CIS Control 5: Account Management exists.

Why Account Management Is a High-Risk Blind Spot

Organizations often focus heavily on perimeter defenses—firewalls, EDR, phishing training—while assuming identity access is “mostly handled.”

It rarely is.

In real environments, account sprawl happens fast:

  • Employees change roles but keep old permissions

  • Contractors leave, accounts remain

  • Admin access is granted “temporarily” and never removed

  • Service accounts run forever without review

Each one becomes a silent entry point.

Attackers don’t need to break in if they can simply log in.

What CIS Control 5 Actually Requires

CIS Control 5 is not about bureaucracy—it’s about precision.

At its core, it enforces one principle:

Only the right accounts should exist, and only with the access they actually need.

Key expectations include:

  • Inventory all accounts (human and non-human)

  • Disable accounts promptly when no longer needed

  • Restrict and monitor privileged accounts

  • Avoid shared credentials

  • Regularly review and validate access

This control turns identity from an afterthought into a managed security surface.
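The expectations above translate directly into checks you can run against an account inventory. The following is an added illustration, not code from the original post or from CIS: a small audit over a constructed inventory export that flags leavers still enabled, dormant accounts, shared credentials, unowned service accounts and privileged accounts whose access review is overdue. The field names and the 90-day thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90   # constructed threshold: no login for this long gets flagged
REVIEW_DAYS = 90    # constructed threshold: privileged access must be re-validated
OFFBOARD_GRACE = 1  # days an account may stay enabled after a leaver's last day
AS_OF = date(2025, 1, 15)  # constructed "today" for the sample run

@dataclass
class Account:
    name: str
    kind: str                           # "human" or "service"
    enabled: bool
    privileged: bool
    owner: Optional[str]                # accountable person or team; None = nobody
    last_login: Optional[date]
    last_review: Optional[date] = None  # last time this access was validated
    left_on: Optional[date] = None      # last working day, for leavers
    shared: bool = False                # credential used by more than one person

def audit(accounts, today):
    """Return (account name, finding) pairs for every enabled account that
    breaks one of the Control 5 expectations; disabled accounts are skipped."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.left_on and (today - a.left_on).days > OFFBOARD_GRACE:
            findings.append((a.name, "still enabled after offboarding"))
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.name, "dormant: no login in %d days" % DORMANT_DAYS))
        if a.shared:
            findings.append((a.name, "shared credential"))
        if a.kind == "service" and a.owner is None:
            findings.append((a.name, "service account with no named owner"))
        if a.privileged and (a.last_review is None or (today - a.last_review).days > REVIEW_DAYS):
            findings.append((a.name, "privileged access review overdue"))
    return findings

# Constructed sample inventory, the kind a directory or IdP export would give you.
SAMPLE = [
    Account("alice", "human", True, True, "it-ops", date(2025, 1, 14), date(2024, 12, 20)),
    Account("bob", "human", True, False, "hr", date(2024, 8, 1), left_on=date(2024, 9, 30)),
    Account("svc-backup", "service", True, True, None, date(2025, 1, 14)),
    Account("shared-admin", "human", True, True, "it-ops", date(2025, 1, 13), date(2024, 12, 20), shared=True),
    Account("old-test", "human", False, False, None, None),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, AS_OF):
        print(f"{name}: {finding}")
```

In practice the inventory would come from your directory or identity provider, and each finding should map to an owner and a ticket, not just a log line.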

Where Organizations Commonly Fail

Most failures come down to convenience and assumptions:

  • “We’ll clean that up later”

  • “That account is probably still needed”

  • “It’s just an internal admin account”

Attackers thrive on “probably.”

Unchecked accounts allow:

  • Privilege escalation

  • Lateral movement

  • Persistence after initial access

  • Silent data exfiltration

When breaches are investigated, identity misuse is almost always involved.

Account Management as a Business Enabler

Strong account management doesn’t slow teams down—it removes chaos.

When done right, it:

  • Reduces breach impact

  • Simplifies audits and compliance

  • Supports Zero Trust strategies

  • Improves onboarding and offboarding

  • Clarifies accountability

Security becomes predictable instead of reactive.

Making CIS Control 5 Practical

This isn’t about creating red tape. It’s about repeatable discipline:

  • Automate provisioning and deprovisioning

  • Enforce role-based access instead of exceptions

  • Review privileged access on a schedule

  • Treat service accounts as high-risk assets

  • Align identity controls with real job functions

If identity is the new perimeter, then account management is the lock on the door.

Final Thought

Most breaches don’t happen because security teams lacked tools.

They happen because access was never fully controlled.

CIS Control 5 forces organizations to answer a simple but uncomfortable question:

Who actually has access—and should they?

If you can’t answer that confidently, attackers already know the answer.
