SailPoint Survey Confirms Roadblocks to Effective IT Risk Management

AUSTIN, Texas, December 16, 2009 – SailPoint's Q4 2009 Market Pulse Survey results are in and confirm an age-old issue: line of business managers and IT still don't speak a common language, and the communication gap creates greater risk of corporate data breaches, internal sabotage, or fraud.

The Q4 2009 survey asked companies several questions about the compliance processes they use to verify that employee access to sensitive applications and data is aligned with business policy. The good news is a majority of respondents in fact do conduct regular access certifications for compliance and IT audits. However, there is clear evidence business users involved in these processes don't fully understand what they are certifying.

More than 50 percent of the companies surveyed confirmed that IT is responsible for ensuring the security and managing the risk around sensitive applications and data, but a large number of companies (42 percent) reported shared responsibility and accountability with business managers. A majority of respondents indicated clear concern that IT-level information is not always understood by the people responsible for reviewing and approving access privileges. In fact, nearly 75 percent of the respondents believed business managers don't understand the technical descriptions of the access privileges they certify.

Reviewing and certifying user access privileges is a key component of a successful corporate identity governance strategy. Understanding and validating that access privileges align with a user's job function is a critical requirement of legislation such as Sarbanes-Oxley, PCI and HIPAA. By regularly validating the appropriateness of user access privileges, organizations can effectively reduce the chances of non-compliance and improve overall risk posture.

"The good news is that companies are following good governance practices by conducting regular access certifications, and they are involving business managers who understand the risks associated with sensitive applications based on asset value, privacy requirements, or potential fraud," said Jackie Gilbert, vice president of marketing and cofounder at SailPoint. "The challenge is that the underlying identity data that describes 'who has access to what' is very technical and is not easily understood by non-technical workers. As the survey illustrates, this 'translation gap' means that managers often don't understand what they're approving – which significantly undermines the value of doing certifications."

According to the survey, 61 percent of the companies reported that they use manual or homegrown processes to manage a company's access privileges. It also revealed that only 14 percent of the respondents believe they have adequate controls in place to address the risk of insider threats in 2010. This sentiment mirrors findings in the May 2009 Market Pulse Survey, showing that seven months later, companies still haven't addressed the very real challenges of insider threats.

"Manual and homegrown certification processes are often ineffective and more expensive to conduct," said Gilbert. "To ensure that adequate controls are in place, companies need an identity governance solution that translates technical identity data into business terms to help managers understand the access privileges they're approving and certifying. These solutions replace time-consuming, manual processes with an automated and repeatable one that ultimately lowers costs as well."

SailPoint's Market Pulse Survey was conducted in November 2009. The 150 respondents, primarily IT management, work at Global 1000 companies across several industries, including banking, financial services, insurance, telecom and manufacturing. Sixty percent are based in the United States, with the remainder from Europe and Australia. The survey is the third in a series designed to explore how companies are approaching identity governance and examine the economy's impact on compliance initiatives in large enterprises.