February 6, 2019 By Marc von Mandel 7 min read

Co-authored by Kevin Pratt.

Identity and access management (IAM) should be a seamless part of employees’ day-to-day activities and your organization’s overall security posture. An IAM program controls and administers the access users have to an array of critical systems and data. If your users have difficulty accessing systems and applications with an IAM solution in place, your security posture can suffer. For example, employees may go around established security policies and leverage shadow IT applications to get their jobs done faster.

Many identity programs struggle to gain user acceptance because IAM is a particularly challenging field within security. If you don’t start by following IAM best practices and understanding the business’ goals and users’ needs and requirements, you may find it difficult to gain the levels of user adoption necessary to make an IAM program successful in the long term.

Infuse Empathy Into Your IAM Program Using the Enterprise Design Thinking Framework

Kevin Pratt, senior managing consultant in identity and access management at IBM, has heard countless stories from clients who tried to deploy an IAM tool without first considering users’ needs and their related pain points. I found his advice to be particularly insightful, so I asked him to sit down for an interview to talk about some critical considerations for designing a world-class IAM program.

Question: How would you explain Enterprise Design Thinking to a first-time client?

Pratt: Enterprise Design Thinking is an approach that helps us align IAM projects to the business by focusing on user outcomes. This approach helps us achieve better user experiences, delivers programs at scale and does this in a faster time frame.

With Enterprise Design Thinking for IAM, we first seek to understand what problem we are solving, the different stakeholders that are interacting with and impacted by IAM programs, then identify user needs, pain points and wants. These insights help us to work collaboratively with our clients to identify the right problem to solve, and secondly, correctly design and align user needs to the business. Understanding this convergence of needs across all three dimensions is key to designing a successful IAM program.

Give an example of a time a client used Enterprise Design Thinking to understand what users really want. What was the result, and how did it compare to clients that didn’t focus on IAM best practices?

IAM projects usually fail due to lack of user acceptance. IAM user acceptance can be especially challenging when balancing project and security requirements with the user experience.

So, if you take time, in the beginning, to align IAM work with the needs of your users and the business, you give your users a sense of ownership of the IAM work and build a foundation for a true partnership between the users, the business and IAM practices. As mentioned, these are key to building and executing a successful IAM program.

One client example that comes to mind is a health care organization that was adopting single sign-on (SSO) and wanted to leverage biometrics by using fingerprints. However, many users, like doctors and nurses, have to wear gloves at all times when working with patients and can’t always authenticate their identity with fingerprints.

We quickly identified in a design thinking session that these users needed a different way to authenticate, like a face or iris scan. Rather than deliver an authentication solution that met security requirements but did not meet critical end user requirements, we immediately identified that the end users’ needs did not align. These insights were leveraged to build a set of requirements which would result in seamless user adoption.

Tell me about a time when an organization didn’t obtain stakeholder buy-in.

We hear these stories over and over …

One example in particular comes to mind: A client was building an IAM product that would onboard and offboard users — essentially a robust identity governance and administration solution. A month before the go-live date, a human resources executive went to the C-suite and said that the IAM group forgot to include them at the right level in the conversations around the project requirements. In this situation, HR was particularly concerned about employee transfers, leaves of absence and other temporary leaves because of the access retained by the employees, which puts the business at unacceptable risk. These user requirements weren’t incorporated at the level that HR wanted.

As a result, the project was stopped by the business right before the go-live date, and the project hasn’t moved forward a year later.

Many times, IAM projects do not correctly involve the right stakeholders at the right level. Therefore, it becomes imperative that the right stakeholders are included from the beginning. As an IAM practitioner, it’s your responsibility to walk through the user life cycle process with line-of-business (LOB) executives and other key stakeholders.

All too often, IAM specialists are laser-focused on security requirements and user onboarding. Of course, IAM needs that particular information. However, where you encounter trouble is when IAM experts are not paying attention to what the lines of business are doing with the data.

If you’re only concerned with security, you’re missing an essential component. An Enterprise Design Thinking for IAM session takes you out of the security silo and immerses you, your IAM stakeholders and collaboration teams into the lives and personas of the users that will interact with the new IAM technology. Too many times it is missed during a deployment.

What’s one of your favorite Enterprise Design Thinking exercises? Discuss the approach and why it’s helpful for clients.

