Authored by Daniel Poliquin, principal of Deloitte & Touche LLP.

I’ve seen this situation again and again: After investing thousands — often millions — to equip their enterprise with automated identity and access governance technologies, the organization’s system is breached. How does this happen?

A closer look may show that even though approval processes were followed, access requests were routinely approved because no one really understood what the approvals meant. The rubber stamp may satisfy audit requirements, but it doesn’t reduce business risk. In fact, it may increase risk by giving leaders a false sense of comfort.

Lessons From the Front Line of Identity and Access Governance

The problem usually begins when a company approaches identity and access governance as a technology project when it’s really a business transformation program. To make lasting change and truly reduce business risk, people across the organization have to alter what they are doing and, most importantly, understand why they are doing it.

Here are few lessons I’ve learned over 16 years of focusing on identity and access management as a cyber risk professional.

Understand the Business Requirements

Unless the final solution meets the needs of the business, it will likely fail. A steering committee made up of business leaders who have skin in the game can provide ongoing guidance to the project sponsor.

A customer or user advisory board is also valuable. This group can provide input as the program is developed and ensure that the final solution will meet its needs. The goal is to get the final users to embrace it and influence their peers to do the same.

Start With the End in Mind

Before you begin, work with stakeholders to create a clear vision of the end state you’re working toward. Identify the gaps you’ll need to fill, and then develop the road map you’ll follow to get there. This may sound like Project Management 101, but you’d be surprised how many organizations skip this important step and implement quick fixes that often complicate the problem down the road.

Measure

Business leaders evaluate investments, whether it’s an equipment purchase or business transformation project, based on their return on investment (ROI). They also like to measure progress as a program evolves.

You’ll need to define and measure the key metrics that quantify the project’s business value. For example, you may want to track the time required to establish new user access or user certification, determine if fewer people are required for the initiative and reduce calls to the help desk.

Keep It Simple

It’s human nature to resist change, so organizations are often tempted to customize the new technology solution to replicate what they were doing in the past. And guess what? The issue doesn’t go away. Stick with what works for the market and only customize if the change will create real business value.

Use Targeted Communications

Your steering committee members and customer advisory group can be invaluable when it’s time to roll out the program. Encourage them to share their enthusiasm and support with their users and peers. As you go live, customize communications to different groups and entities to effectively emphasize how the change will improve their work lives.

Know Nothing Is Perfect

Of course, make sure your solution is well-tested and piloted. But at some point, you’ll just need to jump in knowing that some unexpected issues are likely to emerge. Listen to feedback from your user groups and respond promptly with fixes and enhancements. Most importantly, rack up a few quick wins and build from there. Improvement is a project that never ends.

Learn More at InterConnect 2017

Attend IBM InterConnect 2017 in Las Vegas to join me and Andrea Rossi, vice president of identity governance and intelligence sales at IBM, as we discuss how leading organizations are dealing with identity governance. Our presentation, “The Good, the Bad and the Beautiful: The Saga Continues With Episode Three,” will touch on how identity governance initiatives often force different groups to work together despite their separate priorities, and we’ll share a customer case study. Join us on Monday, March 20 at 3:15 p.m. in Mandalay Bay’s Palm B.

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today