I’m out in beautiful San Diego at the Gartner Catalyst conference – a great chance to meet face-to-face with our customers, partners, and analysts. On day one of the conference, one of our clients, a major U.S. financial institution, presented a case study on how SailPoint is helping the bank solve its identity governance challenges and achieve efficient, sustainable SOX compliance. I don’t have permission to name our customer presenter, so I’ll refer to her as “Sunny.” Sunny presented a very compelling overview of the bank’s journey over the last year – sharing how taking a risk-based approach to identity governance helped the company focus on the most critical exceptions and risks and improve compliance processes.
The Process – Identifying Top Priorities
Sunny began by describing how the bank embarked on the process of aggregating and correlating entitlements from 46 key financial applications to improve oversight and fully automate its access certification process. One of the bank’s primary goals was to focus on the high-risk business applications that needed the most scrutiny, and at the same time, improve their focus and decision-making by reducing the number of certifications that business users had to perform.
The Challenges – Dragged Down by Manual Processes and Lack of Context
Sunny then shared several of the challenges that the bank had to overcome to better address its compliance and security requirements. Prior to implementing SailPoint IdentityIQ, the company performed access certifications using time-consuming spreadsheets sent through email and battled with error-prone, inefficient manual processes. The process was so incredibly slow and labor-intensive that the bank could only certify its critical applications once a year – which was not acceptable for meeting compliance requirements. There also continued to be a lot of frustration throughout the company around certifying user access, because some of the entitlements were so cryptic that business users could not understand the descriptions and didn’t know what they were signing off on.
Quick Wins: First and Lasting Impressions
For me, the most interesting part of the presentation was hearing about the “quick wins” the bank has achieved since rolling out SailPoint. For example, the bank achieved a 99.9% completion rate on its first certification (only one manager out of 2,000 did not complete his access review – and he only had 4 employees). It was also refreshing to hear that the bank has experienced an overwhelming amount of buy-in from business users. In fact, Sunny said the bank’s business users actually thanked the IT team (how often does that happen?). Business units have also said that the IdentityIQ training was the best training they’ve ever had! In fact, the company is so pleased with IdentityIQ that additional business units have now asked to be included in the new and improved access certification process.
The Benefits – A Sustainable Approach to Compliance
The biggest takeaway from Sunny’s presentation is that by using a risk-based approach, the bank’s business users are now able to prioritize their compliance activities and focus controls on the users and resources that represent the greatest potential risk to the business. The bank plans to expand its risk-based approach in the future by focusing on high-risk privileged access and to move toward more frequent certification cycles to mitigate risk.
Learn More about Our Customer Successes
For those of you who didn’t attend Gartner Catalyst, you can find more information about SailPoint customers by reading our customer success stories, which capture best practices from our customers on many of the topics Sunny addressed.