CIOs salivating at the potential benefits of identity management urgently need to get their business processes in order if they want to reap substantive and measurable ROI, according to IBM Tivoli's visiting large enterprise and government security and ID management executive Bob Kalka.
Kalka — a straight-talking Texan with a low hype threshold — warns that it's all too easy for non-IT management to fall into the trap of treating symptoms — such as orphan user-Ids — which IT security audits highlight, rather than the cause: poor underlying business processes that keep generating them.
"When a customer fails an IT security audit they [often] put together a tiger team to fix these exposures. If the process [which resulted in the failure] isn't correct, then it's garbage-in, garbage-out. You've got to have an established, congruent and consistent business process," Kalka says.
This means, Kalka says, looking at security and identity management from the perspective of liability rather than that of risk — and readily admits it's all too easy to blow serious budget on metric resistant activities such as risk mitigation.
"Risk is really just the front-end, and comes from liability. There are companies out there that are wasting money protecting things that have no liability . . . so you have to look at the business processes that generate [your] liability," Kalka says.
Queried about whether IBM's ongoing relationship with Westpac is yielding any identity management benefits, Kalka will speak in generalities only. "Financial institutions are the first to realise that you REALLY secure stuff that generates a lot of liability," adding that savings generated by the necessary house-cleaning that accompanies ID management also provide a strong savings driver for large organisations.
In terms of manufacturing solutions fitted to purposes rather than vice versa, Kalka says the Tivoli user base keep its concerns candid. "For instance, with Tivoli Privacy Manager, we base it on a customer council — which [in Australia] includes the Health Insurance Commission. It's a product requirements vehicle that helps manage the application to data management layer."