Build your resilience as identity and sovereignty reshape cybersecurity

Enterprises are seeing a critical change: identity has become the most vulnerable target for attacks, and these risks must be part of the modernization of cybersecurity programs. Accenture’s move to acquire IAMConcepts signals that providers are gearing up for this shift, one that enterprises must match by modernizing their security stack with identity protection at the core.

Privileged accounts, employee credentials, and customer identities are now the top targets for attackers. For CISOs, this creates an urgent need to strengthen identity and access management (IAM) as cloud use, remote work, and third-party access expand. Accenture’s acquisition of IAMConcepts is a response to this reality, bringing governance and access management capabilities along with experience in regulated industries such as banking, energy, and healthcare. That makes the deal foundational to enterprise defenses, not just a technical addition.

Identity and zero trust are rising enterprise priorities

Our recent Cybersecurity Services Horizons report highlighted that IAM and zero trust are fast-growing areas of enterprise security investment. We also profiled Accenture’s security capabilities, and this acquisition extends the direction we noted there. The message for CISOs is clear: IAM is no longer a supporting function but a core pillar of security strategy.

Furthermore, our study showed that cybersecurity is top of mind for executives as they navigate shifting geopolitical and economic risks. This means IAM and zero trust are not only technology priorities but also board-level concerns (see Exhibit 1).

Exhibit 1: Cybersecurity threats rank among the top barriers to enterprise progress

Sample: 305 major enterprise decision makers
Source: HFS Research Pulse, 2025

Cybersecurity emerges as a growth engine within Accenture’s strategy

Accenture’s acquisition strategy showed that the company is betting on security as a growth engine for the AI era. In 2024, it reported 18% year-on-year growth in security revenues, outpacing overall revenue growth. This growth underscored that cybersecurity is moving well beyond a compliance task or IT sub-sector and becoming a core driver of trust with regulators, customers, and partners. Our research (see Exhibit 2) revealed that enterprises ranked cybersecurity as the top area where AI can deliver significant value.

Exhibit 2: Enterprises put cybersecurity first for AI value

* Product management, business process design, and experience design
Sample: 608 survey participants
Source: HFS Research, 2025

Looking at the bigger picture, we see that the acquisition isn’t happening in isolation. Accenture has added Brazilian defense firm Morphus (Brazil), MNEMO Mexico, and Spain-based Innotec Security to its cybersecurity portfolio in the last couple of years. Since 2015, the company has made 22 acquisitions in the cybersecurity sector, mainly to bolster its solutions across the cybersecurity portfolio.

The message to enterprises is clear: cybersecurity has evolved from a cost center to a core driver of business growth. Without strong security, all the crown jewels are at risk, and enterprises that address this passively will face far-reaching consequences.

Data sovereignty must be intertwined with cybersecurity strategies, or they’ll fail to attract customers

There’s an underlying pattern in Accenture’s picks. IAMConcepts (Canada), CyberCX (Australia), Morphus (Brazil), MNEMO (Mexico), and Innotec (Spain) all sit in jurisdictions moving toward tighter privacy obligations. These changes may not move at the same pace, but the direction is the same.

Is Accenture hedging against rising sovereignty expectations? We don’t know that, but what’s clear is that owning local firms with existing trust, government ties, and compliant infrastructure gives it a kind of ‘sovereign credibility.’ This could be a way to win regulated, public-sector, and critical-infrastructure deals without dealing with residency mandates, which is more than portfolio expansion. If more economies begin requiring ‘trusted local providers’ to handle critical cyber functions, Accenture will be well-positioned.

Sovereignty debates are also influencing how services are built. For example, Accenture is partnering with Telus in Canada to deliver sovereign cloud and data services for government, healthcare, and financial firms. This exemplifies how partnerships are co-developing sovereignty requirements that are now shaping how security, cloud, and identity services are designed.

The bigger signal for enterprises is that conversations around sovereignty are reaching the boardroom. Governments are drafting new laws about where data sits, who manages it, and how breaches are reported. Enterprises must demonstrate compliance through their own controls and the partners they select.

The Bottom Line: Cybersecurity today is about proving trust through access control and sovereignty compliance—not just blocking threats

Accenture’s acquisition of IAMConcepts, alongside the other cybersecurity deals, indicates how it is adapting to where the market is going. Providers are adding identity skills, building local presence, and preparing for data and compliance rules. The bigger takeaway is not about Accenture itself but what this means for enterprises.

Identity risk and sovereignty demands are becoming the biggest tests of security readiness, and enterprises shouldn’t treat them as background issues. Weak access controls are now attackers’ most common entry point, coinciding with the stricter regulations on data management. Security leaders can’t solve this alone. They need partners with technical depth, domain expertise, and industry knowledge to close gaps in IAM and meet rising compliance expectations. Those that act early will strengthen their position with regulators, customers, and their own boards.