Nelson Cicchitto serves as the Chairman and CEO of Avatier Corporation where he oversees its overall corporate and product strategies.
If you’re outside of the IT function, should you care about identity and access management? It depends. Does your organization rely on the internet, email and sensitive, confidential data to do business? In those cases, you should at least have an understanding of the fundamentals.
Even if you only have limited time or interest to pursue the subject in depth, there are a few basic ideas every executive should learn before their next meeting with IT leaders at their organization. This guide will help you ask better questions and exercise better oversight.
Identity and Access Management for Executives: Know the Key Terms
Whether you are attending an IT strategy meeting or a standing governance meeting, it is helpful to have an understanding of a few key terms.
Identity Management. The processes, technologies and policies that serve to govern individual users in your company. Note that identity management covers actual human users and machine users (i.e., distinguishing between servers and other equipment).
Access Management. Closely linked to identity management, your access management program gives access to the right people at the right time. For example, a finance manager will need access to different systems and records than a sales representative. Access management also includes the processes required to remove access when it is no longer required.
Multifactor Authentication (MFA). Have you ever used a website or service that sent a unique code to your phone or email address when you attempted to log in? If so, you have already seen MFA in action. As an executive, you should guide your team on how widely to use MFA.
Single Sign-On (SSO). Asking your employees to continually memorize new usernames and passwords is asking for trouble. Your staff are likely to reuse the same password over and over again. That’s one reason why SSO technology, which allows users to securely access multiple platforms with one set of credentials, has taken off in popularity.
Principle of Least Privilege. Your employees should have only the access privileges they need to complete their jobs. For example, a sales executive does not need access to all of the company’s finance systems. By limiting access to what the specific job role requires, you reduce your IT security risk. Without keeping this principle in effect, you are effectively handing a digital skeleton key to everybody in your organization.
Identity and Access Management for Executives: Objectives and Metrics
The specific technical KPIs and metrics you use will depend on your organization, but the purpose of identity and access management objectives should be to reduce risk and increase productivity. One way to start conversations about this subject with your technology staff might be to set a goal to equip 95% of employees with SSO technology by the end of the year. If you find that employees are making mistakes with security, you might decide to set an employee training and awareness goal instead. For instance, 100% of employees will complete the company’s IT security refresh course in the next 12 months.
When it comes to identity and access management metrics, it is easy to get lost in a sea of data. Ask your IT managers to prepare a one-page dashboard highlighting the most significant risks along with progress made toward your annual goals.
Identity and Access Management for Executives: Resources, Training and Technology
As your organization increases in size and complexity, running an identity and access management program effectively becomes more difficult. When you meet with IT or review IT budgets, ask these questions about resources.
1. When launching new technology projects, how are user accounts being managed?
If this functionality is outsourced to a third party, ask about monitoring and reporting requirements. Blaming an IT security failure on a third party is not a good look, especially for an executive.
2. What training budget and professional development opportunities are provided to our IT security professionals?
The IT security landscape evolves quickly. If staff are not regularly submitting requests for learning plans, their skills may be getting rusty.
3. How reliant is our company on manual IT security administration?
Manual work activities, like logging password reset requests in a spreadsheet, will not cut it anymore. If your employees are spending hours each week updating passwords, consider looking for identity and access management software solutions that can automate these repetitive activities.
4. Do we have the resources to close audit gaps and related problems?
Capital One was recently fined $80 million for a 2019 data breach, and the U.S. government has also required the company to make significant improvements to its IT security. The government may not have investigated your company, but you might have reports or assessments from an audit or outside experts gathering virtual dust. Ask your IT managers if they have adequate resources to fix the root cause of security problems. For example, you may not have a reliable system to govern cloud computing user accounts. In that case, switching to a new access management solution could be a good idea.
Strategy and Leadership Are Still Vitally Important
Now that you know the fundamentals of identity and access management, you can delegate most of the details, especially if your company has IT security specialists on the payroll. As an executive, your role is to make time in your town hall presentations and leadership meetings for identity and access management. When staff sees that the executives promote effective identity and access management practices, they are more likely to pay attention.
In terms of strategy, help your IT leaders connect their identity and access management program back to the company’s direction. If your company is planning significant acquisitions, for example, IT needs to be part of the planning process. Otherwise, IT security will be scrambling to catch up.