None of the executives wanted to handle digital identities, so this CEO decided to do something different


Heikki Numminen

Lead Consultant, Digital Identity

September 23, 2019 at 13:29

We all know data is power. Still, most people think that it’s IT that needs to handle the company’s personal data. The truth is: modern-day digital identity management has very little to do with IT and everything to do with good governance.

Organizations these days have to manage massive amounts of personal data. When the number of data records grows, you need a system to handle it, whether it’s data about employees, partners, vendors or customers.

Did somebody say ‘systems’? That sounds like a task for the technology department! Sure, we need IT to maintain systems and handle all the technical issues, but the key to proper identity management lies somewhere other than the data center.

Trauma brings perspective

I’ve heard about a company that hired a new CEO some years ago. Her previous employer had been a victim of a cyber-attack. In this new company, in every executive meeting she asks: what’s happening in the identity and access management area? If there are any concerns, the executive team is instantly aware.

According to Gartner, it makes no difference who owns digital identity, also called IAM, in an organization, as long as the owner is part of the leadership circle. It’s a C-suite member who has to explain to the media why an employee was able to tamper with confidential company data, or why a breach caused so much damage. It’s always the boss who is interviewed, not IT support or the technology vendor.

The topic of digital identities still seems quite vague and unsexy to the C-suite. Luckily, taking care of IAM isn’t as hard as it might seem. Nixu has had a few customer companies who have handled digital identities quite nicely.

An IAM solution out of the box

One of our customers handled 15,000 personal data records and was planning to extend their digital services further. Their executive team was discussing how to manage identity and access in their growing organization. The CEO was convinced that they needed one responsible person to take charge of the IAM issues.


“Any volunteers?” the CEO asked, and silence fell over the meeting room. The executive men and women were busy and didn’t feel passionate about IAM. “Okay then, no problem,” the CEO said. “We’ll start with the first one in alphabetical order!”

So, the first executive team member in the alphabet took charge of IAM – for the first year. After that, the second one in the alphabet continued for the next year, and so on. The person in charge didn’t necessarily need to know IAM details. In practice, the responsible C-suite member took ownership and guaranteed that IAM had enough resources and the capability to flourish.

The key to good governance, leadership, and cybersecurity

Good governance in IAM means that the organization knows what types of access rights are given out, to whom, and what can be done with a specific account type. Different rights come into play at different points in the digital identity lifecycle, such as when a customer relationship, employment, or partnership is ending. There must be a clear understanding of what happens when roles change: who grants access, which access rights are gained, and which are removed. When all this runs smoothly, nobody even notices it.

Routines and clear responsibilities – that’s what good governance, leadership, and cybersecurity come down to. Simple, isn’t it?
