Getting Real about Transparency: What You Can’t See May Bite You

In SailPoint’s second Market Pulse Survey (announced yesterday), we asked Global 2000 companies about how they are managing IT risk given the economic downturn and resulting corporate churn. Not surprisingly, given the recessionary budgets and resource allocations these companies are facing, the survey showed that companies remain very exposed to the risks of insider threats – fraud, IP theft, and sabotage.

Here’s what we learned from the responses of 125 directors of IT at Global 2000 companies:

  • Only 14% of organizations feel they have adequate controls in place to address the risk of insider threats.
  • 57% of companies don’t have enterprise-wide visibility into their company’s user access privileges.
  • Although almost half of the respondents have faced a major layoff in the last six months, 42% of the responding companies do not have the ability to promptly remove user access when a layoff occurs.
  • Nearly 50% of the respondents either do not have, or underfund, the IT risk management function.

My overall takeaway from the survey is that companies simply do not have the transparency they need to effectively manage worker access to sensitive data and applications, especially in this time of escalated business risk (constrained IT budgets, high workforce churn, worker malaise, etc.). Verizon’s latest data breach study reveals the grim fact that in 2008, more electronic records were breached than during the previous four years combined. What caught my interest about that report was the conclusion that mistakes and oversight failures hindered security efforts more than a lack of resources. In other words, budgets are only part of the equation – a disciplined approach to managing identity risk that includes the right monitoring and controls can go a long way in mitigating the insider threat – without breaking the bank.

To end on a positive note: there was a glimmer of hope in the SailPoint survey results. I was encouraged to see that two-thirds of the companies now have an IT risk management function within their organizations, even though that function may not be allocated budget. I’m optimistic that organizations are beginning to put the right level of focus on this issue and are making progress in building transparency and accountability into their identity management strategies.

Stay tuned for our third Market Pulse Survey on this topic later this year. I hope we see progress on many fronts.