This is your Crown Jewels, your most critical assets (client data, intellectual property, service up time etc). Like anything precious, it always needs protection from unscrupulous characters.
But unlike the physical world, it’s more a question of when, than if, an attacker will get inside. Whoever they are, they know privilege account credentials are the route to those crown jewels.
Resources are limited, budget is tight and time constraints are an issue. What do you do first to protect your ‘crown jewels’ with the least amount of effort?