Navigate 2022: The Customer Identity Panel
Authored by Brian Royer, Content Marketing Writer
The Navigate 2022 Customer Panel: Identity as a Digital Transformation Accelerant, held earlier this month during our annual conference, proved to be an engaging blend of organizations at various stages of their identity management programs.
SailPoint’s Chief Customer Officer, Meredith Blanchar, set the table for this session by observing that what makes identity security unique is striking a balance across several vectors. These include managing the fine line between securing and enabling the business at a rapid scale (e.g., frictionless experience); recognizing the importance of identity security as a program that’s a business essential, not just a project; and finally, retaining the right level of tech and business savvy needed to keep the organization invested in the journey (e.g., explaining the business value in a way that’s easy to understand and compelling across all stakeholders).
The panel of customers from various organizations, all leveraging technologies and at very different points in their journey, were asked about their most significant challenges and concerns in supporting the business in reframing identity security as a true enabler.
“While we’re a customer-service-based organization, when I think of friction, it’s often in the context of our associates,” said David Hetzler, Director of The Home Depot. “We want to remove friction so associates, on day one, have the access they need to be productive and drive revenue. Conversely, when we’re looking at someone coming into the company to do something they shouldn’t, we want to be able to exert the maximum amount of friction possible so they can’t. Ideally, we want to apply appropriate levels of friction wherever possible,” he said.
Joshua Brown, CISO at H&R Block, noted that with one of the largest seasonal workforces in the country, onboarding and offboarding as many as 80,000 employees a year, keeping friction to a minimum is desirable. “Providing the right level of friction for the right level of risk is important. It’s also important for our employees to have the right access at the right time, including if they change roles, move to different projects, and so on, and all of that needs to happen automatically. A frictionless experience is something the business recognized, as identity-based attacks continue to be one of the largest, if not the largest, attack vector for us over the past few years,” Brown said.
Organizations increasingly see identity security as a program, not a project, evolving into something that makes it ‘business essential.’ Embracing that as fact, and successfully selling it to the organization or reminding the organization of it, unlocks the realization that this is core to the business, and it often requires an evolution in thinking and execution. “We started our journey with SailPoint as others do, perhaps, as a compliance project. However, as the landscape evolved, it became a part of our security program. As we’ve moved forward, it’s become a business enabler,” said Tressa Springmann, CIO of Lifebridge Health.
Similarly, Brown affirmed H&R Block’s commitment to enablement. “We need to meet the needs of our clients, wherever they are, despite having 10,000 retail locations. We need people to be able to work from where they want, and the business was very understanding in pushing the value of identity management so they could work securely from anywhere they needed to.”
Getting It Right
Having to prove the value of identity security is a ubiquitous experience among identity professionals. But what’s often overlooked, and possibly more important, is the ‘cost’ of inaction, getting it wrong, or doing only a partial job of identity security. Being able to convey value to stakeholders effectively speaks to the business value of identity security done well and the (potential) downfalls of getting it wrong.
Hetzler replied with the most extreme use case. “I look at that and ask, what if you had no IAM program, give everyone access to anything they want? But the moment you say that to stakeholders in the business, they will reject that idea with the need for controls.”
He added, “So, how do you explain the benefits of an IM program? Well, you will not be compliant if you don’t have one. You’re not going to get the revenue. And if you don’t manage risk, you will have a breach. It’s the ability to describe the sum of all things and how they come together and then make sure you tailor that to your stakeholders and their values.”
“Identity is the new micro-perimeter,” said Brown. “It’s the first and best line of defense, especially when you consider identity security foundational for everything else you do. You start by getting your identity right. When you paint the picture relative to the criticality of people having to prove who they say they are and what they should be able to access, it’s a no-brainer.”
Springmann suggested that the role of leadership is to establish governance that’s constantly re-evaluating the external set of risks, the internal threats, and what vendors are developing that the organization is not taking advantage of.
Pitching the Program
Getting buy-in, or bringing the business along so that it is excited and views identity as an enabler rather than something restrictive to its way of doing business, can be both a challenge and an opportunity, requiring varying approaches based on the organization’s culture and openness to change management.
“You need to be a student of your organization’s culture to understand their penchant for risk and how they see themselves on an innovation scale,” said Springmann. “These ‘polarities’ speak to the culture, and what may be successful in one culture may not have the same characteristics when presented in a different industry. You also have to communicate effectively why this is important to the organization. When you have all that in place, you end up with an alignment for a successful and sustainable implementation.”
The final question from SailPoint’s Blanchar was obligatory: What would you tell yourself if you had a chance to do it all over again?
“Since we approached this as a program, not a project, we should never have to do this again,” explained Brown. “It’s much more rewarding when you get it right, even if it means taking the harder path.”
Hetzler echoed his fellow panelist’s perspective that getting it right the first time, with the proper foundation, ensures you won’t be back to the drawing board, at least not in the near future.
“Identity is all about people, processes, and technology. It’s also about making sure you have a good blueprint for the foundation because if you get the wrong foundation under this, you’ll be back again in a few short years to rebuild it,” he said. “So make sure you do all the basic blocking and tackling, team building, and foundation building from the ground up. We were able to change up our joiner-mover-leaver, certification, access requests, and password management in a rapid fashion not only by partnering with SailPoint but also because we focused on building a good foundation.”
And to put a fine point on it, Hetzler added the session’s final observation: “How do you thread the needle where the problem is complex in a way that looks simple? Our goal is how do I make identity look simple to everyone, but with all that complexity, within the IAM team, make it easy to make our company secure.”