Addressing Identity Governance In the Land Down Under
I recently sat down with the CISO of one of our Australian customers for a deeper look into the successful identity program he championed. Here is an edited version of our conversation.
What were the business drivers for your identity program?
We were looking to develop a sophisticated identity governance strategy requiring an overhaul of our current joiners, movers and leavers processes. We set out to replace a customised Lotus Notes database which was being used as our access request solution. This process allowed employees to request access to business applications but was not integrated with our HR system to provide an audit trail for employees who joined the business, moved departments or left the organisation. Certifying employee access on a quarterly basis took four months to run a campaign for 5,000 identities and 100,000 system entitlements. Staff and trusted third parties were so disengaged with the entire process which lead to the integrity of decisions and data being a risk.
What steps did you take to gain support for the program?
I led the effort to find an identity solution that could automate user provisioning for applications, streamline access requests and approval processes, improve the user experience, reduce manual intervention, as well as reduce risk and demonstrate compliance. I took this tall order to the board, explaining the necessity of taking an enterprise risk management lens to managing access to applications and data from a compliance and business process perspective. Through my research, I reasoned that a new automated solution would save us $250K per year on resource and licensing efficiencies.
We adopted SailPoint’s identity governance platform to address these challenges. Within six months we went from approval to launch, onboarding our 10 most critical applications for compliance obligations first. Our first certification campaign took three weeks with over a 90% completion rate – a massive improvement from the four months it previously took. We can now confidently say we have a better user experience, more engagement from employees and managers, and automation from a single source of truth.
What were your goals for the program?
Security and risk reduction were the main focus for this program. We sought an identity program that secured the organization while enabling the workforce to move at the speed the business and clients required, whilst also meeting heavy compliance obligations. The board and executive team provided full support.
How did your estimated return on investment measure up?
My initial projection of saving approximately $250K per year is actually closer to $410K per year to date. Lotus Notes licensing costs were reduced, and staff productivity increased drastically due to the user access reviews being so easy to perform. An outsourced provider that managed the service desk charged per email or phone call. When access became automated, that cut associated costs down tremendously as the requests did not need to be processed by the outsource service provider. The time saved has also been impressive. The certification process had a four-month duration and now takes three weeks with a 90%-95% completion ratio – which is only going up in subsequent reviews. Two full-time employees were reallocated to other projects and when the program was expanded to our UK business, that team didn’t hire any external technical resources, project managers. This effectively saved hundreds of thousands of dollars in project costs.
How does this program set you apart from the rest of your industry?
With our identity program in place, our compliance reviews show how this technology has set the bar for our industry. Our program upgrade led us to be in the upper quartile for GS007 which is a controls audit performed by independent auditors each year for the financial auditors of their clients. This year, for the first time ever, there were no audit findings for user access controls. We also had zero user access issues for terminated staff with active access as well. Auditors once mentioned that for a company of our size and complexity we would never have zero user access control findings. We attribute this success to SailPoint, the efficiency gained in onboarding and offboarding, and the data that was cleansed as part of the implementation process.
How did you manage change and win staff over with the new technology?
In a similar fashion to the rest of our approach, my team implemented a thorough education process prior to SailPoint going live. We had a communication campaign leading up to the launch including emails from their Chief Executive educating employees on how this will change the way the business operates and the importance of them getting on board.
Lunch and learns were also held at every office across the country allowing employees to see first-hand the benefits they were going to experience.
Online learning modules were built in their learning management system that employees were required to complete.
For awareness purposes, posters were also put up in the offices to get the organization excited for the launch.
How was the business case pitched to other senior stakeholders? How did you gain executive sponsorship?
The entire process took about 6 months. When we approached the executive team, the budget for the following year had been padded with the investment needed for the program and the hearts and minds of the executives had been sold based on the business benefits, ROI, audit support, enhanced security and improved user experience the automation and governance would bring. Our discussion focused on the business benefits and how a financial services organization needed enterprise-level technology to thrive and compete in the world we know today. Once the executive team gave their full support, the board provided their endorsement and the project team executed on the vision, allowing us to take our identity program to the next level.