Best Buy, Cognizant, and ExxonMobil talk all things identity security
Security leaders share their experiences overcoming roadblocks and building a solid business case for identity security
Identity security is a critical part of the dynamic digital landscape and is essential for risk mitigation, compliance, and operational efficiency. It’s an enabling technology that provides greater security for organizational resources and a foundation for greater agility and ability to react to future business needs.
Yet, as powerful as identity security can be, our recent Horizons of Identity report, surveying 375 identity security decision-makers revealed a number of challenges, including:
- Security professionals are struggling to communicate the business value of identity
- Most companies are at ground level, 4 in 10 companies are in the early stages of their identity security journey
- Even mature companies cover less than 70% of the identities in their organization
A result is that many IT leaders struggle to overcome roadblocks in their identity security journey, such as budget constraints, limited sponsorship focus, access to technical talent, and a lack of consideration of organizational changes on access models.
In short, identity security is critical for an organization’s long-term growth and agility, but many organizations have roadblocks limiting its effective implementation.
Luckily, SailPoint customers and some of the world’s most complex organizations are leading the way in showing how identity security can become an effective solution for both business and IT. During Navigate 2023, security leaders from Best Buy, Cognizant, and ExxonMobil shared their first-hand experience and on-the-ground tips for overcoming roadblocks and building a solid business case for identity security.
How to identify the right priorities and keep stakeholders involved
A critical mistake some organizations make regarding identity security is looking for a simple solution to a complex problem. In reality, an effective and strategic solution to identity security is rarely straightforward.
To get some perspective on how leading organizations are solving complex identity security challenges, we asked Greg Handrick, Engineering Director, Identity & Access Management at Best Buy and Gary Remy, Senior Director, Global Head of Identity & Access Management at Cognizant for insights into how they’ve successfully secured the proper priority for identity security and gained the involvement of key business stakeholders.
“We started off with stakeholders in information security and IT operations but realized pretty quickly that to be successful, we need more. So, we brought in representatives from compliance, HR, and our user base.”
Greg Handrick, Best Buy
Handrick’s team further found that it was essential to make sure stakeholder efforts were balanced, and that it was necessary to bring everyone to the table. “We have a steering committee where we bring those stakeholders together on an easy six-week cadence for an hour. It enables everyone to discuss any problems and challenges as well as our current goals and allows us to define our priorities,” said Handrick.
For Gary Remy and Cognizant, an essential part of their approach with stakeholders is recognizing that each one has different objectives and drivers. “Since no two stakeholders are alike, we’re always looking at exactly what they’re trying to achieve and how we can help them through identity security. It helps anchor us back to the challenge we’re trying to solve and the outcomes we focus on.”
Cognizant has multiple ways of engaging with stakeholders. “We’ve started taking a high-touch, high-engagement approach to everything we do,” said Remy. “We have an IAM road show that goes out to different senior-level leadership groups across the firm and a technical working group that can get more hands-on. We also engage with our Strategic Risk Committee and Executive Oversight Committee.” All that work pays off.
“There’s a lot of heavy lifting we have to do to prepare for those engagements, but the outcomes from them ultimately end up benefiting us with high visibility and high engagement and help us drive better timing and better outcomes.”
Gary Remy, Cognizant
The end effect of all that engagement for Cognizant, and having their stakeholders engaged and having a seat at the table, is an identity security journey that’s more collaborative and more unified in its approach.
Top things to do and pitfalls to avoid
Identity security can be a complex problem for organizations to solve. But to gather consensus with stakeholders, IT leaders often need to present simpler solutions to help get them on board. In reality, identity security is an ongoing journey that the best companies will continue to refine as they go.
To learn how leading companies have cracked the code and implemented a robust and ongoing identity security program, we asked Larry Klein, Manager, Identity Governance and Administration at ExxonMobil, and Greg Handrick from Best Buy to share their top tips and pitfalls to avoid.
“My first suggestion for organizations is to focus on process simplification and harmonization,” said Klein. “It’s not just taking great technology and implementing it; you have to focus on redoing complex processes that are causing support nightmares.”
For ExxonMobil, the identity security program has given Klein’s team the authority to challenge any process and identify new, more efficient ways to design them. Occasionally, changing some processes may result in too much risk, so those are left as is. Otherwise, Klein’s team is able to streamline and simplify processes as they deploy identity security.
From Handrick’s perspective at Best Buy, the first tip for success is understanding the environment—the technology, the stakeholders, the business objectives, and how things might evolve. His second tip is to tailor your identity security message for your audience—recognize that how you discuss with the CFO will differ from how you discuss it with someone in marketing.
“My third top tip is to always deliver on the basics,” said Handrick. “Nobody will want to talk strategy with you if you can’t deliver the ability to create an account accurately and timely every time.”
Organizations are also advised to focus on change management for success. “We’re on a multi-year journey to replace over 20 different in-house custom-built apps while redesigning over 50 processes, so it’s going to take time,” said ExxonMobil’s Klein. “You have to plan for evolution and having multiple rollouts, multiple changes, and have a good change management plan, along with empathy for your business units.”
Klein also points out the value of having a people strategy. How are you going to staff the project? Are you using internal employees, external vendors, or partners? And what type of training is needed, and how will the vendors know about company culture?
“The key is to have all that laid out ahead of time as well as a people development strategy that allows for people to leave and join the project and company in ways that don’t impact the transformation.”
Insights into how identity security enables the business
Ultimately, all the questions about the value of implementing identity security come down to its impact on the business. To gain perspective on that issue, Gary Remy from Cognizant and Larry Klein from ExxonMobil shared their perspectives on the business impact of their identity security programs.
“We’re definitely getting good feedback and support from our C-suite,” said Remy. “It lets us shift from a tool-centric approach to a more outcomes-based approach, so we’re talking more about why we’re doing it and the business purpose.”
Just as important, Cognizant’s identity security program is gaining internal visibility so that everything from the company’s development practice to its client audit team is reaching back to the internal IAM team for subject matter expertise and getting them involved with clients on various identity topics.
For Klein and ExxonMobil, central administration is crucial to senior leadership. “The concept of one team handling all the practices and policies certified by risk management instead of every team trying to figure it out, or not doing it, is huge,” said Klein. A second significant value is auto-assigned access.
“If we can get away from having to request and provision 2,000 requests a day manually and move to a more automated assignment of access, it will give time back to the business.”
Larry Klein, ExxonMobil
How to overcome the knowledge gap
An essential step in achieving identity security success for any company is overcoming the knowledge gap between the IT department and various stakeholders, especially when everyone has expertise in different areas.
“Not everyone you talk to is going to understand identity security the way we do,” said Best Buy’s Handrick. “That’s why I follow Steven Covey’s advice to seek first to understand and then to be understood. It’s valuable to talk to the stakeholders—figure out their goals, challenges, business drivers, and pains so it can inform what you do.”
Another tip is tailoring your message. “We have all these different engagement channels, and we’re constantly communicating to different stakeholders in a myriad of ways, whether it’s the value that the solution will bring to them or an explanation of why we have to put some level of control in place,” said Cognizant’s Remy. “Overall, you want to simplify and standardize the message to what the audience can understand.”
Unblocking identity security
Successful identity security projects require attention to detail, good communication skills, and the right technologies. However, by following best practices and learning from leading companies that have already succeeded in deploying identity security, organizations of any size can increase their security while building an agile, unified identity platform that supports future growth.
Watch the Navigate 2023 customer panel that featured Best Buy, Cognizant, and ExxonMobil.
Discussion