Identity and Access Management: The Pursuit of Invisible Value

Identity and Access Management (IAM) is the cornerstone of security. Proper IAM enables legitimate internal and external users to access the right data at the right time from the right devices. While IAM may seem like a check box in the journey to technology transformation, its role is much larger. 

CIOs identify and focus on current strengths and weaknesses to arrive at a best-of-breed IAM solution that is structurally sound and integrates well in the organizational technology ecosystem. They implement IAM programs that enable efficiency and trim duplicative or overlapping technologies so that organizations are not over-licensed for capabilities that will not be utilized. 

IAM brings value 

IAM must be balanced for three things — speed, risk, and usability. IAM can enable enterprise transformation projects through automation that enables quicker access. It allows for movement of workloads into the cloud seamlessly and enables companies to externalize applications that are on-premises. However, speed must be balanced with each organization’s unique risks. While the right IAM structure can reduce risk, insufficient IAM can increase risk. 

Usability is also an important factor in an IAM program. Whether the solution is single sign-on or multifactor, a simplified, well-designed solution that is easy to use and understand can improve the user experience, make employee onboarding seamless and reduce help-desk calls. Conversely, a poorly designed solution can create friction in a user’s experience depending on what choices are made in the technologies and processes that are put in place and can negatively impact user adoption. 

It takes time to build the right identity infrastructure. Once a robust IAM foundation is established, organizations can move faster into future states. To work towards an optimized IAM state, CIOs should: 

• Target incremental progress over perfection 
• Aim for infrastructure with governance 
• Gain visibility into all identity profile types such as employees, non-employees and customers to ensure a unified IAM experience after a merger or acquisition 
• Choose smart partners and effective products with a track record of success 
• Address pain points upfront to gain buy-in 

Target incremental progress over perfection 

It is critical to understand that IAM is not a project – it is an ongoing program that must span and align with the life of the organization. CIOs should aim for incremental progress over delayed perfection. IAM must be maintained, keeping pace with growth and dynamic business needs.

Aim for infrastructure with governance 

Beyond choosing the right technology, strong IAM requires a solid infrastructure, with a strategy and a roadmap. CIOs should build out a strong IAM infrastructure with ongoing maintenance and improvement that aligns with business needs. While a strategy and a roadmap are instrumental, they must be accompanied by a governance model led by a steering committee that champions the voice of the customer. The steering committee serves to inform C-suite decision-making with an empowered understanding of business pain points, risks and security challenges. It is then that informed decisions about trained staff can be made to ensure that the organization’s crawl-walk-run strategy leads to the stated vision. 

Gain visibility into all identity profile types 

An effective IAM program creates a consolidated record for each person as one identity. For a comprehensive view of each user’s accessibility and associated risk, IAM must be able to form a single identity for each user. While many organizations are focused on employees (e.g., segregation of duties), client identities across the various business units are just as important, particularly in the case of corporate mergers and acquisitions, where a customer might have access across several business units. A strong IAM program addresses disparate identity issues by developing a consolidated profile for each person across a unified user experience when they interact with the organization. 

Robust IAM demands smart partners and effective products 

Effective IAM is not a do-it-yourself program. To prevent user access breach disasters, CIOs must recognize that they need smart partners and best-in-class products. Experienced IAM partners enable flexible frameworks that control risk while leveraging customized technology such as intelligent process automation (IPA) and artificial intelligence (AI). 

Address pain points to gain buy-in 

IAM touches every aspect of the organization, making implementation and adoption very challenging. When new controls are implemented, users often find a way around them. Offering value propositions to C-suite members is key to effective implementation and acceptance. The sooner users are vested in the controls, the more successful the program will be. Issues unique to C-suite members include: 

Chief Risk Officer (CRO) and Chief Administrative Officer (CAO) – Access governance models, monitoring, prevention and remediation strategies and identity risk scores (of internal and external users, including vendors) are top concerns. It is important to demonstrate value by providing traceability for faster, more accurate audits. Implementing IAM controls to address access and permission for risk reduction offers value propositions to CROs and CAOs. 

Chief Financial Officer (CFO) – Preventing and mitigating data breaches, protecting assets, and demonstrating return on investment are critical to CFOs. They look for increased production, efficiency and value, while protecting sensitive assets with privileged access management programs. 

Chief Data Officer (CDO) – Protecting data from hackers is the critical task of CDOs. IAM offers the data protection, monitoring, privacy policies and classifications that CDOs want while also applying analytics for enriched, contextualized data from protected data lakes. A collaborative partnership between the CIO and CDO is crucial for building an IAM strategy that considers the who, when, why and how of data access. 

Chief Marketing Officer (CMO) – CMOs are interested in privileged user management, which is the activity of users who have privileged access. They are concerned with controlling proper usage of social media accounts and other external-facing communications to secure brand value. And they appreciate the ability to rapidly capture customer information, protect customer identity and enable quick authentication. 

Where do companies go from here? 

IAM brings significant ROI to enterprise transformation by: 

• Supporting compliance 
• Elevating security 
• Increasing operational efficiency 

While the most significant benefits of IAM cannot be numerically quantified, the value of an effective IAM program is undeniable, because access breaches come with severe consequences and both monetary and reputational costs. 

To acquire the greatest benefit from IAM during enterprise transformation, companies should undertake the following, with each step centered on IAM: 

1. Understand the organization’s current processes, users and technologies 
2. Know the organization’s transformation infrastructure goals 
3. Understand the drivers for transformation 
4. Assess how IAM fits into enterprise transformation 
5. Lay out an IAM strategy with subject matter experts 
6. Evaluate gaps and opportunities and discuss pain points with business centers 
7. Create a roadmap that delivers iterative and consistent improvements to security, risk reduction and the user experience 

Identity and access management are difficult and ongoing. CIOs should aim for progress over perfection. IAM programs that scale for growth are essential to bringing a future IAM state endowed with security, speed and visibility. 

Learn more about Protiviti’s Identity and Access Management Services.

Connect with the authors:

Ashraf Motiwala

Managing Director, Security & Privacy

Chad Wolcott

Managing Director, Security & Privacy

Dusty Anderson 

Managing Director, Security & Privacy