Identity governance: It’s all about the people

Author: John Havers, CEO, First Point Global

New technologies like bring your own identity (BYOI) provide the agility that organisations need to compete in the digital economy, as Jan Zeilinga demonstrated in last month’s blog. But let’s not forget that getting the house in order is an important prerequisite to going “digital”. Employees and contractors need access to the right information to do their jobs, and organisations need to ensure that digital assets are used appropriately.

Without an identity and access governance (IAG) solution, policies and controls designed to mitigate access risk must be performed manually. At best this is a drag on agility; at worst it is a serious security issue. Thankfully, IAG solutions that improve and automate these processes are no longer something only large organisations can afford.

Whether deployed in the cloud or on-premises, the tricky part about identity and access governance is no longer the technology, which is quite mature, or even the processes. As a new research-based white paper from First Point Global and our partner SailPoint shows, it is the people part that is the real challenge. This publication is rich in findings and advice from practitioners at the organisations that pioneered IAG in Australia – the top financial institutions. Some key findings are summarised below:

1. Address the people component as a first priority

IAG projects often struggle when the project team doesn’t truly understand the business needs, the complex rules and politics of the organisation, or the points of view of the various stakeholders. IAG projects typically require the participation of many different groups that must work together to ensure success. There is often a large gap between the technical side of the house and business users who may not understand or care about IT and security issues. Addressing these people challenges with “eyes wide open” is a critical success factor.

2. Choose your IAG leader carefully

With this in mind, practitioners interviewed for the white paper recommended choosing leaders who have experience leading large, cross-functional programs and who are skilled at “getting things done”. This type of leader will not shy away from the people and change management side of the job.

3. Find and maintain strong executive sponsorship

Changing business processes and people’s behaviour is a difficult task. Executive leadership is needed to convince the organisation of the strategic importance of the project, ensure adequate IT staffing, mediate departmental conflicts and set priorities.

4. Avoid the “big bang” approach; start small and build momentum

Key recommendations from interviewees included:
  • Scope the project in small phases that can be completed in weeks – aim for as small a scope as you can.
  • Go after the “low hanging fruit” first. For some organisations, this means starting with the friendliest business units; for others, it means starting with the applications that are easiest to integrate with the IAG tool.
  • Promote your early successes to build support, then expand your scope to more applications and business units.

5. Work to achieve business accountability

Managing user accounts and privileges – and ensuring effective access control – is not commonly embraced by business users. In many of the organisations interviewed, IT staff had assumed responsibility for identity and access governance. Business application owners were not held accountable for ensuring adequate governance and compliance with internal controls. As a result, IT carried responsibility for what were actually business risks. To be successful, accountability for risk had to be shifted to its rightful owners on the business side of the house. Best practices for achieving this included using approaches tailored to each business unit: some groups respond to the threat of negative audit findings; others are motivated by reducing the burden of compliance activities such as user access reviews.

Bottom line: The white paper provides a unique opportunity to learn about identity and access governance challenges, and the best practices for overcoming them, from leading Australian organisations. If you are planning, implementing or extending an IAG solution, I strongly recommend that you download it.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
