Authored by Daniel Poliquin, principal of Deloitte & Touche LLP.
I’ve seen this situation again and again: After investing thousands — often millions — to equip their enterprise with automated identity and access governance technologies, the organization’s system is breached. How does this happen?
A closer look may show that even though approval processes were followed, access requests were routinely approved because no one really understood what the approvals meant. The rubber stamp may satisfy audit requirements, but it doesn’t reduce business risk. In fact, it may increase risk by giving leaders a false sense of comfort.
Lessons From the Front Line of Identity and Access Governance
The problem usually begins when a company approaches identity and access governance as a technology project when it’s really a business transformation program. To make lasting change and truly reduce business risk, people across the organization have to alter what they are doing and, most importantly, understand why they are doing it.
Here are few lessons I’ve learned over 16 years of focusing on identity and access management as a cyber risk professional.
Understand the Business Requirements
Unless the final solution meets the needs of the business, it will likely fail. A steering committee made up of business leaders who have skin in the game can provide ongoing guidance to the project sponsor.
A customer or user advisory board is also valuable. This group can provide input as the program is developed and ensure that the final solution will meet its needs. The goal is to get the final users to embrace it and influence their peers to do the same.
Start With the End in Mind
Before you begin, work with stakeholders to create a clear vision of the end state you’re working toward. Identify the gaps you’ll need to fill, and then develop the road map you’ll follow to get there. This may sound like Project Management 101, but you’d be surprised how many organizations skip this important step and implement quick fixes that often complicate the problem down the road.
Business leaders evaluate investments, whether it’s an equipment purchase or business transformation project, based on their return on investment (ROI). They also like to measure progress as a program evolves.
You’ll need to define and measure the key metrics that quantify the project’s business value. For example, you may want to track the time required to establish new user access or user certification, determine if fewer people are required for the initiative and reduce calls to the help desk.
Keep It Simple
It’s human nature to resist change, so organizations are often tempted to customize the new technology solution to replicate what they were doing in the past. And guess what? The issue doesn’t go away. Stick with what works for the market and only customize if the change will create real business value.
Use Targeted Communications
Your steering committee members and customer advisory group can be invaluable when it’s time to roll out the program. Encourage them to share their enthusiasm and support with their users and peers. As you go live, customize communications to different groups and entities to effectively emphasize how the change will improve their work lives.
Know Nothing Is Perfect
Of course, make sure your solution is well-tested and piloted. But at some point, you’ll just need to jump in knowing that some unexpected issues are likely to emerge. Listen to feedback from your user groups and respond promptly with fixes and enhancements. Most importantly, rack up a few quick wins and build from there. Improvement is a project that never ends.
Learn More at InterConnect 2017
Attend IBM InterConnect 2017 in Las Vegas to join me and Andrea Rossi, vice president of identity governance and intelligence sales at IBM, as we discuss how leading organizations are dealing with identity governance. Our presentation, “The Good, the Bad and the Beautiful: The Saga Continues With Episode Three,” will touch on how identity governance initiatives often force different groups to work together despite their separate priorities, and we’ll share a customer case study. Join us on Monday, March 20 at 3:15 p.m. in Mandalay Bay’s Palm B.