Top 5 Identity Management Considerations for CISO / CIO and IT Directors

Apr 9, 2019

Important Elements Of Implementing An Identity Management Strategy

In this article, I outline my top areas of consideration for senior IT managers and the CISO / CIO deciding on investments in Identity Management (IdM). I work on the consultant side of the field, so I’m on the front lines designing, implementing, and managing IDM projects. On my assignments I typically meet with a CISO / CIO only a couple of times a year, but I work daily with the people who talk to the CISO / CIO team weekly, so I know what transpires in those conversations.

I put together my top 5 list of the big things that will likely arise in your Identity Management projects.

Five Important Considerations In Identity Management For CISO/CIO Directors

1. You Need IDM Expertise
This stuff is hard, and it’s not the programming part that is hard. I often feel like I’m taking a break when I get to sit down and write a couple of hundred lines of code. The hard part is being the translator: I need to understand the identity management business process at your organization. Think about that. Do you know everything that happens when a new user starts? You probably know 90% of what happens, but with IDM we are handling the onboarding and terminations of your entire organization, so that 10% matters. Although I’ve worked on SailPoint and MicroFocus Identity Management projects for the last five years, I still learn something new about the products daily. One year of hands-on experience is the minimum before someone is capable of making solid implementation decisions.

2. Time and Money
Best case, your project is going to take more time and money than you initially estimated. In general, humans are good at overestimating what they can accomplish in the short term and underestimating what they can achieve in the long run. So the numbers and figures you thought were on point are wrong; it takes longer. Again, the time won’t go to the programming or implementation; it goes to translating the business requirements. The problem here is the amount of tribal knowledge involved and the number of people involved in your existing identity management processes. A likely scenario: the project goes live with logic that generates 12-character usernames, then one week in, the SAP team wakes up and says, “hey, in SAP users can only have ten characters in their name.” At GCA, we offer fixed-price engagements if you want to mitigate this risk.

3. Your User Community Will Resist
I’ve seen an entire million-dollar project thrown out the window because of how the software would look to end users. Not a million-dollar sales presentation, but a company that was that much money in before calling it off. I recommend that the team you put in charge of managing the project develop a one-to-two-month communication plan for the business at large. The most useful thing I’ve seen was when we held 6 or 7 webinars with about 100 managers in attendance each; I gave an overview of all the new functionality and took questions. It was to the point and got everyone informed.

4. In-House Solutions – NOT Recommended
I like how our CTO, Robert Ivey, handles this question with a question of his own: “Are you in the business of developing IDM solutions?” It gets right to the point. Whom are you going to trust: a small team of your own programmers to develop a long-term sustainable solution, or the multibillion-dollar companies that have teams of architects dedicated to developing the products? For example, one company I worked with had a homegrown solution, and every time users logged into their web portal, their passwords were sent over plain HTTP. With a quick install of SharkScope, you could capture credentials for anyone in the company.

5. IDM is Here to Stay
I asked one of my co-workers where he saw IDM going in 5 to 10 years, and whether it would be commoditized the way Access Management has been. His response was basically no. Access Management is commoditized because it is simple: its goal is primarily for users to click as few buttons as possible to get into the sites they need to do their job. You won’t have a business unit come out and say, “hey, why does it take two clicks to get into my app? It’s supposed to take three!” However, if you send the wrong capitalization of an attribute to their app when provisioning a user, they tell you immediately. So, unless there is some new revolution in IT security management and both applications and business units reach the utopia of standardized practices, IDM will be here to stay.