IAM—Who’s Ultimately Responsible?

It’s a familiar tale. HR wants to increase efficiency. Security needs to reduce the risk of a breach. Legal have their eye on safeguarding, and IT are swamped with reset requests. For modern businesses, a wide array of stakeholders have an interest in streamlining processes, protecting their people, knocking down the proverbial walls of the traditional office and freeing employees to do their best work – wherever they are. It’s something I’m passionate about as a CIO, and it asks us to think innovatively about how we can enable seamless productivity.

With Identity and Access Management (IAM), large companies are able to manage and enable bespoke access for their employees and partners across their networks. To ensure that things are executed properly, many companies are investing in a third-party IAM provider. These providers partner directly with CTOs, CIOs, and CISOs to securely implement identity processes across the board.

IT leaders typically work closely with the IAM provider, but do so in tandem with numerous other departments. As such, it can be tough to determine who’s ultimately responsible for effectively managing the company’s identity access overall.

I was keen to hear what my peers in the industry think about this, so I reached out to a few respected industry experts to hear their insights.

The scale and challenge of IAM

IT management is an art. Juggling numerous competing priorities from users across the world, today’s IT leaders have their work cut out for them. As many who work in this field recognize, if, each day, even a handful of those global users forget their passwords, it draws dedicated IT departments away from driving change. Instead of having the freedom to innovate creative solutions for complex challenges, they end up sinking time into password resets and backtracking identity errors.

Companies with an international presence face other challenges with identity, such as directory management, provisioning, and deprovisioning. According to Ralph Loura, CTO of Rodan + Fields, IAM is essential for this. In large companies, it’s common for more than one person to share the same name (or similar-sounding names). For him, it’s about connecting the right consumer to the right consultant – and taking the pain out of that access for the end user.

Unique organizations bring unique demands, something Christina Sullivan, VP of IT Services at City Year, can attest to. Given the number of users her team has to deal with, outsourcing IAM professionals is a no-brainer: “Currently, we have about 4,500 people. About 1,200 of those are staff members, and the rest are the AmeriCorps members that join us for a year,” she says. “As you can imagine, we have a particularly challenging time, two times a year, onboarding and offboarding people that are coming to serve with us.”

For busy professionals like Loura and Sullivan, time is everything. With the sheer volume of data to handle for so many diverse users, a third-party IAM service helps company leaders manage all of those identities, freeing them to spend that valuable time elsewhere.

The risk of mismanaging data

With tremendous potential for public backlash and reputational damage, data mismanagement should be a key concern for leaders today. While IAM providers may take the lead, it’s still up to the company leaders themselves to implement the processes correctly. Every partnership has certain roles involved, and in order for identity management to work effectively, each person has a job to do.

But even a single kink in that chain leaves room for data mismanagement, a problem for any organization trying to forge trust. According to Steve Callison, VP of Platform Services at Cardinal Health, their biggest concern is maintaining user trust. “We deal with patient data which has HIPAA regulations on top of it,” he says. “So, controlling that data and making sure we have the correct safeguards [in place] and we’re onboarding and offboarding appropriately, while allowing access, is a huge deal. And, while there are legal [risks] and penalties that go with it, probably the largest concern is our reputation if we don’t manage things correctly.”

It’s a no-brainer; one breach can deeply impact trust in businesses, and there’s more at stake than just data.

The bottom line

So, with those perspectives considered, who, then, is truly responsible for managing the identities associated with a company? Who takes ownership of that role?

“It’s never quite clear who owns something. It depends on where it’s coming from and where the demand is,” said Callison. Jaswinder Hayre, CISO of Dow Jones, believes that managing IAM is a collaboration of sorts: “At Dow Jones, we have more than one master to serve. When we take all of our identities and personalities and put them into broad buckets, I think each of those buckets we’ve identified masters for,” said Hayre. “There’s no one master to rule them all.”

Therefore, identity management is something all company leaders need to keep in mind, as there are many people and departments at play – developers and engineers, HR and legal teams, the list goes on. There’s too much to manage for one sole controller. Seeking the help of an experienced, reliable IAM provider will certainly make a lot of this collaborative work easier, reducing the risk of data mismanagement, and freeing up time for the people who need it most.