Authored by Daniel Poliquin, principal of Deloitte & Touche LLP.

I’ve seen this situation again and again: After investing thousands — often millions — to equip their enterprise with automated identity and access governance technologies, the organization’s system is breached. How does this happen?

A closer look may show that even though approval processes were followed, access requests were routinely approved because no one really understood what the approvals meant. The rubber stamp may satisfy audit requirements, but it doesn’t reduce business risk. In fact, it may increase risk by giving leaders a false sense of comfort.

Lessons From the Front Line of Identity and Access Governance

The problem usually begins when a company approaches identity and access governance as a technology project when it’s really a business transformation program. To make lasting change and truly reduce business risk, people across the organization have to alter what they are doing and, most importantly, understand why they are doing it.

Here are a few lessons I’ve learned over 16 years of focusing on identity and access management as a cyber risk professional.

Understand the Business Requirements

Unless the final solution meets the needs of the business, it will likely fail. A steering committee made up of business leaders who have skin in the game can provide ongoing guidance to the project sponsor.

A customer or user advisory board is also valuable. This group can provide input as the program is developed and ensure that the final solution will meet its needs. The goal is to get the final users to embrace it and influence their peers to do the same.

Start With the End in Mind

Before you begin, work with stakeholders to create a clear vision of the end state you’re working toward. Identify the gaps you’ll need to fill, and then develop the road map you’ll follow to get there. This may sound like Project Management 101, but you’d be surprised how many organizations skip this important step and implement quick fixes that often complicate the problem down the road.

Business leaders evaluate investments, whether it’s an equipment purchase or business transformation project, based on their return on investment (ROI). They also like to measure progress as a program evolves.

You’ll need to define and measure the key metrics that quantify the project’s business value. For example, you may want to track the time required to establish new user access or complete user certification, whether fewer people are required to run the process, and the number of calls to the help desk.
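To make these metrics concrete, here is an added example that is not from the original article and does not describe any Deloitte or IBM tooling. It works over constructed sample records (an access-request log and a help desk ticket list) and computes two things: the rubber-stamp signal from the opening paragraphs (an approver who approves nearly every request within seconds is not reviewing what they grant) and the program metrics named above (median time to provision access, and access-related help desk calls per week). The field names, thresholds and sample data are all assumptions.

```python
"""
Identity and access governance metrics over constructed sample data.

1. Rubber-stamp signal: approvers with a near-100% approval rate and a
   median decision time of seconds are not reviewing the access they grant.
2. Program value metrics: median time from request to provisioned access,
   and access-related help desk calls per ISO week.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median


def _req(rid, approver, submitted, decided, decision, provisioned=None):
    """Build one constructed access-request record (ISO 8601 timestamps)."""
    return {"id": rid, "approver": approver, "submitted": submitted,
            "decided": decided, "decision": decision, "provisioned": provisioned}


# Constructed sample access requests (not real data).
REQUESTS = [
    # dana: every request approved within seconds of submission
    _req(1, "dana", "2024-03-04T09:00:00", "2024-03-04T09:00:08", "approved", "2024-03-04T11:30:00"),
    _req(2, "dana", "2024-03-04T09:05:00", "2024-03-04T09:05:05", "approved", "2024-03-05T09:00:00"),
    _req(3, "dana", "2024-03-05T14:00:00", "2024-03-05T14:00:11", "approved", "2024-03-05T16:00:00"),
    _req(4, "dana", "2024-03-06T10:00:00", "2024-03-06T10:00:06", "approved", "2024-03-06T12:00:00"),
    _req(5, "dana", "2024-03-07T08:30:00", "2024-03-07T08:30:09", "approved", "2024-03-07T10:30:00"),
    # lee: takes hours to review and sometimes denies
    _req(6, "lee", "2024-03-04T09:10:00", "2024-03-04T15:40:00", "approved", "2024-03-05T09:00:00"),
    _req(7, "lee", "2024-03-05T11:00:00", "2024-03-06T10:00:00", "denied"),
    _req(8, "lee", "2024-03-06T09:00:00", "2024-03-06T17:00:00", "approved", "2024-03-07T09:00:00"),
    _req(9, "lee", "2024-03-07T13:00:00", "2024-03-08T09:00:00", "approved", "2024-03-08T12:00:00"),
    _req(10, "lee", "2024-03-08T10:00:00", "2024-03-08T12:00:00", "denied"),
]

# Constructed help desk tickets; only the "access" category counts here.
TICKETS = [
    {"opened": "2024-03-04T10:00:00", "category": "access"},
    {"opened": "2024-03-05T10:00:00", "category": "access"},
    {"opened": "2024-03-06T10:00:00", "category": "hardware"},
    {"opened": "2024-03-12T10:00:00", "category": "access"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def approver_profile(requests):
    """Per approver: number of decisions, approval rate, median decision latency (s)."""
    latencies = defaultdict(list)
    approved = Counter()
    for r in requests:
        latencies[r["approver"]].append((_ts(r["decided"]) - _ts(r["submitted"])).total_seconds())
        if r["decision"] == "approved":
            approved[r["approver"]] += 1
    return {
        a: {"decisions": len(lat),
            "approval_rate": approved[a] / len(lat),
            "median_latency_s": float(median(lat))}
        for a, lat in latencies.items()
    }


def rubber_stamp_approvers(requests, max_median_latency_s=60.0,
                           min_approval_rate=0.95, min_decisions=5):
    """Approvers whose speed and approval rate suggest no real review (thresholds assumed)."""
    return sorted(
        a for a, p in approver_profile(requests).items()
        if p["decisions"] >= min_decisions
        and p["approval_rate"] >= min_approval_rate
        and p["median_latency_s"] <= max_median_latency_s
    )


def median_time_to_access_hours(requests):
    """Median hours from request submission to provisioned access (approved requests only)."""
    hours = [(_ts(r["provisioned"]) - _ts(r["submitted"])).total_seconds() / 3600
             for r in requests if r["decision"] == "approved" and r["provisioned"]]
    return float(median(hours))


def help_desk_calls_by_week(tickets):
    """Access-related ticket counts keyed by ISO week, e.g. '2024-W10'."""
    counts = Counter()
    for t in tickets:
        if t["category"] == "access":
            year, week, _ = _ts(t["opened"]).isocalendar()
            counts[f"{year}-W{week:02d}"] += 1
    return dict(counts)


if __name__ == "__main__":
    print("Rubber-stamp approvers:", rubber_stamp_approvers(REQUESTS))
    print("Median time to access (h):", median_time_to_access_hours(REQUESTS))
    print("Access help desk calls by week:", help_desk_calls_by_week(TICKETS))
```

The latency and approval-rate thresholds are deliberately conservative starting points; a real program would tune them against its own baseline and treat a flagged approver as a prompt for a conversation about what the approval means, not as a finding by itself.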

Keep It Simple

It’s human nature to resist change, so organizations are often tempted to customize the new technology solution to replicate what they were doing in the past. And guess what? The issue doesn’t go away. Stick with what works for the market and only customize if the change will create real business value.

Use Targeted Communications

Your steering committee members and customer advisory group can be invaluable when it’s time to roll out the program. Encourage them to share their enthusiasm and support with their users and peers. As you go live, customize communications to different groups and entities to effectively emphasize how the change will improve their work lives.

Know Nothing Is Perfect

Of course, make sure your solution is well-tested and piloted. But at some point, you’ll just need to jump in knowing that some unexpected issues are likely to emerge. Listen to feedback from your user groups and respond promptly with fixes and enhancements. Most importantly, rack up a few quick wins and build from there. Improvement is a project that never ends.

Learn More at InterConnect 2017

Attend IBM InterConnect 2017 in Las Vegas to join me and Andrea Rossi, vice president of identity governance and intelligence sales at IBM, as we discuss how leading organizations are dealing with identity governance. Our presentation, “The Good, the Bad and the Beautiful: The Saga Continues With Episode Three,” will touch on how identity governance initiatives often force different groups to work together despite their separate priorities, and we’ll share a customer case study. Join us on Monday, March 20 at 3:15 p.m. in Mandalay Bay’s Palm B.
