May 23, 2019 | By Marc von Mandel

co-authored by Jill Dhillon

Every chief information security officer (CISO) knows that identity and access management (IAM) is a critical component of safeguarding the organization’s systems, data and applications from unauthorized users. But IAM programs are becoming increasingly challenging to run as the number of devices, applications, users, data sources and data privacy regulations grows.

Organizations need new and innovative solutions to these challenges and a way forward to develop tools that will meet user needs, provide long-term business value, reduce IT management costs, enhance employee productivity and increase compliance efficiency.

Apply Enterprise Design Thinking to Identity and Access Management

I sat down with Jill Dhillon, global director of Enterprise Design Thinking for IBM Security, to talk about how organizations are using Enterprise Design Thinking to uncover and solve modern IAM challenges. Here’s what she had to say.

Question: How can clients use Enterprise Design Thinking to uncover modern identity and access management challenges?

Dhillon: Enterprise Design Thinking helps us identify the right problem to solve. So, in other words, we start by framing the problem to generate alignment and begin the work. How do we frame the problem? One option is to take a stakeholder mapping approach, which will include sponsor users who are experiencing the challenge.

We conduct user research and bring the insights into the design thinking session where we collaboratively refine the problem statement further if warranted. We move forward from there and dive more deeply into the problem as a group, then use a variety of structured, highly interactive activities to prioritize ideas and ways to solve the problem.

How does Enterprise Design Thinking build stakeholder buy-in for these new and innovative ways of managing identity?

With complex technological environments, often teams don’t have the opportunity to cross-communicate or collaborate deeply in a real-time sense. They are working in silos, and often asynchronously. Whether it’s executive leadership, middle management, engineering or people who are client-facing, there can be impacts and barriers to progress. Enterprise Design Thinking allows us to dissolve those silos, listen to one another and craft solutions collaboratively in an accelerated way. Engaging users is an additional stage we infuse when we practice design thinking as it enables us to learn about their current experience and generate tremendous amounts of insight, which influences the solution design.

The approach also affords an anonymized, democratized way of sharing points of view. So, for example, if a stakeholder has more information than another stakeholder or a leader has a specific target or agenda, it gets shared, discussed, diverged and converged with other points of view. The approach enables alignment where all expertise and supporting data is leveraged and considered through use of the design thinking framework. We have a chance to talk about these points of view, pull them apart, put them back together and then come up with a game plan that makes sense based on all the dynamics and all the information that comes forward in the process.

In terms of IAM, so many of the challenges can be addressed in a programmatic approach. Enterprise Design Thinking allows stakeholders to see into the various levels and co-create solutions that are needed to get the whole IAM program to work. It’s about dissolving the silos, working collaboratively and getting a line of sight into the entire end-to-end experience for IAM.

How would you start an Enterprise Design Thinking for IAM session for a client?

We start with the client innovation teams and collaborate across the organization with all subject matter experts. This session focuses on strategy, which results in a programmatic approach and phased road map with specific activities and tasks required for implementation.

A key success factor for any design thinking initiative is enlisting executive sponsorship. Programs are most successful when these leaders are highly visible, collaborative and willing to provide feedback on an iterative basis. IAM leaders and their stakeholders are usually eager to participate because they co-create solutions and actionable takeaways with owners, as well as accountability. They learn about barriers, how to manage risks in a more informed way, and how to build communication channels with direct and instant feedback. It accelerates everything for the organization and helps enable change management approaches in new ways. There often are much higher levels of success, such as quicker implementations, reduced risk and cost savings.

We had a client recently that had a pilot in flight. They wanted to host a series of design thinking sessions to bring more subject matter expertise to the table, calibrate the pilot, and learn how users were experiencing it and how they could expand the pilot in future release cycles. In just a couple of days, with about 15 people supported by good workshop design, this client said they would have never been at this stage or accomplished all the strategic work without Enterprise Design Thinking. It would have taken them months or even years, and they wouldn’t have had all the insights that led to a highly improved next iteration.

So, Enterprise Design Thinking was an accelerator and provided a feasible action plan. It’s all about feasibility in relation to impact and solving pain and inefficiencies. When you have a workable action plan, you can align resources for future implementations.

Ultimately, it’s people that are designing the technology, and we need human-centered design when solving problems. The more direct user insight we can bring into the sessions, the more effectively we can solve the challenges with people, process or technology. Often, we’re working with the context and complexity of all those dynamics at play. They are addressed as part of the overall solution as well.

Innovate to Solve Modern IAM Challenges

With Enterprise Design Thinking for IAM, security and IT teams can uncover and solve modern IAM challenges in an innovative and unique way. The framework guides stakeholders to focus on framing the right problem and collecting valuable insights from users, and it helps them craft more effective solutions collaboratively.
