Voices of experience – Best practices for initiating an IAG project
Most companies do not doubt that implementing identity and access governance in their organization might be a good idea. But what’s the best way to do it?
By following the advice of those who have gone before. Specifically, at Navigate 2022 in London, IT leaders from various industries recently shared their best practices for initiating an identity and access governance project. Here are their top recommendations:
- Make sure you understand the IT landscape. “The advice I would give is to ensure you’ve got the data that you need because without that, you’re flying blind. We did a lot of discovery upfront to understand what data we have, what access we have, what systems we have, how things are governed today, and how we want to govern them going.” – Head of Technology Risk, Retail
- Understand the business landscape. “The most important thing to do is discovery. Get as much data as you can about the organization. The more information that you have, the stronger position you’ll be in to make good strategic decisions,” said a senior manager of domain portfolio delivery for a telecommunications company. “The better understanding you have of each part of the business, including their requirements, what drives them, and their complexities, will enable and drive your strategic decisions. But you also need to relay the benefits of the project to the key stakeholders, so they are interested and looking forward to gaining benefits from the strategy.”
- Take a realistic view of what you can achieve. One sure way to kill a project is to overpromise and underdeliver. A large telecommunications company’s head of identity and access management highlighted the risk of organizations overestimating their capabilities. He suggested that organizations should consider all the data that are available in the company and the company’s level of maturity, including its human resources department and systems since they typically play an important role in deploying identity and access governance solutions. “If those systems and departments don’t have the right level of maturity, then you need to adjust your ambitions.”
- Focus on the business benefits. Of course, identity and access governance is designed to control access to systems and data. But according to a security architect for a finance company, there are other things to focus on when deploying a solution. “Make sure that the project is presented in a way that’s enabling the business rather than being seen as an imposition of a control,” he suggested. “It may seem like common sense, but it is very easy to reach a point where you deploy an element of governance, and the wider business may badly receive it if you haven’t done the right level of communication.”
- Involve the right stakeholders. Having powerful friends and allies can be a critical best practice for implementing identity and access governance. “The first challenge for organizations is to understand that deploying identity and access governance is not an IT or cyber program. It’s a program that needs to involve many stakeholders,” noted the chief technology officer for a manufacturing company. “And the challenge is to involve them at the beginning, to avoid any pushback from them not understanding the program’s objective.”
- Realize it’s a project, not a product. “A lot of companies are dreaming about the world of identity management. A lot of companies are very ambitious. They want to boil the ocean in one day, but this doesn’t work,” said a manufacturing company’s identity and access governance director. “Remember, the technology is just the enabler. In addition, you need management support, and you need the right processes and people to do the job.”
- Focus on all levels of the organization. According to the user lifecycle supervisor at a construction company, the secret to successfully initiating identity and access governance is to realize that it’s something that eventually has to be “embedded in the company.” To be successful, you have to be able to communicate its value to all levels of the organization, so IT leaders should make sure they are planning for that.
- Start with high-value targets. Lastly, the engineering manager for access services in the banking industry suggested taking a step-by-step approach focused on high-value targets. “If you’re in a highly regulated business, start with the leave process since that’s where you can focus on saving all your compliance breaches. Then move on to the joining process to make sure that your employees can join and start smoothly. You’ll want to leave the move process, which is a pain from end to end, to the point where you have the time and maturity for it.” – Engineering Manager, Access Services, Banking
Best practices for implementing identity and access governance will vary by organization and needs, but the real-world tips from the IT leaders profiled above are a great starting point for other companies just beginning to deploy identity security solutions.