Executive Director, Executive Solutions, Office of the CISO
Mark Modisette is a veteran information assurance and security executive with more than 20 years of experience in industry sectors including health care, technology, government, utilities and banking. As executive director, executive solutions in the Office of the CISO at Optiv, Modisette draws on that experience to help develop cyber security strategy and roadmaps and to solve unique security-related issues while aligning them with operational and strategic business objectives.
Tales from the Trenches: How a Simple Helpdesk Fix Led to IAM
Still on the fence about implementing Identity and Access Management (IAM)? The more you read, the bigger it gets. It’s complicated. It’s involved. It’s labor intensive. You may have to shelve things you already have and add new things. It’s… daunting.
As a former CISO, I get it. But stay with me a minute.
Did you know that, on average, employees who have been with your organization for two years or more may hold roughly double the access they actually need to do their jobs? The implications of this are (there’s that word again) daunting.
Did you know IAM can save an organization money (mileage may vary)? How often can we say a security project will save money without spinning your CFO a tale of fear?
Since I think I now have your attention, here are a few tips on selling your IAM implementation project to just about any C-level executive and on illustrating why IAM matters.
Start with a Smaller Project: Save Money and Get a Quick Win.
Have a helpdesk? How many password reset calls does it take? “Forrester has spoken with several large US-based organizations in different verticals that allocate over $1 million annually just for password-related support costs (mostly in staffing and infrastructure expenses).” Why not automate it? Many self-service password reset solutions make this capability easy to implement, and you could start redistributing helpdesk staff to other work.
Once Validated There, Cautiously Look at IAM.
Be careful. Earlier in my career, as a young CISO, I was attempting to build an ROI justification for implementing the expensive IAM software my predecessor had invested in. My initial approach was flawed because I tried to sell implementation of all the bells and whistles the IAM package had to offer. All I needed was some professional services to set it up, which sounded deceptively easy. My plan failed because I went out too big, trying to do everything at once, likely distracted by the “shiny” features of the IAM package. I went back to the drawing board, deconstructed the IAM project and looked at the overall business strategy for alignment opportunities with other initiatives. One of the corporate initiatives was to integrate an acquired company’s legacy systems into our data center. Based on current statistics and numbers from the system managers, I estimated a 62 percent increase in helpdesk tickets. But there were no plans to hire new people to take care of the extra load, so doing business smarter was the only option. I gathered data, crunched numbers and went in to see my CIO. The data was undeniable: the cost savings outweighed the cost of implementing the password reset capability. Another, slightly larger victory in my slow climb to full IAM.
My next challenge was to build a case for implementing the next “chunk” of work in my IAM project: provisioning and de-provisioning for key applications and domain access. I had one successful project under my belt, and I was conservative in my forecast of time and cost savings. I needed a way to illustrate the issue we were seeing. I decided to document the access rights accrual of a typical employee, whom I will call “John.” I worked with my team to conduct research and develop a graph, and I was indeed able to show in one clean graph that what I thought was happening was actually the case.
The graph below shows that most of John’s access was within policy. But after his promotion and a reorg, John’s access was breaking policy. I was able to walk my CIO through a substantial risk that we needed to address. The unnerving part of the story was how the access lingered after John left the company. I combined this chart with the numbers of people who had changed roles and people who had left the company in the previous six months. Without assigning a significant number of people from my team to manage this risk manually, I would not be able to address the issue, unless I could assign a fraction of those same resources to operate an IAM solution designed to provision and de-provision employees. My pitch was a success.
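The “John graph” is easy to reproduce from two data sets most organizations already have: HR role history (hire, role changes, termination) and the list of entitlements each account holds. The script below is an added example written for this page, not code from the original post or from Optiv; the role-to-entitlement policy, the group names and John’s dates are all constructed, and no revocations are recorded because, as in the story, nothing was ever taken away. For each checkpoint date it classifies every entitlement as in policy, out of policy (accrued through a promotion or reorg) or orphaned (still live after termination), and it rolls the same check up across a population so the numbers for the pitch fall out directly.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Role-to-entitlement policy. Constructed for this example; a real one comes from
# your role model or the group descriptions in your directory.
POLICY: Dict[str, Set[str]] = {
    "helpdesk_analyst": {"AD-Domain-Users", "ServiceDesk-Agent"},
    "sysadmin":         {"AD-Domain-Users", "ServiceDesk-Agent", "AD-Server-Admins"},
    "it_manager":       {"AD-Domain-Users", "Finance-Reporting"},
}

@dataclass
class Employee:
    user: str
    hired: date
    roles: List[Tuple[date, str]]   # (effective date, role) as recorded by HR
    grants: Dict[str, date]         # entitlement -> date granted; no revocations in this data
    terminated: Optional[date] = None

def role_on(emp: Employee, day: date) -> Optional[str]:
    """Role the employee held on `day`, or None before hire / on or after termination."""
    if day < emp.hired or (emp.terminated is not None and day >= emp.terminated):
        return None
    current = None
    for effective, role in sorted(emp.roles):
        if effective <= day:
            current = role
    return current

def audit(emp: Employee, as_of: date) -> Dict[str, Set[str]]:
    """Classify each entitlement held on `as_of` as in policy, out of policy, or orphaned."""
    held = {e for e, granted in emp.grants.items() if granted <= as_of}
    role = role_on(emp, as_of)
    if role is None:
        # No active role: everything that survived is lingering access.
        return {"in_policy": set(), "out_of_policy": set(), "orphaned": held}
    allowed = POLICY.get(role, set())
    return {"in_policy": held & allowed, "out_of_policy": held - allowed, "orphaned": set()}

def accrual_timeline(emp: Employee, checkpoints: List[date]) -> List[Tuple[date, int, int]]:
    """Points for the graph: (date, entitlements held, entitlements outside policy)."""
    rows = []
    for day in checkpoints:
        a = audit(emp, day)
        held = len(a["in_policy"]) + len(a["out_of_policy"]) + len(a["orphaned"])
        rows.append((day, held, len(a["out_of_policy"]) + len(a["orphaned"])))
    return rows

def summarize(population: List[Employee], as_of: date) -> Dict[str, int]:
    """Population-level counts for the pitch: excess access and live access after departure."""
    excess = sum(1 for e in population if audit(e, as_of)["out_of_policy"])
    orphaned = sum(1 for e in population if audit(e, as_of)["orphaned"])
    return {"users_with_excess_access": excess, "terminated_users_with_live_access": orphaned}

# Constructed sample data modelled on the post's "John": hired to the helpdesk, promoted
# to sysadmin, moved into management in a reorg, then left. Grants were never revoked.
JOHN = Employee(
    user="john",
    hired=date(2014, 1, 6),
    roles=[(date(2014, 1, 6), "helpdesk_analyst"),
           (date(2015, 3, 2), "sysadmin"),
           (date(2016, 6, 1), "it_manager")],
    grants={"AD-Domain-Users": date(2014, 1, 6),
            "ServiceDesk-Agent": date(2014, 1, 7),
            "AD-Server-Admins": date(2015, 3, 3),
            "Finance-Reporting": date(2016, 6, 2)},
    terminated=date(2017, 2, 28),
)
JANE = Employee(  # constructed control case: still employed, still within policy
    user="jane",
    hired=date(2016, 9, 1),
    roles=[(date(2016, 9, 1), "helpdesk_analyst")],
    grants={"AD-Domain-Users": date(2016, 9, 1), "ServiceDesk-Agent": date(2016, 9, 1)},
)
POPULATION = [JOHN, JANE]

if __name__ == "__main__":
    checkpoints = [date(2014, 6, 1), date(2015, 6, 1), date(2016, 9, 1), date(2017, 6, 1)]
    for day, held, outside in accrual_timeline(JOHN, checkpoints):
        print(f"{day}  held={held}  outside_policy={outside}")
    print(summarize(POPULATION, date(2017, 6, 1)))
```

Run against real exports, the `summarize` numbers are the two figures the pitch needs: how many current staff carry entitlements their role does not justify, and how many departed users still have live access. Feeding the same population into `accrual_timeline` at monthly checkpoints gives the curve for a whole cohort rather than one person.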
In retrospect, I was lucky to have worked for a CIO who listened, who recognized the importance of security and was ready to hear the real-life nightmare and act on it. We aren’t always that fortunate, and sometimes we need to finesse a way to get our point across. The smaller, quick win I had with the self-service password reset project set me up for the next conversation. Was the conversation about “lingering access” easy? Nope! But the data and the existing issue my team helped me uncover got our organization the provisioning it needed, reduced risk and didn’t break the bank.
IAM implementation starts with small steps that reveal other weaknesses requiring action. Corporate buy-in on one small project can lead to buy-in on larger future ones, and perhaps on IAM implementation as a whole.