Navigate 2019: Compliance Fatigue, Who Has Time for That?

It’s time security and identity teams stop thinking so much about identity. It’s time organizations stop having to think so much about access rights and privileges, provisioning workflows, passwords, access certifications, and all that’s associated with them. It’s all hard, often repetitive, work, and there are other things the organization needs to be concerned about.

No, I’m not saying that we don’t need identity management and governance any longer. Quite the contrary. It’s just as, if not more, crucial as ever. Identity is central when it comes to securing the environment, meeting regulatory compliance, and providing great user and customer experiences. I’m saying identity has become so important to the organization that it needs to become part of the fabric of business-technology.

Take access certification as an example. Access certification was one of the big themes throughout the discussions at Navigate this year, especially when it came to access certification fatigue. Business users are overwhelmed with requests to certify access to all of their (increasingly growing) list of applications. Too often they don’t understand the access and entitlements they’re approving, or they’re so overwhelmed with requests that they just start certifying access lists to get them the heck out of their to do queue.

These aren’t the types of things enterprise security and identity teams want to be working on. They’d much rather find more efficient ways to achieve the required certifications so they could focus on more business-strategic things. At Navigate we heard from many companies that want to improve and automate their processes, improve their customer experiences, get better control of privileged access accounts, improve return on technology investments, and help make their organizations more secure and agile.

Unfortunately, many security and identity management teams – who want to do more and be supportive of the business – are stuck on these painful treadmills. And they’re stuck in place just trying to keep up as the business is asking them for help to move forward and advance the business. But the challenge is, despite all of their efforts, the increased complexity of business-technology environments and the sheer number of devices, applications, resources, and data that they must effectively manage access – and the old processes that have been in place for several decades now are no longer sufficient.

As SailPoint co-founder and CEO Mark McClain said during his opening keynote, “We have to be able to enable our teams to get their jobs done. We have to say yes. They need the apps, and the data to do their jobs. But the reality is the complexity, the rate of change, and the scale that in most enterprises now are making it extremely difficult to decide who should have access to what.”

I spoke with a lot of identity managers and security officers over the past few days with whom those words resonated. They are taking the steps they need to gain get their identity programs where they need them. They’re trying to automate much of the mundane work that you’d expect. They’re automating access certifications processes, to the extent they can be. They are automating password resets. They are gaining better governance over critical applications and data. But they’re not scaling as quickly as they’d like, or as they likely need to be.

They do see hope on the horizon, however. I spoke with many CISOs and identity executives who hope, and I heard their growing enthusiasm that machine learning algorithms and artificial intelligence can help them scale where decades-old processes and throwing more labor and the challenges haven’t.

Effective identity analytics obtains identity insights by looking at all of the identity data already within the organization and reviewing it at speeds humans just can’t. The system can identify low-risk access requests and provide automatic approval, and it can spot outliers that should be looked into and bring them to the attention of the appropriate people. And as new applications and digital services come online, machine analytics can provide real-time, data-driven, and risk-based feedback so that the organization remains agile and secure.

That’s why it’s time security and identity professionals alike should be able to stop soon having to think so much about identity. It’s time to let the machines think about the mundane stuff. And as machine learning lives up to its promises, and it certainly eventually will, it will do much more than that. It will help businesses to drive down the complexity of identity management, and for most people in the organization, identity management will fade into the background. Just where it should be.