
Facepalm Files: The unintended consequences of automatic escalations

By Steve Toole, Principal Solution Consultant, SailPoint

The setup:

Early on in my identity career – when I was just starting out as an identity leader, and excited to tackle my first big challenge – I was given my first big project: building an access certification solution. As the new leader at this financial services organization, I really wanted to make my mark. The goal seemed straightforward enough: we wanted to empower application owners to review and certify access to their applications, specifically focusing on SOX-related applications. We dove in headfirst and built a system that took in automated feeds, notified application owners directly, and gave them a clear view of who had access to their applications. Full of naïve confidence, we believed we were about to change the game for access reviews!

The (well-intentioned) problem:

To ensure timely reviews, we implemented automatic escalations. If an application owner didn't respond within a certain timeframe, the certification request would escalate to their manager, and then their manager, and so on. We thought we were being proactive, ensuring that no access review fell through the cracks. What could possibly go wrong?

The facepalm moment:

You guessed it. Eventually, all the escalations ended up in the CEO's inbox. Hundreds of emails. Apparently, many application owners were either too busy or simply ignored the initial requests. The escalation logic, while well-intentioned, created a flood of notifications that ultimately reached the top of the organization.

The CEO was incredibly gracious. He told us how important our work was to his organization… but he also politely requested that we find a way to avoid filling his inbox with access certification requests. Talk about a facepalm moment!

The lessons learned:

  • Think through the escalation paths: Don't just build escalations for the sake of it. Consider the potential consequences and where those escalations might land.
  • Application owner buy-in is key: Access certifications are only effective if application owners actively participate. Focus on making the process easy and intuitive for them.
  • Sometimes, "Off-the-Shelf" is better: Building your own identity solution can be tempting, but it's often more complex and resource-intensive than you might anticipate. Consider the long-term costs and benefits of building versus buying. Could a purpose-built solution like SailPoint have prevented this? (Spoiler alert: probably!)
  • Test, test, and test again: Before rolling out any solution, thoroughly test the escalation logic with a representative sample of users. This would have quickly revealed the potential for CEO-level inbox overload.
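
As an added example (not code from the post or from SailPoint; the org chart, application owners, responder behaviour and the shared queue name are all constructed), the following Python simulates the escalation chain described above. It runs the campaign twice: first with the unbounded logic the post describes (escalate to the manager, then the manager's manager, until the reporting line runs out), then with the bounds the lessons point to: a cap on the number of escalation hops and an escalation ceiling, with anything still open diverted to a shared identity-team queue rather than a senior inbox. Running it on a handful of requests is exactly the kind of dry run that would have shown where the notifications end up.

```python
"""Simulate access-certification escalation paths (added example, not the post's code).

All names below are constructed: a small reporting chain, three application
owners, and a hypothetical shared queue for the identity team.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Constructed reporting chain: person -> manager (None marks the top of the org).
ORG_CHART: Dict[str, Optional[str]] = {
    "owner_payroll": "mgr_finance",
    "owner_ledger": "mgr_finance",
    "owner_trading": "mgr_trading",
    "mgr_finance": "director_ops",
    "mgr_trading": "director_ops",
    "director_ops": "cfo",
    "cfo": "ceo",
    "ceo": None,
}

# Constructed: only one application owner actually completes their review.
RESPONDERS: Set[str] = {"owner_trading"}

# Hypothetical shared mailbox that absorbs reviews nobody in the chain handled.
FALLBACK_QUEUE = "identity_team_queue"

# Hypothetical escalation ceiling: never route a certification to these people.
EXEC_CEILING: Set[str] = {"cfo", "ceo"}


@dataclass(frozen=True)
class CertRequest:
    application: str
    owner: str


# Constructed certification campaign: three SOX-style applications.
REQUESTS = [
    CertRequest("payroll", "owner_payroll"),
    CertRequest("general_ledger", "owner_ledger"),
    CertRequest("trading_platform", "owner_trading"),
]


def run_campaign(
    requests: Iterable[CertRequest],
    org: Dict[str, Optional[str]],
    responders: Set[str],
    max_hops: Optional[int] = None,
    ceiling: Optional[Set[str]] = None,
    fallback: Optional[str] = None,
) -> Counter:
    """Route each request, escalating whenever the assignee does not respond.

    max_hops=None and ceiling=None reproduce the post's unbounded logic.
    With a hop limit or a ceiling set, escalation stops early and the open
    request is sent to `fallback` instead of the next manager.
    Returns a Counter of notifications received per recipient.
    """
    inbox: Counter = Counter()
    for req in requests:
        assignee = req.owner
        hops = 0
        while True:
            inbox[assignee] += 1
            if assignee in responders:
                break  # review completed at this level
            manager = org.get(assignee)
            exhausted = (
                manager is None                                   # top of the org
                or (max_hops is not None and hops >= max_hops)    # hop cap reached
                or (ceiling is not None and manager in ceiling)   # would hit the ceiling
            )
            if exhausted:
                if fallback is not None:
                    inbox[fallback] += 1  # park it with the identity team
                break
            assignee = manager
            hops += 1
    return inbox


def unbounded_campaign() -> Counter:
    """The post's original behaviour: escalate until the chain runs out."""
    return run_campaign(REQUESTS, ORG_CHART, RESPONDERS)


def bounded_campaign() -> Counter:
    """Bounded behaviour: one escalation hop, executive ceiling, shared fallback."""
    return run_campaign(
        REQUESTS, ORG_CHART, RESPONDERS,
        max_hops=1, ceiling=EXEC_CEILING, fallback=FALLBACK_QUEUE,
    )


if __name__ == "__main__":
    for label, result in (("unbounded", unbounded_campaign()), ("bounded", bounded_campaign())):
        print(f"{label}: " + ", ".join(f"{who}={n}" for who, n in sorted(result.items())))
```

With the three constructed requests the unbounded run delivers two certifications to the CEO (one per ignored owner), while the bounded run delivers none: each ignored request stops at the owner's direct manager and then lands in the shared queue, where the identity team can chase it. Scaling the request list up is how you find out whether "hundreds of emails" is a real risk before the first campaign goes live.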

The takeaway:

Homegrown identity solutions can be a tempting way to address specific needs, but they often come with unforeseen consequences. This experience taught us the importance of careful planning, thorough testing, and a healthy dose of humility. And, of course, to always consider where those escalations might end up!

Don't let these identity missteps happen to you. Modern Identity Security for Dummies, SailPoint Special Edition offers a simpler path to success. Download it now!