The Million Dollar Question

It’s Cybersecurity Awareness Month, but the thought that still keeps CISOs up at night is this: I’ve been throwing millions of dollars at identity and access management problems for over a decade. Why haven’t things improved?

That is the million-dollar question, isn’t it? Why haven’t things improved? Despite spending millions on identity governance and administration (IGA), access management, and privileged access management (PAM) software, you’re not seeing the expected improvements in security, efficiency, or user experience. Start by pinning down what improvement you expected and how you measure it; without that context, diagnosing the problem is difficult. The likely reasons fall into four areas. Three of them you have some control over (misaligned expectations, implementation and operational issues, and security and compliance risks); the fourth is outside your control but still has to be monitored and addressed.

Misalignment of Expectations and Solutions

  • Unclear Objectives: Are the goals of your IAM program well-defined? Are you aiming to reduce security risks, improve operational efficiency, or enhance compliance? If your objectives aren’t clearly articulated and measurable, it’s hard to determine if the software is achieving them. A lack of clear key performance indicators (KPIs) is a significant issue.
  • Misalignment with Business Needs: The IAM solutions might not fit your actual business processes or security requirements. For example, a joiner-mover-leaver workflow built around the corporate HR feed will not cover contractors, service accounts, or partner identities that arrive through other channels.
  • Inadequate Assessment of Current State: Before investing heavily in new IAM software, a thorough assessment of your existing processes, security posture, and user access patterns is essential. If the initial assessment wasn’t rigorous, the software might not address the core problems. For example, you might have fundamental issues with data governance, user provisioning, or access reviews that the software doesn’t directly address.
  • Poorly Defined Use Cases: The software might be the wrong tool for the job. Is the software designed to handle the specific types of access you need to manage (e.g., cloud-based applications, on-premises systems, legacy systems)? Is it suitable for the size and complexity of your organization? A one-size-fits-all approach may not be effective.
  • Lack of Integration: IAM software needs to integrate well with other systems. A fragmented approach, where different tools handle different aspects of access management and do not share identity data, leads to inconsistencies and inefficiencies. Without seamless integration, the software cannot give you a holistic view of who has access to what.

Implementation and Operational Issues

  • Inadequate Training and Support: Even the best IAM software requires a skilled team to implement and maintain it. Insufficient training for staff on how to use the software, and inadequate support, can lead to its misuse or misconfiguration.
  • Lack of Governance and Oversight: Effective IAM requires ongoing governance and oversight to ensure that access controls are properly managed and enforced. Consider: Do you have a clear access control policy in place? Are access requests properly vetted and approved? Are access rights regularly reviewed and updated?
  • Poor Configuration and Maintenance: Incorrectly configured roles, permissions, and access policies can undermine the security benefits of the software, and an incomplete implementation or poor integration with existing systems leads to inefficiencies. Even the best IAM software fails to deliver if it is not implemented and configured correctly, so regular audits and maintenance are crucial. Was the software implemented by experienced professionals? Was the configuration aligned with your specific needs and requirements? Were the necessary integrations with other systems and applications completed successfully?
  • Resistance to Change: Implementing new IAM software often requires changes to existing processes and workflows. If there’s resistance to change from users or departments, the software might not be deployed or used effectively.
  • Lack of Monitoring and Reporting: Without proper monitoring and reporting mechanisms, it’s difficult to assess the performance of the software and identify areas for improvement. If you don’t know what’s happening, you can’t fix it.
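The governance, configuration, and monitoring points above all come down to the same question: can you actually see who holds what access, whether it is used, and whether it is appropriate? The following is an added example (not code from the original post or from any IAM product) of a minimal access-review audit over a constructed entitlement export. It assumes a hypothetical flat export with one row per (user, role) grant plus a per-role permission list; the users, roles, permission names, and dates are all made up for illustration. It flags three things a periodic review should catch: grants not exercised within a stale window, roles carrying wildcard permissions, and separation-of-duties conflicts in a user's effective permissions.

```python
"""Minimal access-review audit over a constructed entitlement export.

Added example, not from the original post. Assumes a hypothetical export
schema (one row per user/role grant with last-used and granted dates); real
IGA tools export different shapes, so the loaders would differ.
"""
from datetime import date, timedelta

# Constructed sample data: hypothetical roles and the permissions they carry.
ROLES = {
    "finance-readonly": ["ledger:read"],
    "finance-approver": ["ledger:read", "payment:approve"],
    "payments-submitter": ["ledger:read", "payment:create"],
    "cloud-admin": ["*:*"],  # wildcard: everything on everything
}

# Constructed sample export: one row per grant. last_used is None when the
# grant has never been exercised since it was issued.
GRANTS = [
    {"user": "alice", "role": "finance-approver", "last_used": "2024-09-20", "granted": "2023-01-10"},
    {"user": "alice", "role": "payments-submitter", "last_used": "2024-09-18", "granted": "2024-06-01"},
    {"user": "bob", "role": "cloud-admin", "last_used": "2024-03-01", "granted": "2022-05-12"},
    {"user": "carol", "role": "finance-readonly", "last_used": None, "granted": "2024-02-14"},
    {"user": "dave", "role": "finance-readonly", "last_used": "2024-09-25", "granted": "2024-01-05"},
]

# Pairs of permissions one person should not hold together (constructed policy).
SOD_CONFLICTS = [("payment:create", "payment:approve")]

STALE_DAYS = 90
REVIEW_DATE = date(2024, 10, 1)  # fixed "as of" date so the review is reproducible


def _parse(d):
    return date.fromisoformat(d) if d else None


def stale_grants(grants=GRANTS, as_of=REVIEW_DATE, stale_days=STALE_DAYS):
    """Grants not exercised within stale_days.

    A never-used grant is measured from its grant date, so a role issued
    long ago and never touched is reported too.
    """
    cutoff = as_of - timedelta(days=stale_days)
    findings = []
    for g in grants:
        last_activity = _parse(g["last_used"]) or _parse(g["granted"])
        if last_activity < cutoff:
            findings.append((g["user"], g["role"]))
    return findings


def wildcard_grants(grants=GRANTS, roles=ROLES):
    """Grants whose role carries a wildcard permission (over-broad by construction)."""
    return [(g["user"], g["role"]) for g in grants
            if any("*" in p for p in roles[g["role"]])]


def effective_permissions(user, grants=GRANTS, roles=ROLES):
    """Union of permissions across all of a user's roles."""
    perms = set()
    for g in grants:
        if g["user"] == user:
            perms.update(roles[g["role"]])
    return perms


def sod_violations(grants=GRANTS, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Users whose combined roles give them both halves of a conflicting pair.

    Note: literal matching only; a real tool would expand wildcards such as
    "*:*" before checking, otherwise cloud-admin style roles hide conflicts.
    """
    findings = []
    for user in sorted({g["user"] for g in grants}):
        perms = effective_permissions(user, grants, roles)
        for a, b in conflicts:
            if a in perms and b in perms:
                findings.append((user, a, b))
    return findings


def review_report(grants=GRANTS, roles=ROLES, as_of=REVIEW_DATE):
    """Everything a reviewer needs to act on, grouped by finding type."""
    return {
        "stale": stale_grants(grants, as_of),
        "wildcard": wildcard_grants(grants, roles),
        "sod": sod_violations(grants, roles),
    }


if __name__ == "__main__":
    for kind, findings in review_report().items():
        print(f"{kind}: {findings}")
```

Each finding maps to a question from the list above: stale grants are the "regularly reviewed and updated" check, wildcard roles are the "incorrectly configured roles" check, and SoD violations are what an access-request approval step should have blocked. The fixed review date and the literal permission matching are simplifications; in practice the "as of" date is the run time and wildcards must be expanded against the real permission catalogue before the conflict check means anything.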

Security and Compliance Risks

  • Unintended Vulnerabilities: Even with high-quality IAM software, vulnerabilities can arise from incorrect configurations or improper use. This highlights the importance of rigorous testing and ongoing security monitoring.
  • Lack of Transparency and Accountability: Software vendors are not always transparent about their own security practices, which makes it difficult to make an informed decision about what you are trusting with your identity data. Internally, if nobody clearly owns the IAM program, there is little motivation or pressure to improve its security.
  • Overemphasis on Features and Functionality: It’s easy to get caught up in the latest and greatest features and functionality, but it’s essential to prioritize the basics. Ask yourself: Are you focusing on the core functionality that aligns with your business needs? Are you avoiding feature creep and unnecessary complexity? Are you regularly reviewing and adjusting your IAM strategy to ensure alignment with your business goals?
  • Compliance Gaps: The software might not fully address all relevant regulatory requirements. This could lead to compliance issues and penalties.
  • Inadequate Incident Response Planning: Even with robust IAM software, security incidents can still occur. Verify that your organization has a comprehensive incident response plan in place to quickly respond to and contain security incidents.
  • Data Breaches: Poor IAM practices (stale accounts, excessive privilege, shared or unmonitored credentials) significantly increase the risk of data breaches, so this is a critical issue that must be addressed proactively rather than after an incident.

External Factors

  • Rapid Technological Change: The IAM landscape is evolving rapidly. The software might not keep pace with new threats and vulnerabilities, and your needs may have changed. Is the software up to date with current security standards?
  • Vendor Support: It’s possible that the IAM software vendor is not providing adequate support or that the software is not the best fit for your organization’s needs. Consider re-evaluating your vendor selection and exploring alternative options.
  • Changing Business Requirements: If your business needs have evolved significantly since the software was implemented, it may not be meeting your current requirements.
  • Growing Number of Users and Devices: If your user base and device environment have significantly expanded, the IAM system may not be able to scale effectively.
  • Cybersecurity Talent Shortage: The shortage of skilled cybersecurity professionals can make it difficult to find and retain the talent needed to develop and maintain a secure IAM software stack.
