Authored by Daniel Poliquin, principal of Deloitte & Touche LLP.

I’ve seen this situation again and again: After investing thousands — often millions — to equip their enterprise with automated identity and access governance technologies, the organization’s system is breached. How does this happen?

A closer look may show that even though approval processes were followed, access requests were routinely approved because no one really understood what the approvals meant. The rubber stamp may satisfy audit requirements, but it doesn’t reduce business risk. In fact, it may increase risk by giving leaders a false sense of comfort.

Lessons From the Front Line of Identity and Access Governance

The problem usually begins when a company approaches identity and access governance as a technology project when it’s really a business transformation program. To make lasting change and truly reduce business risk, people across the organization have to alter what they are doing and, most importantly, understand why they are doing it.

Here are few lessons I’ve learned over 16 years of focusing on identity and access management as a cyber risk professional.

Understand the Business Requirements

Unless the final solution meets the needs of the business, it will likely fail. A steering committee made up of business leaders who have skin in the game can provide ongoing guidance to the project sponsor.

A customer or user advisory board is also valuable. This group can provide input as the program is developed and ensure that the final solution will meet its needs. The goal is to get the final users to embrace it and influence their peers to do the same.

Start With the End in Mind

Before you begin, work with stakeholders to create a clear vision of the end state you’re working toward. Identify the gaps you’ll need to fill, and then develop the road map you’ll follow to get there. This may sound like Project Management 101, but you’d be surprised how many organizations skip this important step and implement quick fixes that often complicate the problem down the road.

Measure

Business leaders evaluate investments, whether it’s an equipment purchase or business transformation project, based on their return on investment (ROI). They also like to measure progress as a program evolves.

You’ll need to define and measure the key metrics that quantify the project’s business value. For example, you may want to track the time required to establish new user access or user certification, determine if fewer people are required for the initiative and reduce calls to the help desk.

Keep It Simple

It’s human nature to resist change, so organizations are often tempted to customize the new technology solution to replicate what they were doing in the past. And guess what? The issue doesn’t go away. Stick with what works for the market and only customize if the change will create real business value.

Use Targeted Communications

Your steering committee members and customer advisory group can be invaluable when it’s time to roll out the program. Encourage them to share their enthusiasm and support with their users and peers. As you go live, customize communications to different groups and entities to effectively emphasize how the change will improve their work lives.

Know Nothing Is Perfect

Of course, make sure your solution is well-tested and piloted. But at some point, you’ll just need to jump in knowing that some unexpected issues are likely to emerge. Listen to feedback from your user groups and respond promptly with fixes and enhancements. Most importantly, rack up a few quick wins and build from there. Improvement is a project that never ends.

Learn More at InterConnect 2017

Attend IBM InterConnect 2017 in Las Vegas to join me and Andrea Rossi, vice president of identity governance and intelligence sales at IBM, as we discuss how leading organizations are dealing with identity governance. Our presentation, “The Good, the Bad and the Beautiful: The Saga Continues With Episode Three,” will touch on how identity governance initiatives often force different groups to work together despite their separate priorities, and we’ll share a customer case study. Join us on Monday, March 20 at 3:15 p.m. in Mandalay Bay’s Palm B.

More from Identity & Access

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today