What’s the difference between those organizations that successfully implement an identity management program and those that do not? It turns out that there are a number of common mistakes organizations tend to make that prove to be obstacles to their long-term identity success. This was one of the key takeaways at an expert panel I attended at the recent Navigate ’16 conference.
Lawrence Wolf, managing partner at strategic security and risk consulting services firm Edgile, said during the panel discussion that success often comes down to proper planning. Unfortunately, however, many organizations today still don’t take the time to plan strategically for their identity management efforts. “The planning process is so important and companies still surprise me today in their lack of planning. They’ll buy the technology without planning what they’re going to actually do with it, which typically leads to what I would call a ‘one and done’ technology implementation,” said Wolf.
Wolf made the point that it’s difficult to elevate identity management planning out of the IT department because many organizations are used to buying a technology and having it deployed and managed by IT. “But identity is an enterprise-wide deployment, and requires enterprise-wide buy-in, budget, and effort,” he said.
By properly planning for the impact an identity management program will have across the entire organization, enterprises will understand what it will take to succeed in their efforts. “I ask clients if they have ever deployed an ERP solution in the past. I explain that it’s much like that. If they haven’t ever deployed anything that touches everyone in the organization, that’s a red flag to them that they are going to need to be taught how to think outside of IT and look at a different way of deploying the technology,” Wolf said.
Over the years, after interviewing countless CIOs, CTOs, and others who have been part of identity management deployments, it strikes me that it has been very common for enterprises to not plan their identity management efforts accordingly, but instead approach these efforts in a mishmash: with one effort aimed at Web sign-on, another at provisioning, single sign-on for a group of apps, and so forth. Organizations end up with an integration mess with too many disparate initiatives underway, too many vendors, and not enough thinking holistically about how identity management has the ability to improve processes throughout the organization when properly planned and managed over the long haul.
Avinash Rajeev, principal cyber security practice at PWC, agreed that planning is essential, and added that planning must be for a sustained program. “As integration partners and as identity vendors, I think sometimes the expectation [from clients] is that identity is a focus for a few years and then it’s done. But it’s not. It is an ongoing journey. Things evolve: products evolve, the technologies evolve, threats evolve and everyone has to plan for that sustainability,” Rajeev said.
“What we see are [customers] good at hiring the experts to come in for that phase one, set up the infrastructure, and get it all up and running, integrate the initial set of critical applications, and then declare victory,” said Rajeev. When they declare their identity deployment victory, these enterprises then move to become independent of the consulting teams that helped them get set up, but this is too often a rushed, poorly executed handoff. Companies will quickly move on their own and not complete the proper knowledge transfer required for long-term success. “They fail on knowledge transition and it becomes thirty days before the consultants are supposed to leave. That rarely works out well,” he says.
The fix? If organizations are really interested in making their identity management programs sustainable, they have to make sure that their teams are embedded with the external identity vendor or system integrator so that they learn enough to have a polished transition from day one.
Building that embedded team is essential for long-term success, said Anthony Berg, senior manager cyber risk services at Deloitte. “Make sure up front that is part of the project, and there’s adequate time for the knowledge transfer. That you’ve planned into the project not just an incidental [employee-expert] shadowing but specific knowledge transfer activities, and even artifacts or deliverables related to making sure your team is enabled,” he said.
The panel agreed that enterprises should take full advantage of the training courses vendors provide, and get their teams familiarized with the products so that they have a foundation of basic capabilities in place. That way, when it comes to identity, their teams understand the basics of onboarding an app, the basics of building a correlation rule, and the basics of all those elements, so they can build on that experience.
Dave Hendrix, VP, client and partner services at SailPoint, agreed. He advises enterprises to focus on the essentials: hire the right people and train them. “There’s not enough people with the identity skills out there to satisfy the demands in the market. You have to find people with the right innate skill sets, and then you have to build a program that trains them,” he said.
Sounds spot on to me. And those that don’t heed such advice risk ending up where many enterprises have ended up already: a disjointed Identity Management initiative that doesn’t meet expectations or scale. And, with the increased reliance on cloud services, more apps and devices coming online that are all going to require tighter identity controls, that’s just not an enviable place to be.