The table legs, the supports, the purpose... yes, like many before. Feel free to make it 5 or more! After the 11 Types of IAM Professionals (Satire), I thought I would set a slightly more serious tone.
1. Regulatory, Risk and Compliance
This covers every law, regulation or compliance aspect, from privacy to PCI, that your particular business is subject to. This is the threshold or minimum standard any organization should adhere to. Not a target, not an endpoint, a threshold. If you don't want audit and regulatory bodies driving your strategy, then get above this layer.
2. Security
This is doing it right: protecting the brand, customers, partners, employees and intellectual property, and covering fraud, disaster recovery, etc. It is the area over and above compliance that differentiates your business from another compliant one. Years ago I heard a CISO at an event say "I don't need to be secure, I only need to be more secure than they are", pointing to the CISO of the major competitor. There is some truth in that, as a percentage of cybercrime, like any crime, is opportunistic. How many companies, though, can truly say they are more secure than their competitors? I believe that collaboration in cybersecurity will return far more than competition.
3. Optimization
Recently I had an EVP of a very successful organization say the problem with cybersecurity is the lack of actionable strategy: it is just documents, a checklist, and then an "acceptance" view. In this, IAM is different, and perhaps that is why it usually has the most audit findings. How many organizations take weeks to set up a new employee's or contractor's access? How many people-hours does your organization spend doing access certifications? How long does it take for your business to get a certificate installed or a new application role created? How much are password changes, MFA, etc. costing you in lost revenue? How many people-hours are spent collecting evidence for an audit? I wish these metrics were more frequently used as KPIs for IAM maturity.
A recent discussion was with a company wanting a "cheap and dirty" provisioning system. The issue, however, was far bigger: they had regulatory issues for failing to remove access in a timely manner, and they laughed at the list of audit findings they were wading through, saying they only had a few weeks to get it working due to other commitments. So let's say your business onboards 200 contractors/new employees on average a year. If the average salary is $60,000, and it takes 1 week to get them set up, your revenue loss as an organization could be (200 x $60,000)/52 = $230,769 of lost revenue a year. Now add time spent doing certifications, and perhaps some other access requests and off-boarding, and you have a business case for doing it right. Of course, this won't cover a $1m a year project if that turns out to be your cost (unless money is no issue).
4. Strategic
You can hardly look at a digital device or traditional printed article without seeing something about the importance of digital strategy. Just read Nicholas Rossolillo's article on Motley Fool, "How businesses and you should invest in the digital transformation movement." The numbers in data collection, storage and digital growth are exponential, and few companies do not now consider digital strategy imperative for their future success. Billions are being spent on collecting data, marketing, building brand, building trust, providing faster turnaround on digital services, mobile apps, supply chains and connecting digitally directly with your customers. The foundation for the success of all this is built on identity and managing access. The business case is a bit different, depending on your industry; perhaps survival.
Has your security team spoken with your strategic team?