A CISO’s View of Successful Identity Governance
In a modern enterprise, a CISO’s job is a complicated one. With the increasing risk of cyberattacks, and need for a flexible work environment, security and accessibility are in a never-ending competition. Every organization’s IT infrastructure is different, but most CISO’s would agree that a secure enterprise has a strong identity governance program at the center of its security strategy. We had a SailPoint customer – the CISO of a Fortune 200 company speak to us, and this is what he shared.
There are a number of reasons why CISOs suffer from loss of sleep. In the wake of security breaches being a common occurrence, the implications of a breach are also increasing. But because of the frequency, when we hear about a breach the shock we used to feel has lessened. He has reason to worry according to SailPoint’s Market Pulse Survey, which revealed that 67% of IT leaders surveyed reported their company had been breached in the last year. “Reputational compromise, financial implications and productivity loss are the major areas of damage a security breach can cause. Preparing my organization for the changing IT landscape and the potential havoc of a breach is my top priority,” he said.
According to AT&T’s Cybersecurity Insights 2017 report, cybercrime damages are expected to rise to $6 trillion annually by 2021. If your organization has inadequate controls in place or weak password management, you risk becoming part of that statistic. Most CISO’s would argue that mitigating risk goes back to implementing strong access controls and building an employee culture with a deep understanding of password hygiene. One of the ways he believes an organization can drive organizational efficiency with their identity program is through self-service password management. The advice he’s shared with his peers is, “Self-service password management (can be) a significant value proposition….driving ROI for an organization”.
Mitigating risk also goes beyond provisioning access to applications. The volume of unstructured data produced within an organization increases exponentially each year. The biggest risk with unstructured data is the massive lack of visibility and the resulting lack of control. By extending your identity governance program to unstructured data, you are also able to manage files shared, moved and stored on Sharepoint sites and other applications housing these files.
Once you decide your organization needs to implement an identity program, or update a legacy environment, now what? Identity programs when done right take time and a team of qualified people behind them. This CISO has implemented or advocated for identity governance programs at several large global brands, opting for different deployment methods at each unique organization. “The requirements for an identity program vary from organization to organization, but what is important across the board is to find an identity vendor that will become a long-term partner,” he recommended. At his current organization, the identity program’s goal was security and risk management. They were replacing a legacy environment and looking to improve user experience, enhance controls and gain audit/regulatory support. He heavily weighed each of these requirements when looking at identity vendors to partner with.
If you are a CISO putting together your case of an identity program, he believes you should carefully consider your top requirements, your industry’s regulatory environment, as well as a vendor that you can partner with through the process. “We were working against an aggressive timeline to get our identity program up and running. I needed a solution that we could quickly deploy and would also show its value in a short amount of time”, he shared. For that reason, this organization went with a SaaS solution. Regardless of the deployment method, take this CISO’s advice and gain a clear vision of your strategy, as well as a team of identity professionals you can partner with to build a secure and successful identity program.