Business Process Key to ID Management Payback

CIOs salivating at the potential benefits of identity management urgently need to get their business processes in order if they want to reap substantive and measurable ROI, according to IBM Tivoli's visiting large enterprise and government security and ID management executive Bob Kalka.

Kalka — a straight-talking Texan with a low hype threshold — warns that it's all too easy for non-IT management to fall into the trap of treating the symptoms that IT security audits highlight, such as orphan user IDs, rather than the cause: poor underlying business processes that keep generating them.

"When a customer fails an IT security audit they [often] put together a tiger team to fix these exposures. If the process [which resulted in the failure] isn't correct, then it's garbage-in, garbage-out. You've got to have an established, congruent and consistent business process," Kalka says.

This means, Kalka says, looking at security and identity management from the perspective of liability rather than that of risk. He readily admits it's all too easy to blow serious budget on metric-resistant activities such as risk mitigation.

"Risk is really just the front-end, and comes from liability. There are companies out there that are wasting money protecting things that have no liability . . . so you have to look at the business processes that generate [your] liability," Kalka says.

Queried about whether IBM's ongoing relationship with Westpac is yielding any identity management benefits, Kalka will speak in generalities only. "Financial institutions are the first to realise that you REALLY secure stuff that generates a lot of liability," he says, adding that savings generated by the necessary house-cleaning that accompanies ID management also provide a strong savings driver for large organisations.

In terms of manufacturing solutions fitted to purposes rather than vice versa, Kalka says the Tivoli user base keeps its concerns candid. "For instance, with Tivoli Privacy Manager, we base it on a customer council — which [in Australia] includes the Health Insurance Commission. It's a product requirements vehicle that helps manage the application to data management layer."

Stories by Julian Bajkowski
