There are several unique factors driving demand for IAM technologies at enterprise organizations today. Notably, the problem IAM addresses is unique. Unlike other technology implementations, IAM should be considered a process, not a project. A project has a specific end date, but a process is fluid and always changing.
Most CISOs will agree there are few things more fluid in an organization than user access and employee status. At the most basic level, this explains why organizations such as SANS, Gartner and PWC continue to report IAM as a top corporate priority. However, there are other factors contributing to the market demand for IAM.
PACE OF CHANGE AND INNOVATION IN BUSINESS Nearly every business trend today directly complicates a company’s identity and access management program. Many organizations struggle to keep up with changing trends that directly impact not only the information security program, but the business as well.
The process of managing identities is made more cumbersome by: • Digital Transformation and Cloud Computing • Shadow IT • Mobility • Bring Your Own Device • Internet of Things
TECHNOLOGY ADVANCEMENTS IN THE MARKET Many CISOs agree that early IAM solutions such as single sign-on and password managers are incapable of meeting the requirements of today’s enterprise. New solutions leverage artificial intelligence, biometrics and machine learning to more smartly manage identities and assign access.
It is important that security leadership fully understand the implications of each solution and the technical and business impact on their own programs. Not only do they need to understand this, but they must balance how IAM solutions impact other technologies and parts of their infrastructure.
As technology advances, CISOs are making decisions on the appropriate IAM solutions to end of life, and where to make new investments.
EXECUTIVE-LEVEL REQUIREMENTS FOR IAM As Michael Dent, the CISO of Fairfax County, Virginia explains, “Sometimes identity and access management presents an organizational dilemma. Who owns it? Security or IT? Sometimes it seems like if it breaks I own it, and when it does its job, IT owns it. In the end, though, our leadership is clear that identity is a security issue. Users gain access to data on a need to know basis.”
In reality, the Chief Information Officer, Chief Compliance Officer and Vice President of Human Resources all have a stake in investing in strong IAM tools. While too many cooks in the kitchen can sometimes make IAM difficult to manage, CISOs that take a collaborative approach with their business partners are often rewarded with executive-level sponsorship for IAM investments. To become a collaborative partner to other parts of the business when it comes to IAM decisions, CISOs must understand the needs of each business unit. Gaining a full grasp of their concerns and objectives ensures a cohesive approach. In the end, this results in clear priorities laid out from the beginning of decision-making, and a proactive and productive outcome.
For example, the Vice President of Human Resources can often lay claim to managing employee access to systems. It is often left to them to notify IS to turn off access to the network. However, IAM solutions automate previously manual notification processes that historically have been to blame for system breaches by disgruntled employees.
BOARD-LEVEL CONCERN Access management is also a top consideration at the Board-level for many companies.
Tony Meholic, CISO of The Bancorp Bank explains, “The one issue that gets the most attention from the Board of Directors is user access. Incidents like Heartbleed made the Board extremely interested in understanding our preparations around access management controls and limiting our exposure.”
As CISOs align their security programs with the businesses’ strategic priorities identity and access management takes on a heightened role in security programs.
Stay up to date with cyber security trends and more