Accenture’s Simon Gooch Shares a Look into Its Identity Management Transformation
Like many large enterprises, Accenture’s internal identity and access management efforts grew organically throughout the organization. For a long time, that certainly served the company well, but as businesses become increasingly digital, it makes more sense to govern identity management centrally so that access is managed both strategically and consistently.
That’s the job Accenture’s Simon Gooch, global identity and access management CIO, was tasked with in January 2018. In this interview we discuss how Simon and the Accenture identity team developed their strategy to centralize identity management, how they are achieving that goal, and what their planned focus is for the years ahead.
Simon, thanks so much for taking the time to share your story. Can you first tell us a little about your start in enterprise technology?
My degree was in sports science and sociology. I had no interest in technology as a career for quite a long time. I was a heavy user of technology, but I never considered it as a career. But, ultimately, once I completed my education and earned my degree, I realized that I’d made a fundamental mistake in terms of my chosen career.
I reevaluated what I wanted to do. I’d always used technology and it always held my interest, so I did a bit of cramming and learned a bit about enterprise technology, then applied to join Accenture.
As a result, I’ve worked for Accenture for the majority of my working life. I started in application development and moved, over the course of five years, into the consulting practice at Accenture with a focus on IT transformations. In that role I helped deliver the technology aspects of the work we do. I would spend time helping our clients adopt and use whatever we were delivering. It might be an SAP system or a CRM system or some other big deployment. Ultimately, my job was to help consume, maintain, and support these systems. I did that for a few years.
How and when did the effort to centralize identity management get underway?
This effort got underway about 24 months ago. I started to make a lot of noise about how we weren’t thinking about access in a way that was consistent with how the services really needed to be architected, strategized about, and delivered—and how this was becoming a big potential barrier for Accenture.
We didn’t have anyone that owned the end-to-end identity vision and strategy through to the delivery of service. That’s such an important area, and I spent so much time saying that this was a problem that they eventually gave me the job.
I started in January 2018, first building the structure for the program and getting a direction in place for our identity and access management program. Essentially, it was pulling all of these different bits of identity management together from across our organization. Part of the challenge here was that the ownership of identity was distributed. We spent a lot of time centralizing it.
That’s where we sit now. We now have a single organizational structure with a single delivery model. And we have a road map for the things that we’re going to work on in the near future.
For our current fiscal year, we sought funding for things we want to do over the next 12 months. Much of that work will center around working with the key stakeholders in the various business units to flesh out our future strategies.
What were the primary catalysts to centralize Accenture’s internal identity management program?
There were a few catalysts here. One of them was that, like most large organizations—probably three or four years ago—we started this significant journey focused on transforming the way we thought about, and managed, security risk.
And there the identity and access aspect of security was lagging. We, and other organizations, were focusing significantly on the pure security elements, typically things like patching and cloud platform security—whatever the focus might be, depending on the organization.
For me, it was simple: Without understanding who you’re giving access to, you undermine the principles of security. While you may put security technology in place, it may not be effective if you don’t know how it’s being used and, in effect, who’s using it—and who is accessing systems and data.
That left a big question mark for me: How effective could security be without an identity and access management framework in place that would help us in the future?
What was your strategy to get identity from where it was to where you knew you wanted it to be?
The good news for me was that Accenture has a very strong security practice and, within that practice, a very strong identity practice. The obvious starting point for me was to collaborate with our identity practice, asking them to look at ourselves as if we were a client, design a plan for us, and then deploy the technology. From there they would help us create an organizational structure and a sound set of priorities.
That’s great. From there, were there any foundational areas in identity that you chose to focus on first?
It was getting those people in place that were able to not only help us get into shape to drive it into the future, but also work in an environment that wasn’t greenfield. It’s not an easy task to reshape identity while people are working on existing technology. It’s a lot like fixing a car while it is in motion.
We had to decide on the tactics that we wanted to achieve in the next year, such as meeting the business needs in terms of improving the way the Accenture business runs and securing the Accenture business. Those are the two fundamental tenets for me.
While we view ourselves in a place where we definitely have better control and oversight in identity, we need to continue to expand that to deal with more systems—more systems in the clouds and more complex interactions between things like business partners. That’s the other key component of our focus: continue to build out and support those business services and technologies.