Data is power. Still, most people tend to think that it’s the IT department that needs to handle the company’s personal data. The truth is that modern-day digital identity management has very little to do with IT and everything to do with good governance.
Organizations these days have to manage massive amounts of personal data. When the amount of data and the number of records grow, you need some system to handle it, whether it’s data about employees, partners, vendors or customers.
Did somebody say ‘system’? That sounds like a task for the technology department! Sure, we need IT to maintain systems and handle all the technical issues. However, the key to proper identity management is not in the data center.
Trauma brings perspective
I’ve heard about a company that hired a new chief executive some years ago. Her previous employer had been the victim of a cyber-attack. In this new company, she asked the question in every executive meeting: "What’s happening in the Identity and Access Management area?" If there were any concerns, the executive team was made instantly aware of them.
According to Gartner, it makes no difference who owns digital identity and Identity and Access Management (IAM) in an organization, as long as the owner is part of the leadership circle. Promoting awareness and ownership of this area in the boardroom also makes a lot of sense because it’s a C-suite member who will have to face the media if something goes wrong. You rarely see IT support or the technology vendor interviewed when confidential data is tampered with or a harmful breach occurs.
The challenge is that the topic of digital identities still seems quite vague and unsexy to many C-suite professionals. Luckily, taking care of IAM isn’t as hard as it might seem. Nixu has had a few client companies that have handled digital identities quite nicely.
An IAM solution out of the box
One of our clients handled 15,000 personal data records and was planning to extend their digital services. Their executive team was discussing how to manage identity and access in their growing organization. The CEO was convinced that they needed someone in the executive group to take charge of the IAM issues.
“Any volunteers?” the CEO asked, and silence fell over the meeting room. All the executives were busy and didn’t feel passionate about IAM. “Okay then, no problem,” the CEO said. “We’ll start in alphabetical order!”
The first executive team member took charge of IAM for the first year. After that, the second one in alphabetical order took over for the next year, and so on. The person in charge didn’t necessarily need to know IAM in great detail. In practice, the C-suite member responsible for this field in any given year took ownership and guaranteed that IAM would have enough resources and the capability to flourish.
Executives might not always feel that IAM, like many IT disciplines, is their core strength, and this can lead them to avoid the subject. In such cases, it can be more effective to frame the topic in terms of business strategy. A strong IAM team can improve a company’s digital processes and security to create a competitive edge and, ultimately, revenue. For more on this topic, check out Nixu’s whitepaper on the ROI of cybersecurity.
The key to good governance, leadership, and cybersecurity
Good governance in IAM means the organization knows what types of access rights are given out, to whom, and what can be done with a specific account type. Access rights change over the lifecycle of a digital identity, for example when a customer relationship, employment, or partnership ends. The organization needs a clear picture of what happens when roles change: who grants access, which access rights are gained, and which are removed. When all this runs smoothly, nobody even notices it.
Routines and clear responsibilities – that’s what good governance, leadership, and cybersecurity come down to. Simple, isn’t it?