Authored by Daniel Poliquin, principal of Deloitte & Touche LLP.

I’ve seen this situation again and again: After investing thousands — often millions — to equip their enterprise with automated identity and access governance technologies, the organization’s system is breached. How does this happen?

A closer look may show that even though approval processes were followed, access requests were routinely approved because no one really understood what they were approving: which entitlements the request granted and what the requester could do with them. The rubber stamp may satisfy audit requirements, but it doesn't reduce business risk. In fact, it may increase risk by giving leaders a false sense of comfort.

Lessons From the Front Line of Identity and Access Governance

The problem usually begins when a company approaches identity and access governance as a technology project when it’s really a business transformation program. To make lasting change and truly reduce business risk, people across the organization have to alter what they are doing and, most importantly, understand why they are doing it.

Here are a few lessons I've learned over 16 years of focusing on identity and access management as a cyber risk professional.

Understand the Business Requirements

Unless the final solution meets the needs of the business, it will likely fail. A steering committee made up of business leaders who have skin in the game can provide ongoing guidance to the project sponsor.

A customer or user advisory board is also valuable. This group can provide input as the program is developed and ensure that the final solution will meet its needs. The goal is to get the final users to embrace it and influence their peers to do the same.

Start With the End in Mind

Before you begin, work with stakeholders to create a clear vision of the end state you’re working toward. Identify the gaps you’ll need to fill, and then develop the road map you’ll follow to get there. This may sound like Project Management 101, but you’d be surprised how many organizations skip this important step and implement quick fixes that often complicate the problem down the road.

Measure Business Value
Business leaders evaluate investments, whether it’s an equipment purchase or business transformation project, based on their return on investment (ROI). They also like to measure progress as a program evolves.

You'll need to define and measure the key metrics that quantify the program's business value. For example, you might track the time required to provision new user access or to complete a user access certification, the number of people the process requires, and the volume of access-related help desk calls, all measured before and after the change.
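As an added illustration (not part of the original article), the following Python computes a few of these metrics over a constructed export of access-request records. It goes one step further than the paragraph by also flagging approvers whose pattern matches the rubber stamp described earlier: a near-100 percent approval rate combined with decisions made within seconds of the request. The record layout, field names and thresholds are assumptions; a real identity governance platform's export would have to be mapped onto them.

```python
"""Time-to-access and approval-quality metrics over access-request records.

Added example; the record layout and thresholds are assumptions, not any
product's export format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessRequest:
    request_id: str
    approver: str
    requested_at: datetime
    decided_at: datetime
    provisioned_at: Optional[datetime]  # None when the request was denied
    approved: bool


# Constructed sample data (not a real export). "alice" approves everything
# within seconds; "bob" takes hours and denies about a third of requests.
BASE = datetime(2024, 3, 4, 9, 0, 0)


def _req(rid, approver, start_min, decide_s, approved, provision_s=None):
    requested = BASE + timedelta(minutes=start_min)
    decided = requested + timedelta(seconds=decide_s)
    provisioned = decided + timedelta(seconds=provision_s) if approved else None
    return AccessRequest(rid, approver, requested, decided, provisioned, approved)


SAMPLE: List[AccessRequest] = [
    _req("R1", "alice", 0, 8, True, 3600),
    _req("R2", "alice", 5, 5, True, 3600),
    _req("R3", "alice", 10, 12, True, 3600),
    _req("R4", "alice", 15, 9, True, 3600),
    _req("R5", "alice", 20, 7, True, 3600),
    _req("R6", "alice", 25, 6, True, 3600),
    _req("R7", "bob", 0, 7200, True, 1800),
    _req("R8", "bob", 5, 5400, True, 1800),
    _req("R9", "bob", 10, 10800, False),
    _req("R10", "bob", 15, 3600, True, 1800),
    _req("R11", "bob", 20, 9000, False),
    _req("R12", "bob", 25, 4500, True, 1800),
]


def median_time_to_access_seconds(requests: List[AccessRequest]) -> float:
    """Median seconds from request to provisioned access, approved requests only."""
    durations = [
        (r.provisioned_at - r.requested_at).total_seconds()
        for r in requests
        if r.approved and r.provisioned_at is not None
    ]
    return median(durations)


def approver_stats(requests: List[AccessRequest]) -> Dict[str, Dict[str, float]]:
    """Per approver: request count, approval rate, median decision time."""
    by_approver: Dict[str, List[AccessRequest]] = {}
    for r in requests:
        by_approver.setdefault(r.approver, []).append(r)
    stats = {}
    for name, reqs in by_approver.items():
        decision_s = [(r.decided_at - r.requested_at).total_seconds() for r in reqs]
        stats[name] = {
            "count": len(reqs),
            "approval_rate": sum(r.approved for r in reqs) / len(reqs),
            "median_decision_seconds": median(decision_s),
        }
    return stats


def flag_rubber_stampers(
    requests: List[AccessRequest],
    min_requests: int = 5,
    min_approval_rate: float = 0.95,
    max_median_decision_seconds: float = 60.0,
) -> List[str]:
    """Approvers who almost always approve and decide faster than anyone
    could read the request. Thresholds are assumptions to tune per organization."""
    return sorted(
        name
        for name, s in approver_stats(requests).items()
        if s["count"] >= min_requests
        and s["approval_rate"] >= min_approval_rate
        and s["median_decision_seconds"] <= max_median_decision_seconds
    )


if __name__ == "__main__":
    print("median time to access (s):", median_time_to_access_seconds(SAMPLE))
    for name, s in approver_stats(SAMPLE).items():
        print(name, s)
    print("possible rubber-stamp approvers:", flag_rubber_stampers(SAMPLE))
```

Run against the constructed sample, the time-to-access figure is dominated by provisioning rather than by the approval step, and only "alice" is flagged. The point of the approver report is not to accuse anyone but to give the steering committee a concrete number to discuss: an approver who decides in seven seconds with a 100 percent approval rate is not reducing risk, whatever the audit trail says.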

Keep It Simple

It's human nature to resist change, so organizations are often tempted to customize the new technology solution to replicate what they were doing in the past. And guess what? The issue doesn't go away. Stick with the solution's standard processes, which reflect what works across the market, and customize only where the change will create real business value.

Use Targeted Communications

Your steering committee members and customer advisory group can be invaluable when it’s time to roll out the program. Encourage them to share their enthusiasm and support with their users and peers. As you go live, customize communications to different groups and entities to effectively emphasize how the change will improve their work lives.

Know Nothing Is Perfect

Of course, make sure your solution is well-tested and piloted. But at some point, you’ll just need to jump in knowing that some unexpected issues are likely to emerge. Listen to feedback from your user groups and respond promptly with fixes and enhancements. Most importantly, rack up a few quick wins and build from there. Improvement is a project that never ends.

Learn More at InterConnect 2017

Attend IBM InterConnect 2017 in Las Vegas to join me and Andrea Rossi, vice president of identity governance and intelligence sales at IBM, as we discuss how leading organizations are dealing with identity governance. Our presentation, “The Good, the Bad and the Beautiful: The Saga Continues With Episode Three,” will touch on how identity governance initiatives often force different groups to work together despite their separate priorities, and we’ll share a customer case study. Join us on Monday, March 20 at 3:15 p.m. in Mandalay Bay’s Palm B.
