2020-02-02

11 Types of IAM Professionals (Satire)

Ok for a little Sunday Satire fun, I thought I would write a bit about the different personas in Identity and Access Management professionals. Like any persona, people can have more than one. Now with my tongue placed firmly in both cheeks.

1. Pious Privacy (compliance & risk)

With the ever-increasing list of best practices, standards bodies, professional accreditations, regulatory bodies, privacy regulations, events, workshops, labs, risk methodologies and research centers (and I am sure I could go on) comes an ever-increasing list of compliance requirements. Some of these are mandatory (SOX, PCI, GDPR), others are guidelines, and there is everything in between. Sorting through these to find differences and responding to their needs is a full-time job - ok let's make that plural - many full-time jobs... Taking a checkbox approach, PPs can have a limited view like "we determine what data should be classified as private and adhere to the privacy policy, we don't deal with how it's done". "Who is this Pam anyway?"
Where to find them - Very visible, this species is often seen staring over others' shoulders, frequently performing the bewildering dance of interpreting compliance requirements (2a/b function) or dictating what data is private in languages they often never learned to speak themselves. Each point is taken out of context and mapped in binary or to some scale, with little to no understanding of impact. Hours can be spent discussing the length and material of a piece of string.
Identification - Advisory only, except for checking others' work. Loves terms like "best practice, PII, least privilege, gap assessment, certification, PAM and RBAC". They talk "risk registry, privacy by design, awareness, risk planning and risk acceptance". Views IAM as a different practice to compliance and a pure cost and social responsibility. Tools of choice include spreadsheets, self-assessments, risk registries and large documents never read again. They view IAM as compliance.

2. Oblivious Operator

Someone has to do the work, I mean what would the PPs do otherwise? But it's probably boring and repetitive, and basic automation or AI will probably put all OOs out of a job at some point. In the meantime, we are getting great exposure to a rapidly developing industry and being paid slightly better than the average operator due to skills shortages in the industry. 3 months as a PAM admin and I can ask for a raise or jump ship to a senior position elsewhere.
Where to find them - Heads down in the trenches, on call. Will usually have a shovel in hand and be wearing a toolbelt. Except when they're filling out reports on what they have done for the PPs.
Identification - They talk about tickets, events, incidents, and changes, usually in large numbers like "I did 40 tickets today already", or "that batch had 200". Closely monitored on delivery and time usage, you can usually just ask where they are. They're likely on half the company's speed dial to get access issues resolved promptly. They talk process and procedure, not compliance, risk, and security. Views IAM as a never-ending ticket queue.

3. Magnetic Marketer

These people are driving the business and so are seen to "bring in the money", and their identity plan is called a strategic business strategy. Identity centric, their world revolves around the brand, trust, attributes, social media, communications, and direct relationships. Usually focused on Customer IAM or Partners, they seldom care about security or standards and usually view compliance as an obstacle.
Where to find them - Trendy coffee shops, patios, board rooms, events and working on building "relationships of trust". Always looking for the next hype cycle. Usually using something like Salesforce as the IAM tool of choice.
Identification - They talk about subscriber experience, stickiness, market development, break-out services, market share, cost of acquisition and market intelligence. They refer to groups as target audience, buyer personas, demographics. They talk trust, never security, and usually want more access for everyone. They view IAM as relationship building.

4. Ecclesiastic Executive

This must be one of the highest stress jobs right now, period. As the saying goes, "There are only two types of companies: Those that have been hacked and those that will be hacked." - Robert S. Mueller, III. Gerry gave a superb talk on "The Anatomy of a Successful PAM Strategy" from a user acceptance angle, but it perhaps applies even more to an executive in IAM earning $200k a year when a breach could cost the company $100's of millions.
Where to find them - Dealing with other executives that simply have no clue, dealing with regulators/audit, struggling to find skills and budget, or reading the riot act to some wayward group or support staff. At night they can be found chewing on their nails in restless beds, trying to ensure their strategy covers as much as it can as fast as it can.
Identification - Better dressed than most, they tend to have a haggard visage and, if you look closely, fear in their eyes while expounding the virtues of IAM loudly to any and all that will listen. Often returning from some other meeting with seemingly bizarre new requirements. Their team rally cry is frequent and loud as they apply stick and carrot to all. Views IAM as a political quagmire. They view IAM as a career step.

5. Vapourous Vendor

Nothing else can stick closer or vanish faster. They focus on features and usually have little to no understanding of process or procedure. Usually a "because you can" vs "because you need" approach. For this reason, they are often seen with executives and engineers. Have an uncanny ability to change opinions with their business card.
Where to find them - Events, restaurants, executive offices, hotels, airports, workshops, meeting rooms.
Identification - These are usually the best dressed of all, with expensive accessories. They say things like "...do I have a product for you...", "unlike our competitor...", "...is scheduled for the next release", "of course our system can...", "we support the open standard of..." or "all you need is a widget here" and "we did this for hundreds of customers". They view IAM as a meal ticket.

