We live in times where, despite having access to the most advanced technologies on the planet, organizations struggle to protect sensitive data and intellectual property. And while the media reports an increase in spend on IT security, these increased budgets are no guarantee of improved security posture.
The more I talk to CISOs and IT leaders at conferences and trade shows, the more I am convinced that most organizations are experiencing the same realities year after year. These conversations validate my own experience of working “hands on” in the industry for over 16 years and paint a clear picture of how companies need help to achieve and secure their identity and access management (IAM) programs.
End of life systems. Too many organizations are at a point in their IAM journey where they literally have one of every product in the marketplace. Legacy systems are increasingly insecure and costly to replace, often burdened by organizational politics or lack of program funding. Plus, IAM teams are pressured by vendors to maintain license compliance with the latest hot fixes and security patches.
Provisioning silos. Overlapping systems and manual processes that are frequently not enforced by a company’s governance, risk and compliance (GRC) policies increase threat vectors and, consequently, the cost and effort of maintaining compliance.
Weak architecture and strategy. Weak architecture and strategy occur when too much time is allocated to tactical execution. When architectural and strategic planning is neglected for too long, the result is often myopic vision, which is detrimental to a department's ability to align with the business strategy.
Failure to focus on end-to-end experience. Multiple logins, password proliferation, inconsistent user experience, loss of productivity, and frustrated users all result from a failure to plan, design, and integrate IAM systems from a strategic vantage point. When organizations grow, systems become more disparate and disconnected, causing customers to suffer from poorly connected customer information systems and disjointed customer service.
Technology doesn’t matter
In his 2003 HBR article IT Doesn’t Matter, Nicholas Carr outlines his thesis that IT is of diminishing value and that we must train IT managers not to throw technology at every problem. For most IAM solutions available on the market, there is at least one suitable alternative that can be substituted in its place. If technology were the only thing needed to enable great customer experiences, increased revenues, and mitigated risk, we would have an economy where success was directly proportional to how much money was invested in IT each year.
Managing IAM effectively requires holistic thinking combined with the right collaboration (people) and integration (processes) to establish governance and create efficiencies for lines of business and their stakeholders. Risk and security policies should inform IAM initiatives, which in turn inform architecture and strategic direction. Applications and IAM architecture should inform how infrastructure and operations will need to support and enable a business with hybrid solutions and expertly managed services. (See downloadable infographic.) Fostering collaboration and a sense of vested interest in shared outcomes is key for an organization to mature and grow along with the technology.
Management effectiveness is key to secure IAM
How a company manages its systems and information is intrinsically more valuable than the technology itself. Data protection and privacy demand better end-to-end processes and standardized connections between systems to not only ensure improved customer experiences, but also to avoid legacy debt from becoming detrimental to the business. Secure IAM may become insecure if organizations do not act to address the cultural, talent management and process issues in question.
Improving the security of IAM requires forward-thinking organizations to look beyond technology and get crystal clear on the strategic direction and management issues today to exploit tomorrow’s opportunities. To do that effectively, I propose the following considerations that every organization will be faced with sooner or later:
1. Drain the swamp
Organizations must look at legacy systems and technical debt as a growing source of risk and liability to the business. Not only can talent be expensive, in some cases it’s impossible to find. End-of-life systems left unpatched can leak sensitive data and ultimately become a liability. Draining the swamp – eliminating the highest risk systems first – requires political astuteness and strong leadership to pull the organization into the future.
2. Make a Managed Services Provider a strategic partner
Juniper Research estimates that cybercrime will cost businesses around the world over $2 trillion by 2019. Despite the significance of this threat, not every organization can boast about their in-house security operations team.
Managed security service providers (MSSPs) are to IT departments what Airbnb is to the travel and hospitality industry. MSSPs are not only an excellent option for companies that are having difficulty hiring in-house security personnel; they often also have specialized expertise and a purview of third-party threat intelligence that many organizations are not routinely exposed to.
3. Implement an Identity PMO
IAM strategy can no longer be created in a vacuum without severe consequences. A program management office, or PMO, can help to bring order to the chaos, and ensure that investments and activities are aligned across business units. When an effective PMO is in place, it will help minimize risk while maximizing the return on investment in IAM over the long haul.
As IT leaders, we need to set egos aside and foster a culture of collaboration, develop talent management skills and accelerate the process integration needed to scale today’s global businesses. As more organizations move sensitive data and critical workloads to the cloud, management issues take center stage. Simply throwing more money and technology at the problem does not guarantee success.