3 ways to improve the security of identity and access management

Mar 06, 2017 | 5 mins
Identity Management Solutions | Internet Security | IT Leadership

A highly effective identity and access management program will always deliver business value.


We live in times where, despite having access to the most advanced technologies on the planet, organizations struggle to protect sensitive data and intellectual property. And while the media reports an increase in spend on IT security, these increased budgets are no guarantee of improved security posture.

The more I talk to CISOs and IT leaders at conferences and trade shows, the more I am convinced that most organizations are experiencing the same realities year after year. These conversations validate my own experience of working “hands on” in the industry for over 16 years and paint a clear picture of how much help companies need to establish and secure their identity and access management (IAM) programs.

End of life systems. Too many organizations are at a point in their IAM journey where they literally have one of every product in the marketplace. Legacy systems are increasingly insecure and costly to replace, often burdened by organizational politics or lack of program funding. Plus, IAM teams are pressured by vendors to maintain license compliance with the latest hot fixes and security patches.

Provisioning silos. Overlapping systems and manual processes that are frequently not governed by a company’s governance, risk and compliance (GRC) policies increase the number of threat vectors and, consequently, the cost and effort of maintaining compliance.

Weak architecture and strategy. Weak architecture and strategy result when too much time is allocated to tactical execution. When architectural and strategic planning is neglected for too long, the outcome is myopic vision, which is detrimental to a department’s ability to align with the business strategy.

Failure to focus on end-to-end experience. Multiple logins, password proliferation, inconsistent user experience, loss of productivity, and frustrated users all result from a failure to plan, design, and integrate IAM systems from a strategic vantage point. When organizations grow, systems become more disparate and disconnected, causing customers to suffer from poorly connected customer information systems and disjointed customer service.

Technology doesn’t matter

In his 2003 HBR article “IT Doesn’t Matter,” Nicholas Carr outlines his thesis that IT is of diminishing value and that we must train IT managers not to throw technology at every problem. For most IAM solutions available on the market, there is at least one suitable alternative that can be substituted in its place. If technology were the only thing needed to enable great customer experiences, increased revenues, and mitigated risk, we would have an economy where success was directly proportional to how much money was invested in IT each year.

Managing IAM effectively requires holistic thinking combined with the right collaboration (people) and integration (processes) to establish governance and create efficiencies for lines of business and their stakeholders. Risk and security policies should inform IAM initiatives, which in turn inform architecture and strategic direction. Applications and IAM architecture should inform how infrastructure and operations will need to support and enable the business with hybrid solutions and expertly managed services. (See the downloadable infographic.) Fostering collaboration and a sense of vested interest in shared outcomes is key for an organization to mature and grow along with the technology.

Infographic: Management effectiveness is key to secure IAM. Illustration of management and organizational strategy as the key to IAM success. (Credit: Thinkstock)

How a company manages its systems and information is intrinsically more valuable than the technology itself. Data protection and privacy demand better end-to-end processes and standardized connections between systems, not only to ensure improved customer experiences but also to keep legacy debt from becoming detrimental to the business. Even a secure IAM program may become insecure if the organization does not act to address the cultural, talent management and process issues in question.

Improving the security of IAM requires forward-thinking organizations to look beyond technology and get crystal clear on the strategic direction and management issues today to exploit tomorrow’s opportunities. To do that effectively, I propose the following considerations that every organization will be faced with sooner or later:

1. Drain the swamp

Organizations must look at legacy systems and technical debt as a growing source of risk and liability to the business. Not only can talent be expensive, in some cases it’s impossible to find. End-of-life systems left unpatched can leak sensitive data and ultimately become a liability. Draining the swamp – eliminating the highest risk systems first – requires political astuteness and strong leadership to pull the organization into the future.

2. Make a Managed Services Provider a strategic partner

Juniper Research estimates that cybercrime will cost businesses around the world over $2 trillion by 2019. Despite the significance of this threat, not every organization can boast about its in-house security operations team.

Managed security service providers (MSSPs) are to IT departments what Airbnb is to the travel and hospitality industry. MSSPs are not only an excellent option for companies that are having difficulty hiring in-house security personnel; they often also have specialized expertise and a view of third-party threat intelligence that many organizations are not routinely exposed to.

3. Implement an Identity PMO

IAM strategy can no longer be created in a vacuum without severe consequences. A program management office, or PMO, can help to bring order to the chaos, and ensure that investments and activities are aligned across business units. When an effective PMO is in place, it will help minimize risk while maximizing the return on investment in IAM over the long haul.

As IT leaders, we need to set egos aside and foster a culture of collaboration, develop talent management skills and accelerate the process integration needed to scale today’s global businesses. As more organizations move sensitive data and critical workloads to the cloud, management issues take center stage. Simply throwing more money and technology at the problem does not guarantee success.

Steve is obsessed with helping transform business by building trust, reducing operational risk and improving user experiences with modern identity & access management. Founder & President of Forte Advisory, he has been a member of the IAM community for 18+ years with a focus on program management, enterprise architecture, and operational excellence for the world’s largest companies in telecommunications, financial services, high tech and Big 4 consulting.

Steve was formerly CEO of VeriClouds and a Director of Cybersecurity & Privacy at PwC. Prior to PwC, he was the head of IAM at VMware (one of the four largest enterprise software companies) where he designed and managed customer and partner facing systems. Prior to joining VMware, Steve was a consultant at Oracle where he led deployments for strategic accounts in the manufacturing and high tech sectors.

As an advisory board member, Steve has helped founders with the development of strategic relationships, business development, market and capital strategy, product design channel and sales strategies. Startups he has helped include Seattle based VeriClouds, and Palerra, the leading cloud access security broker and pioneer of the API-based CASB solution. (Palerra was acquired by Oracle in October, 2016.)

Steve is available for strategic consulting and private workshops at his clients’ offices throughout the US and Canada.

The opinions expressed in this blog are those of Steve Tout and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.