Skip to main content

Having an Identity Crisis? CISO’s Need to Own IAM

May 25, 2017

Within any company, we can find owners for every key function throughout the enterprise. If we ask, “who is in charge of human resources?” we know the name of the SVP or director of human resources will surface. If we ask, “who ultimately owns the uptime of our technology infrastructure?” our chief technology officer will raise her hand. If we want to know the strategic plan for product development, we can clearly articulate the rings of the organizational tree that represent every single leadership role supporting this function. Certainly, we know that the threat environment has changed at such a fundamental level that a chief information security officer now definitively owns information security. Which brings us to a rather strange and dangerous conundrum.

IAM Blog

If someone today asked you who owns identity in your company, what would be your answer?

This simple question is the query that starts us on a path of complexities that are real and manufactured. This simple question, when answered and resolved, sends us on a trajectory of improved operations, a reduction in operating expenses and a stronger security foundation. When answered, identity and access management becomes faster, cheaper and safer. Yet, it is the asking of this question and the search for the answer that shines the light on this conundrum.

Everybody owns identity. And when everybody owns a function, nobody owns it.

Before delving into the question further, take a moment to think about every other critical security function in your organization. Can you imagine how effective your perimeter security, security event monitoring, threat analytics and intelligence, penetration testing or data loss protection efforts would be if ownership for the core fundamentals of that function were spread across a dozen owners? How safe would your company be if one of those owners unilaterally made a decision to open a public facing port on your network without following any processes or providing any notification?

Yet, when it comes to identity, every day a manager in the line or in an HR function makes a conscious decision to backdate an employee termination that occurred four weeks ago. The employee’s manager forgot or was on vacation, and suddenly a unilateral decision due to a failed process and a failed series of controls leads to a former employee having persistent access to your network and applications for a month after being terminated. Distributed ownership of the pieces of identity results in major holes in your security program.

Many companies are beginning to acknowledge and recognize the causes of these fundamental weaknesses. For example, the help desk owning the administration access function for Windows credentials while HR owns the job description and possibly the job role definition causes this weakness. An outsourced security company owning physical access credentials while a payroll function owns the employee’s place of work and place of domicile addresses causes this weakness. An application developer embedding another employee’s access credentials into a line of code or the inability to distinguish an FTE from a contractor causes this weakness.

Chief information security officers and the companies they protect now realize this distribution of ownership drives the reality that IAM efforts do not result in the outcomes they need.  In fact, 63 percent of breaches are still driven by the misappropriation of account credentials. CISOs understand that the simple summing up of application and OS accounts under a master account does not equal identity. In order to build a security program on a bedrock foundation, CISOs realize that the security function must set the rules, policies, procedures and standards for all key aspects of the user identity within a company. And it isn’t just employees. Every individual that has a relationship with your company is no longer an outsider. The fact that they have a relationship with you makes them an insider; whether customer, supplier, outsource provider or food service company.

The time to take control of all of the levers of identity to drive a next generation identity and access management control function is now. Are you ready to take that step? The success of your security program depends on it.

    Richard Bird

By: Richard Bird

Executive Director, Executive Advisory - Office of the CISO

See More

Related Blogs

May 30, 2018

Phishing - The Rest of the Story

Receiving an email lure designed to trick you into clicking a phishing link and then logging into a fake website has become a common threat. In this b...

See Details

May 25, 2017

Having an Identity Crisis? CISO’s Need to Own IAM

Within any company, we can find owners for every key function throughout the enterprise. If we ask, “who is in charge of human resources?” we know the...

See Details

April 22, 2013

Creative Destruction: The Case for Identity & Access Management

Sixty years ago, Austrian economist Joseph Schumpeter adapted some of Karl Marx’s analysis of capitalistic systems and developed the so-called ‘Creati...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

January 24, 2018

Identity and Access Management Capabilities

We can help enable your business while reducing risk.

See Details

January 26, 2018

Identity and Access Management Solutions

We help you minimize risk and maximize efficiency with our IAM solutions.

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.