IAM—Who’s Ultimately Responsible?

Mark Settle

It’s a familiar tale. HR wants to increase efficiency. Security needs to reduce the risk of a breach. Legal have their eye on safeguarding, and IT are swamped with reset requests. For modern businesses, a wide array of stakeholders have an interest in streamlining processes, protecting their people, knocking down the proverbial walls of the traditional office and freeing employees to do their best work – wherever they are. It’s something I’m passionate about as a CIO, and it asks us to think innovatively about how we can enable seamless productivity.

With Identity Access Management (IAM), large companies are able to manage and enable bespoke access for their employees and partners across their networks. To ensure that things are executed properly, many companies are investing in a third-party IAM provider. These providers partner directly with CTOs, CIOs, and CISOs to securely implement identity processes across the board.

IT leaders typically work closely with the IAM provider, but do so in tandem with numerous other departments. As such, it can be tough to determine who’s ultimately responsible for effectively managing the company’s identity access overall.

I was keen to hear what my peers in the industry think about this, so I reached out to a few respected industry experts to hear their insights.

The scale and challenge of IAM

IT management is an art. Juggling numerous competing priorities from users across the world, today’s IT leaders have their work cut out for them. As many who work in this field recognize, if, each day, even a handful of those global users forget their passwords, it draws dedicated IT departments away from driving change. Instead of having the freedom to innovate creative solutions for complex challenges, they end up sinking time into password resets and backtracking identity errors.

Companies with an international presence face other challenges with identity, such as directory management, provisioning, and deprovisioning. According to Ralph Loura, CTO of Rodan + Fields, IAM is essential for this. In large companies, it’s common for more than one person to share the same name (or similar-sounding names). For him, it’s about connecting the right consumer to the right consultant – and taking the pain out of that access for the end user.

Unique organizations bring unique demands, something Christina Sullivan, VP of IT Services at City Year, can attest to. Given the number of users her team has to deal with, outsourcing IAM professionals is a no-brainer: “Currently, we have about 4,500 people. About 1,200 of those are staff members, and the rest are the AmeriCorps members that join us for a year,” she says. “As you can imagine, we have a particularly challenging time, two times a year, onboarding and offboarding people that are coming to serve with us.”

For busy professionals like Loura and Sullivan, time is everything. With the sheer volume of data to handle for so many diverse users, a third-party IAM service helps company leaders manage all of those identities, freeing them to spend that valuable time elsewhere.

The risk of mismanaging data

With tremendous potential for public backlash and reputational damage, data mismanagement should be a key concern for leaders today. While IAM providers may take the lead, it’s still up to the company leaders themselves to implement the processes correctly. Every partnership has certain roles involved, and in order for identity management to work effectively, each person has a job to do.

But even a single kink in that chain leaves room for data mismanagement, a problem for any organization trying to forge trust. According to Steve Callison, VP of Platform Services at Cardinal Health, their biggest concern is maintaining user trust. “We deal with patient data which has HIPAA regulations on top of it,” he says. “So, controlling that data and making sure we have the correct safeguards [in place] and we’re onboarding and offboarding appropriately, while allowing access, is a huge deal. And, while there are legal [risks] and penalties that go with it, probably the largest concern is our reputation if we don’t manage things correctly.”

It’s a no-brainer; one breach can deeply impact trust in businesses, and there’s more at stake than just data.

The bottom line

So, with those perspectives considered, who, then, is truly responsible for managing the identities associated with a company? Who takes ownership of that role?

“It’s never quite clear who owns something. It depends on where it’s coming from and where the demand is,” said Callison. Jaswinder Hayre, CISO of Dow Jones, believes that managing IAM is a collaboration of sorts: “At Dow Jones, we have more than one master to serve. When we take all of our identities and personalities and put them into broad buckets, I think each of those buckets we’ve identified masters for,” said Hayre. “There’s no one master to rule them all.”

Therefore, identity management is something all company leaders need to keep in mind, as there are many people and departments at play – developers and engineers, HR and legal teams, the list goes on. There’s too much to manage for one sole controller. Seeking the help of an experienced, reliable IAM provider will certainly make a lot of this collaborative work easier, reducing the risk of data mismanagement, and freeing up time for the people who need it most.

Mark Settle is a seven-time CIO with broad business experience in information services, enterprise software, consumer products, high tech distribution, financial services and oil & gas. He has led IT organizations that supported the global operations of Fortune 500 companies; maintained the R&D infrastructure required for software product development; and hosted customer-facing delivery systems for commercial products and services. He has received multiple industry awards and is a three-time CIO 100 honoree.

Settle sits on the advisory boards of several Silicon Valley venture capital firms and pioneered the adoption of service management and cloud computing technologies within several large enterprises. He is the author of Truth from the Trenches: A Practical Guide to the Art of IT Management, which will be released in the fall of 2016. Settle’s formal training is in the Geological Sciences. He received his Bachelor’s and Master’s degrees from MIT and a PhD from Brown University. Settle is a former Air Force officer and NASA Program Scientist.