Using risk to align IAM with business objectives

Why alignment matters

It is easy to see how an IAM initiative relates to your organization's process, data and technology needs. The connection between your IAM program's direction and your organization's overarching business objectives can be harder to spot. Don't let that fool you: aligning IAM with business objectives is valuable both to information security and to achieving enterprise-level goals, and incorporating risk data into your approach can help you get there. Tying your IAM program to business objectives provides overall direction, clarifies purpose and strengthens executive sponsorship. A risk-based perspective is a strong way to tighten that alignment and to communicate program value.

Using risk data to demonstrate value

Cybersecurity risk describes how much loss is likely to occur and how often. It is typically calculated by combining likelihood (the rate at which a threat successfully exploits a vulnerability) with impact (the loss from each event), and it can be expressed in qualitative terms (high, medium, low) or quantitative terms (expected loss per year).

Understanding and using risk-related data can assist your IAM program to prioritize functionality, fine-tune direction and provide business value measurement.

  • Prioritize functionality: review risks based on organizational objectives mapped to your IAM program
    • Example: Increase the number of systems whose privileged accounts are vaulted, based on your organization's priority to secure customer data
  • Fine-tune direction: proactively automate protection into your current IAM processes
    • Example: Ingest cybersecurity risk data to drive more frequent access certification of high-risk systems that contain PII
  • Measure business value: discuss IAM business value in terms of reduced event loss costs and reduced threat likelihood rather than reporting typical IAM statistics, such as the number of accounts provisioned or entitlements revoked
    • Example: "Based on our organizational priority to secure customer data, the IAM program has reduced threat likelihood by 25% and expected event losses by $100,000 through our privileged account management project this past quarter."
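The three uses of risk data above can be worked through with numbers. The following is an added example, not code from the article or from EY: it ranks a constructed asset inventory by expected annual loss (threat rate times vulnerability times impact, the risk model described above), up-weights assets tied to the assumed business objective of securing customer data, derives an access-certification cadence from the risk level, and then reports the value of vaulting privileged accounts as a percentage reduction in likelihood and a currency reduction in expected loss. All asset names, rates, thresholds and the 50% vulnerability reduction are assumptions for illustration.

```python
"""Risk-based prioritization of IAM work: rank assets by expected annual loss,
derive an access-certification cadence, and report a control's value as
reduced likelihood and reduced loss. All figures below are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    holds_pii: bool          # ties the asset to the "secure customer data" objective
    threat_rate: float       # expected attack attempts per year (assumed)
    vulnerability: float     # probability an attempt succeeds, 0..1 (assumed)
    impact: float            # loss per successful event, in currency units (assumed)

    def likelihood(self) -> float:
        """Expected successful loss events per year: threat x vulnerability."""
        return self.threat_rate * self.vulnerability

    def annual_loss(self) -> float:
        """Annualized loss expectancy: likelihood x impact."""
        return self.likelihood() * self.impact


def prioritize(assets, pii_weight=2.0):
    """Order assets for vaulting/certification work. Assets holding PII are
    up-weighted because the assumed business objective is securing customer data."""
    def score(a):
        return a.annual_loss() * (pii_weight if a.holds_pii else 1.0)
    return sorted(assets, key=score, reverse=True)


def certification_cadence(asset) -> str:
    """Map expected annual loss to how often access should be re-certified.
    The thresholds are assumptions, not figures from the article."""
    loss = asset.annual_loss()
    if loss >= 100_000 or (asset.holds_pii and loss >= 25_000):
        return "monthly"
    if loss >= 10_000:
        return "quarterly"
    return "annually"


def apply_control(asset, vulnerability_reduction):
    """Model a control (e.g. vaulting privileged accounts) as lowering the
    probability that an attempt succeeds; impact is left unchanged."""
    new_vuln = asset.vulnerability * (1.0 - vulnerability_reduction)
    return replace(asset, vulnerability=new_vuln)


def value_report(before, after):
    """Express program value the way the article recommends: reduced threat
    likelihood (percent) and reduced expected annual loss (currency)."""
    lik_before = sum(a.likelihood() for a in before)
    lik_after = sum(a.likelihood() for a in after)
    loss_before = sum(a.annual_loss() for a in before)
    loss_after = sum(a.annual_loss() for a in after)
    return {
        "likelihood_reduction_pct": round(100.0 * (lik_before - lik_after) / lik_before, 1),
        "loss_reduction": round(loss_before - loss_after, 2),
    }


# Constructed inventory for illustration only; not real systems or measurements.
INVENTORY = [
    Asset("crm-db", holds_pii=True, threat_rate=4.0, vulnerability=0.10, impact=200_000),
    Asset("hr-portal", holds_pii=True, threat_rate=2.0, vulnerability=0.05, impact=50_000),
    Asset("build-server", holds_pii=False, threat_rate=10.0, vulnerability=0.20, impact=30_000),
    Asset("wiki", holds_pii=False, threat_rate=5.0, vulnerability=0.02, impact=5_000),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:13} ALE={a.annual_loss():>10,.0f} certify={certification_cadence(a)}")
    # Vault privileged accounts on the PII systems; assume this halves the
    # probability that an attack attempt succeeds there.
    after = [apply_control(a, 0.5) if a.holds_pii else a for a in INVENTORY]
    print(value_report(INVENTORY, after))
```

Note that the ranking and the value report do not agree with the raw IAM statistics: the build server has the most expected successful events per year, yet the customer-data objective moves the CRM database ahead of it, and the reported value of the vaulting project is a drop in likelihood and expected loss rather than a count of accounts vaulted.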

Five steps toward alignment

The following steps will put you on the path to a business-aligned, risk-informed IAM program that advances business goals, increases organizational security and clearly communicates its value.

  1. Start with the business: understand business objectives and how they map to the IAM program
  2. Understand your risks: compile risk- and asset-related information and perform risk assessments
  3. Evaluate the current and future state: complete an IAM program assessment and build a road map based on organizational objectives and their related risks
  4. Implement change: begin alignment project activities, including organizational change management, to support stakeholders and end users
  5. Measure and report out through a business and risk lens: demonstrate IAM program value through risk-related reporting

The views expressed by the presenters are their own and not necessarily those of Ernst & Young LLP or other members of the global EY organization.

Read this article and others in the Identity Insider Magazine.

