New Study Says Companies Lack Necessary Data, Technology to Address Insider Threat

Research Confirms Most Organizations Rely on Manual Controls, Remain Ill-Equipped to Meet Complex Identity Compliance Challenges

ELK RAPIDS, Mich. and AUSTIN, Texas, March 5, 2007 – According to a new study by privacy and information management research firm the Ponemon Institute, nearly 60 percent of US-based businesses and government agencies believe they are unable to effectively assess or quantify "insider threat" risks within their organizations – leaving them open to privacy breaches, failed audits and potential fraud or misuse of data. And although more than 70 percent of respondents confirm that identity compliance activities are strategically important, 58 percent still rely on manual processes to audit and control user access to critical enterprise systems and data resources.

Commissioned by SailPoint Technologies, the Survey on Identity Compliance examines the responses of more than 600 US-based senior information security professionals, pointing to inefficient processes, insufficient data and the lack of collaboration between business and IT groups as the leading causes of risk across the enterprise.

Analysis of the survey suggests that despite healthy budget allocations, the state of identity governance, risk management and compliance initiatives remains a serious challenge.

Key findings include:

• 71 percent of respondents confirm that identity compliance activities are strategically important, resulting in an average of 28 percent of total IT compliance budgets being earmarked for such initiatives.
• 64 percent of respondents say they have deployed an identity and access management (IAM) solution, a category that includes access control, password management, provisioning and role management. Nevertheless, almost 60 percent of respondents say their companies are unable to effectively focus IAM controls on areas of the greatest business risk.
• This limitation is viewed as severe: over 80 percent of respondents either strongly agree or agree that risk should be a determining factor in driving identity compliance activities.
• Respondents cite numerous inefficiencies in their organizations’ IAM compliance processes:
  • 58 percent use mostly manual methods.
  • 87 percent employ a decentralized strategy.
  • 51 percent take a detective (or reactive) approach.
• Although findings show that responsibility for identity compliance is shared across business, IT and audit/compliance groups, collaboration among them is very weak. 42 percent of respondents say that collaboration rarely occurs, while another 23 percent say it never occurs.

"Our findings point to a number of barriers preventing the implementation of effective identity management and proactive safeguards for securing sensitive corporate data against insider risk,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute.  “In order to assess risk, and identify and address identity management shortcomings, organizations must have access to data and appropriate coordination across business units. Our research shows that, for too many companies, this is simply not happening."

"As the complexity of identity management has increased, so have the inherent risks, media attention and public scrutiny associated with corporate compliance initiatives," said Jackie Gilbert, vice president of marketing and founder of SailPoint. "SailPoint helps companies focus compliance efforts on the greatest areas of business risk in the organization, with cross-disciplinary involvement from business, IT and audit groups. Our goal is to give organizations a sustainable approach to compliance that is cost effective, automated and systematically reduces risk exposure."

Copies of the Survey on Identity Compliance are available through the Ponemon Institute and through SailPoint.

About The Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About SailPoint

SailPoint Technologies, Inc. develops software with unique “Identity Intelligence” that helps organizations achieve regulatory compliance, improve internal controls and manage risks associated with the proliferation of enterprise-wide identity data. Founded in December 2005, SailPoint is based in Austin, Texas.