6. Einsteinian Engineer

It works, I don't care how you operate it... Architects and engineers love standards, interfaces and many, many VVs. It's not so much whether it is needed as whether it's cool. I mean, who wants to do something that's been done before? I have a better idea. The focus is usually on making it work, not on solving a problem.
Where to find them - These folks usually know little about security, security operations or compliance, but a boatload about product features and standards. If they're not attending a VV pitch, they can usually be found in the lab playing with "next-generation" stuff.
Identification - Usually the one saying "...well, if the vendor only followed the standard properly it would work", "I don't care how you enter the required data, the system starts from here" or "You never gave us the requirement that you would want to log in; if you need access you will need to do that yourself". They view IAM as a hugely complex yet simple set of widgets.

7. Pedantic Program Manager

These are the people credited most often with delivery and finance. Hugely skilled with spreadsheets and projects, they're usually able to spin anything in a number of different ways. Financial savings and delivery focused, even if the deliverable is meaningless.
Where to find them - If they're not revising the project plan, they're either planning, following up or reporting on status. Excellent specimens can occasionally be seen shoving large chain pizza boxes under the door for the starving project team late in the evening.
Identification - Usually the one speaking of "scope", "resources" or "budget". If left unsupervised, can descope all security aspects out of the project in favor of delivery. They view IAM as just another project to deliver.

8. Adherent Auditor

Filling a very important 3a/b function, auditors should never be left out of the IAM role, yet they also tend to focus more on security, controls and IAM functions in these areas than on business capabilities and subscriber management. Like lawyers, AAs will approve a system of great inefficiencies, e.g. emails being printed and delivered by hand, so long as it is done securely and does not contravene a control standard, yet will argue for hours on the wording of any such control.
Where to find them - Periodic flocks of audits, or seen all year in little to no apparent pattern or season. They're usually spotted with PPs and OOs, asking for terabytes of evidence that they usually already have access to.
Identification - Serious in nature and usually concerned about their reception, AAs need love, and a finding. So give them a hug, gently point out and explain a gap in your controls, and most will respond well. They view IAM as an opportunity to give an audit finding when no-one else claims it.

9. Baffled Business

Often forgotten in the laser-like focus of the others, the business just wants to get things done. Of course, the other parties can make things very painful, and they're usually somewhat aware of the need for security and compliance. But why can someone apply for and be given a mortgage for $3m in 3 hours, and yet it takes a week to get access to a system I need for work? It costs a fortune having people wait for access.
Where to find them - Usually avoiding all the others on this list as much as they dare, unless it's urgent, or reading the incredibly complex instructions about access requests - I think I should just ask for root for everyone, then we don't have to do this again. "What is root anyway, and why am I attesting to my staff needing it, don't they know?"
Identification - Frustrated and inclined to say things like "all I am trying to do is get Bob access to this data (which he needs for his job), why is this such a big thing? It's worked like this for years and now you change it to something incomprehensible". They view IAM as a necessary evil.

10. Dour Defender

Security first, always first. Most notable about this breed is that they tend to chase the most unlikely scenarios. Like if the sun shines at a 35% angle at midnight in an equatorial rain forest, a tropical fish walking on Bay Street could intercept signals. The dark web is like a vintage flea market to them, browsed on weekends. Kali is their goddess.
Where to find them - Designing 500-field request forms, pushing for 50-character passwords (changed daily), wanting photo ID to change your password, or calculating how to shut down all signals on Bay Street. Others can be found testing their neighbor's wifi security, or yours. There are usually some on trial or in jail.
Identification - They talk of colored teams, red/blue/purple/pink. They tend to refer to people as hats (black, white, grey). Usually pictured with their hoody up and face in the darkness, scanning "Matrix-like" terminal sessions.

11. Indefatigable IAMer

Very rare, these are the people that have passion, and with that passion a true desire to learn, develop and grow. Collect them, trade them and educate them. I mean, we can't always promote inside our teams, and these deserve to be fast-tracked.
Where to find them - As the rarest of breeds, they can be difficult to spot, but it's usually in the quality of their work and the fact that they're often seen first thing in the morning and/or late at night. Often volunteering for projects or eating lunch while reading a manual, white paper or blog.
Identification - If there is one clear sign that sets this breed apart, it's that they have a sense of urgency and a desire for continuous improvement. They love to learn but focus on practical experience over academic discourse. They view IAM as a secure way to improve digital services.

Well, I hope everyone had as much fun reading this as I had writing it. I was once tasked with finding over 40 IAM team members in 6 months for a new organization, averaging 5-10 interviews a week while orientating and onboarding the new hires. The skills gap in the industry and the lack of diversity are a huge concern. More of a concern were the responses and different viewpoints on IAM I got during these interviews.