One of the most helpful exercises I’ve seen is the empathy map. It enables you and your business to gain a better understanding of the user and their specific needs. It starts with identifying the user that will interact with systems and asks a series of questions.

Ideally, impacted users, or what are referred to as “sponsor users,” are invited to the design thinking sessions, interviewed in advance or the design thinking work is “played back” to them on a regular basis. This results in the user’s voice being present throughout the collaboration process, and the insights which surface as a result of their involvement are continually infused into planning in an iterative manner.

These questions are not just about IAM. The questions get into the user’s life. Sample questions might be:

  • Do employees work remotely?
  • Do employees spend time traveling?
  • Do employees spend time at the office?
  • What is the office environment like?
  • What is your sponsor user thinking, feeling, saying and doing in the context of the problem you’re solving for?

The goal is to develop a robust frame of reference which accurately represents the user.

Then, you put your answers into a grid and identify what your users say, think, feel and do. In the middle of this, we have a picture of this person or user (see image below). The goal is to immerse ourselves into the lives of users.

Design an IAM program optimized for your business

More often, it’s fairly easy to fill in the “says” section because we know what they said. But we have to take it further and understand what the users are thinking. This requires getting into the mind of the users and including them as a part of the exercise so that the entire team can understand and verbalize what the users are thinking.

Then you move into how they feel. Users often feel frustrated about security solutions, but nobody on the security side usually explores those frustrations. Lastly, what does the user do? If this solution causes a problem, what will the user actually do? This often includes users finding creative ways to bypass our security controls. You need to understand what the negative consequences are for an IAM program failure. You may be able to identify those risks and stop them before they happen.

Once we have these identified, we then start to cluster, remix and group the needs and pains on the empathy map. By grouping like needs and pain points for numerous personas representing users, you begin to see common issues across different users by what they’re saying, thinking, feeling and doing. This exercise allows you to first identify themes in common, then prioritize the problems and determine which ones to solve first. It helps you answer the question that most often comes up: “How do we best address this?”

In summary, an empathy map is a fantastic way to get a deeper understanding of these users that will interact with your IAM processes and technologies.

After you’ve completed this exercise, one thing that can happen is you can have information overload. There may be so many needs and pains that an organization doesn’t know where to start. That’s where the prioritization grid can come into play.

Essentially, you take all the information gathered from the empathy map and put it into a grid that measures the impact on the user. You want to understand the feasibility of each issue. Only having the information from the empathy map isn’t enough — it is only one piece to ensuring user understanding. You need to be able to prioritize the needs and pains, identify what are the real impacts and what the feasibility is for fixing these.

It is important to note that prioritization grids are not limited to use after an empathy map exercise. They can be leveraged as a next step in many other stages of Design Thinking iteration, such as for prioritizing ideas, identifying and managing risk, and developing initial road maps and action plans.

These two exercises are very effective as part of a wider Enterprise Design Thinking approach that drives the engagements from beginning to end. It’s important to realize that Design Thinking isn’t just a workshop and an exercise or two; rather, it’s a completely different way of working with clients.

Why do you think Enterprise Design Thinking helps to build a more successful IAM program?

Enterprise Design Thinking focuses on user outcomes instead of just security outcomes. IAM tools do not exist in a userless vacuum. So, it’s vital for IAM practitioners to include users in their IAM discussions and programs. There’s not a good track record of this happening to date — we can do better for our clients by leveraging the Design Thinking framework and beginning to practice first with our own teams. Try an empathy map in practice to get a start.

At the 2018 Gartner IAM Summit in Las Vegas, we had a workshop where attendees chose a user (CISO, IAM admin, incident response analyst or customer) framed by a design prompt or common problem experienced by those stakeholders to focus on while putting together an empathy map. We had mostly security practitioners in the room.

Unsurprisingly, the user that was chosen by the least number of attendees was the customer. It can be difficult for IAM practitioners to relate to our customers and users. This we are hoping to change by virtue of exposing our IAM practitioners to the framework and how best to leverage it.

With Enterprise Design Thinking, we don’t have to guess what each user wants. We take the time to get to know the users, and this allows us to identify the right problem to solve, correctly align with the users and business, and identify a solution that meets the security requirements, addresses user needs and the needs of the business.

Design an IAM program optimized for your business

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today