Success in security depends on working with others. Getting their support on key initiatives to better protect what matters.How do you do that?I recently talked with Kevin Cunningham (Linkedin), President & Co-Founder, SailPoint about the challenge for security leaders to connect with others and get support. With an impressive background that includes founding and marketing Waveset and then co-founding and leading Sailpoint, Kevin understands the importance of getting others on board with your mission.We started our discussion with an acceptance that the perimeter approach isn\u2019t working. SaaS adoption continues and is increasing. And while the expansion of business is great for us; it\u2019s also good for attackers, too.That creates a unique pressure on identity. It is the common line - especially as more of our systems are outside of our non-existent perimeter. It creates a need to know how to manage the identity and to better control access.Kevin explains the details below.How does identity create an opportunity to bring security and the business together?Historically, the business side of an organization has viewed security programs as a hindrance \u2013 something that at best must be tolerated (and in the worst of cases, ignored), in the interest of more pressing business needs and priorities. To be fair, an over-zealous security program can limit the productivity of business users. But at the same time, a program that is too lax puts the organization at risk. The key is to strike a balance \u2013 to minimize the impact to (or even boost) the productivity of business users while managing risk to an acceptable level for the organization. \u00a0A sound Identity management program provides security teams the opportunity to strike this balance. \u00a0The reality is that security needs business participation in the management of identity. \u00a0It\u2019s the people in the line of business who are doing the hiring and transferring of people, forming relationships with strategic partners, doing mergers and acquisitions, etc. Those people know better than IT who should have access to what. But security must make participation in these processes E-A-S-Y and beneficial. Business people have little tolerance or time to learn new skills just to help the security team.The key for security groups is to provide visible benefit to the business, while at the same time enforcing the security needed to manage risk. Examples of these benefits include self-service capabilities for gaining access to applications and managing their own passwords, as well as streamlining the onerous task of reviewing access privileges (as many organizations are required to do periodically). An effective identity management program delivers these benefits to the business while at the same time allowing for the behind-the scene controls that manage risk to an acceptable level for the organization. In this way, the effective management of identities can be viewed as a business enabler, as opposed to a hindrance.It seems this is a second (or third) chance for a lot of companies. Is it getting easier to tackle identity projects?Managing identities is one of those things that appears straightforward on the surface, but can be extremely complex once you dig under the covers. In complex environments, it\u2019s not unusual to find hundreds (if not thousands) of applications \u2013 each with their own security models and many different types of users (employees, contractors, business partners) with very specific access needs. And these users are fluid: new people are coming on board all the time, people are changing jobs, people are leaving an organization, mergers and acquisitions are occurring, and business partnerships are created and dissolve. There are lots and lots of moving parts to be managed on a continuous basis. And rarely is the same person represented in all these systems by the same user ID. So it\u2019s not surprising that some companies struggle mightily with an effective identity management program.In my years of experience, the biggest differences between those that are highly successful, and those that continue to struggle year after year, break down into three categories: people, process and technology. Identity Management programs that are successful are typically led by strong individuals who have backing at a very high level in the company. Missing either of these elements, and the distributed nature of the identities across the enterprise means an uphill battle.As far as processes go, I\u2019ve seen several people take the approach of \u201cpaving the cow path,\u201d that is automating existing (and outdated) processes with an automation tool. \u00a0What you can end up with can be an automated mess. \u00a0Successful identity projects take a hard look at existing processes and examine whether there are changes required to modernize or streamline. And lastly, the technology chosen can have a significant impact on the outcome of an identity program. \u00a0It\u2019s imperative to understand underlying architecture. (i.e. How was the solution built? Through acquiring and knitting together multiple solutions or designed from the ground-up in a purposeful manner?) \u00a0Ensuring that the solution is well architected is key to avoiding an identity management nightmare.Security leaders realize they can\u2019t be the team of no. How can they navigate the complexity of identity while meeting business needs?First and foremost, security leaders and teams must accept that the business will continue to evolve and adopt new technologies \u2013 with or without their involvement. The migration to the cloud and SaaS is happening and BYOD is a fact of life in most organizations. So there\u2019s no sense in pushing back on these initiatives. Instead, security teams should find ways to facilitate new technology adoption in ways that allow them to partner with the business on this journey.A centralized identity management strategy provides the security team with the ability to facilitate the deployment, adoption and management of these new technologies. With this kind of partnership, everybody wins. The business gets a set of automated capabilities that allow them to easily onboard users to these new technologies, manage them over time, and provide powerful self-service capabilities for password management and access request \u2013 all big gains for the business. \u00a0At the same time, the security team gains the visibility, policy enforcement, and control over these new technologies.The key is taking the time upfront to explain the value proposition to the business stakeholders. It\u2019s a frank conversation they will enjoy.Why is a centralized viewpoint of identity essential in the our current landscape?We live in a time of openness and collaboration, which is good for business. It allows companies to expand and grow \u2013 both organically and inorganically. More and more companies are embracing broad information sharing both internally and with business partners. At the same time, from a security perspective the physical network perimeter has disappeared. \u00a0People are using their own smart phones, laptops, and tablets to access corporate assets and more and more of these assets are cloud-based \u2013 beyond the protection of the corporate firewall. Often one\u2019s identity is the only common element linking all this together, so managing it effectively is of paramount importance.At the same time, the threats have never been greater or more sophisticated. For example, Google recently reported that they experience 4,000 state-sponsored cyber attacks per month. The dark web is full of identities for sale that have been stolen by organized criminals. For most companies, the time to detect an attack hovers around 150 days. The longer an attacker lingers in the network, the more time they have to move around and steal information. Oftentimes, an attacker achieves this with compromised identities.Each department within the organization should care if they\u2019re creating risk. And that caring comes through education and a culture of security that\u2019s created by security teams and executive leadership together.What does it take to check your current approach and get started on the path to better identity management?It all starts with self-assessment. As a security leader, ask yourself these simple questions: Does my organization have an understanding of who has access to what? Do I know whether it\u2019s appropriate given their relationship to my business (be they employee, contractor or customer?) Do I have a way to enforce controls and security policies over access at an enterprise level? And how do I manage identities over the course of a user\u2019s life cycle with the organization?If I\u2019m a security leader and I can\u2019t answer these questions adequately, I need to take this to executive leadership and admit, \u201cWe can\u2019t quantify what our risk profile is.\u201d Visibility is key \u2013 and that\u2019s where you want to start. Once you have centrally gathered identity information from your applications (new and legacy), databases, directories and other enterprise resources, you can start to apply the necessary controls and process automation across its management.