Identity and Access Management (IAM) has touched everything for years. It establishes you at the enterprise level at your new employer (and it goes on living for you at your past employer database for years after you leave). It drives your access and your single sign-on. It personalizes your applications and remembers your favorites. Leading your identity and access management program effectively, can increase efficiency, reduce risk, and ensure compliance. If managed improperly, it makes for a “hostile work environment” (and short tenure).
Identity is no longer something else that the Architecture and Engineering teams wear yet another hat. It is not just some new security tools to hang your hat on (e.g., DLP, CASB). It is a new head entirely – it is at the Incident Detection and Response peer level. It is not another tool, but a new framework. Thus, it needs the right strategy, leadership, and skill set to ensure that this new pillar within the C(I)SO organization is rightly led and fed from the enterprise.
If you are a security professional with any tenure at your organization, you know that your identity protection and practices need some polish. You know there are gaps – but you are understaffed and overstretched. Even with some money in the budget, prioritizing and staying on top of that work is a full-time job. You do not have the time cycles nor the energy to do it all. However, you are a career security practitioner, so you are not new to these odds. The good news is you do not have to do this one alone.
Getting business in the boat
Have you witnessed how cybersecurity has gone from a technical term to a business term? So has identity and access management. Identity now stands (invisibly to some) in the boardroom objectives such as Digital Transformation and Hybrid IT. IAM is no longer a technical term; it has become part of the board and business-level discussion. Security practitioners who delay in getting started may find themselves being a follower instead of leading the charge.
As a security expert, you need to equip your boss to tell your story. You already have at your fingertips all the justification (trials and tribulations). The metrics are on your side, and they tell a compelling story (if you can organize it correctly). You want management in the boat with you from the beginning so they can see firsthand the challenges (and benefits) that an effectively managed IAM program can bring to the enterprise. And if they will not get in the boat with you, then wait for a change in management or an action-demanding security incident or breach. Funding will quickly follow if you are not caught up on the gallows with your boss.
Prep the surface
As a seasoned professional, you know all too well that this is not something to enter without sufficient air cover. You will need those higher-ups in the coming months to assist with influencing the personal will of entrenched IT custodians (as well as improving diplomatic relations between competing IT departments). You also need to present your case multiple times to management (so do not get easily frustrated or tired). It is not one and done. It is vision casting, fly fishing, that repeatedly you will tell the tale. The first cast will be to get permission (a sanity check) to start the investigative process. It will take some time to do it right – so do not treat this like some side hustle. Lay a good foundation. A solid identity and access program will bring you notoriety at your company. Either as public enemy #1 or as the next person in line for promotion. Help your boss present the case and get the buy-in from the board (if not already). IAM is just the area to do it! Assure the stakeholders- that you are looking to improve processes, efficiency, security, and bottom line in this program. It is not hype! Effectively managed IAM does all of that (and more). It is the area that will make (or break) your career.
Get a clue (and a plan)
You need to start. And start soon – but you do need a complete view of the land. You do not go on vacation, change apartments, buy a house, or go to grandma’s without a plan. So, do not start an IAM program without a plan either. You do not have enough unallocated cash left in the budget to do something substantial, but if you get the various vendors engaged, you can get a lot of what you need to start for no or minimum cost. An IAM assessment is a low-cost, high-return investment that will yield much fruit. As a seasoned security and identity practitioner myself – I will never start an IAM Program without a 3rd party assessment in hand (regardless of the green field, retool, or restart).
Remember the goal
Remember, you are not going to do this alone. You are bound to get A LOT of input from various departments and personalities once the company realizes that you are implementing this ‘crazy’ program. It is easy to get distracted with all those special interests – but each of those special interests adds value to the overall effort. Just do not let any one of them steal the show. The herd may take you in different directions. Remember, you are the leader – not them. The vision casting (fly fishing) will come in handy in the ensuing months as people try to force their will or agenda into yours. Stick to the plan and do not cave under various pressures.
Remember, the IAM program must serve the entire organization (not one). While one area or department might be the starting point, do not let the program be seen as “just compliance” or “just security. ” It is an enterprise program – not a pet project – and will take more effort up front but will save on labor (and your sanity). Any suggestions made by the various players should be to improve processes or make up for shortcomings in the way you do things today. Do not allow little wish lists to take you off target.
The reality is as the program takes shape and gains momentum, you will have doubters and others who will not get on board. That is a shame (and that is why you have senior-level support waiting to speak to them). You will also come across those who will jump in eagerly with both feet and who will want everything (and more) that they can get out of the program. Remember to hold the leadership reins tightly to guide the program. It is not an excuse or temptation to be Santa Claus.
Get ready to break things
Again, IAM touches everything. If you touch or change something, invariably, something breaks or stops working. This is where you need the visibility and support from the higherups mentioned above. Patience needs to be practiced. You do not have to be afraid to break a few eggs if you have the support of senior leadership. What you are going to do will touch areas that have been neglected or tolerated for a long time. Initially, you will get an outpouring of support. But over time, people will see that this is hard to do and will start to waffle. You need to be a strong leader and cast that vision yet again and get them back on task with you.
The fact is you do not have to change everything now. You just must make the quick early wins. Your manual processes are working? Great! But they are still manual. Reach out to that department later and find the more acute pain points and attack them first. If changing something drastically interrupts service – then attack that problem later (or just differently). It might not be the best, but it functions for now if it does not get in the way of the program. You are looking for visible quick wins to get you to the next phase of support. IAM is a multi-year marathon…not a sprint…so pace yourself…and create those phases.
Conclusion
Even after you get executive sponsorship, do not stop casting the vision of the IAM program as a value add across the enterprise. You will need continuous cooperation from the different departments of the organization. They need to know and eventually need to see what is in it for them. It is rare to have a business-enabling function within the C(I)SO organization. Now is the time and place where you can be more than just a cost center. You can stop being known as the “Abominable No Men” insecurity and become business class enablers. All that is stopping you is you.
– Randall Fields, Vice President, Customer Success, Simeio (originally published in Cybersecurity Magazine)
