July 25, 2016 By Laurène Hummer 4 min read

It takes a lot to come in first and win the gold: dedication to your sport, hours upon hours of training, resilience in the face of naysayers or competitors who might not always take the high road and, of course, a mature identity and access management (IAM) program, optimized and fine-tuned to your business environment and objectives.

Now, that last one won’t be of much help to athletes in Rio this summer. But if your sport happens to be played in an office, a mature IAM program will be your best weapon to beat your competition and lead your organization to greater business results.

IAM as a Competitive Advantage

Most companies have IAM programs that do the basics: provision and manage user access, protect sensitive data with some safeguards such as strong authentication or password rules, manage audit cycles, etc.

However, IAM programs are also at the core of achieving critical business objectives that are relevant to every high-performing organization. As a result, organizations that fine-tune their IAM programs with much deliberation and scrutiny can be at a real competitive advantage in the race to achieve strong business performance.

A mature IAM program optimized to a business’s objectives and the unique circumstances surrounding it can minimize the risk of data breaches involving identities. It can enable productivity and collaboration, driving market-leading innovation. It can also ensure regulatory compliance is systematically achieved and maintained while minimizing the costs of performing audits.

Watch the on-demand webinar to learn more about winning an IAM Gold Medal

Four Steps to Maturing Your IAM Approach

All of this makes sense in theory. But for most organizations, getting from their current program to one that creates measurable value can seem like an impossible task. Many deploy a new point solution to fix each pressing pain or issue, contributing to a fragmented IAM landscape that fails to meet objectives.

Businesses that take a deliberate approach to mature their IAM programs will see their IAM investments grow from providing them the bare minimum function to creating real value.

1. Evaluate

This first step encompasses two types of evaluations: First, start with your key business goals. Are you prioritizing compliance? Are there regulations that drive your business? Is security a focus? Who are your users, and what would they need to be most productive?

Prioritize these objectives, depending on the unique circumstances of your organization, your industry and the geographies you operate in. Evaluate where you need to make improvements relative to how you operate today.

The second evaluation looks at the health of your current IAM program. Assess the key gaps and their impact on the organization and its ability to reach the business and IT goals you laid out in the first evaluation.

Often, a side benefit of this exercise is the ability to clearly articulate the connection between the budget allocated to an IAM program and a clear return on the investment in the form of the business objectives that will be met. An increase in productivity can lower costs and boost revenues. A reduced risk of breaches can be quantified, and so can compliance efforts.

Coach’s Tip: One Size Does Not Fit All

Take a small biotech firm in Boston, for example. It has only one office and everyone collaborates on-site. It is driven by HIPAA regulations. The business value is entirely based on proprietary research. This company will have one set of needs with a strong focus on security and compliance.

By contrast, a global organization with an established work-from-home culture and many business partners collaborating with regular employees will have vastly different requirements. The organization’s security experts will need to consider enabling end user access in addition to security and compliance.

2. Design

Once you’ve determined where you are and where you want to be, design the IAM program that can take you there. Then put together a prioritized road map, timeline and budget to support your vision.

Within that framework, existing assets can be evaluated to optimize their value, reduce inefficiencies and become more cost effective. A plan to roll out new solutions can be put in place with integration in mind so controls are consistently enforced and silos of IAM are eliminated. Key criteria can be identified to make vendor and technology selections for future purchases.

The end result is a prioritized road map and a clear timing plan that ensure existing technologies are leveraged and new ones implemented in the right order. This results in high rates of success and positive return on investment.

Coach’s Tip: Say No to Silos

IAM is closely tied to other vital programs in your organization, especially if your major business objective is to decrease your overall risk exposure.

Think of how efficiently your programs run together and how your IAM program is contributing to overall risk relative to risk management, compliance, audit programs, etc. Comparing this effectiveness to the level of investment you have made in the solution can also help you understand whether you are maximizing the value of your current assets or if you need to reprioritize your spending.

3. Execute

Once the strategic work of steps one and two is concluded, it can be used as a solid foundation upon which to complete the third step: executing on the plan to bring together the products, processes and people necessary to bring the strategy to life. With appropriate buy-in, expectations and preparedness, projects can be approached methodically and with great success.

Coach’s Tip: Vet Your Vendor

Just as your IAM strategy is meant to meet your goals now and in the future, find products and solutions that will grow in the right direction. Ask about the most recent releases and what the vendor considers to be the most innovative new features. When you compare it to their stated road map and vision, it will help you get a sense of whether the vendor is working to deliver on those lofty goals.

4. Take Action Now

Don’t wait for the next fire drill to take action.

As the best athletes in the world come together in Rio this summer for the most important performances of their lives, let them inspire you to take the first step to an IAM gold medal. Look at how things are going in your organization and check to see if there are any signs your IAM program could be leaving you exposed to risks, such as an insider threat.

To learn more about this approach and how you can apply it to your organization, watch the on-demand webinar, “The Games Are Coming – Reach For An IAM Gold Medal.”

Read the white paper: Designing an IAM program optimized for your business

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today