Dear Board of Directors, It’s Time to Do the Right Thing and Elevate IAM



I talk with IT executives regularly and have noticed a concerning trend across industries. While the threat of a data breach looms large on the horizon, IT leaders consistently address that threat with a "wall building" focus. Certainly, protecting resources from unlawful entry is necessary and valuable, but what about the threat from within? According to the Verizon Data Breach Incident Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords. Yet far too many IT leaders ignore the identity problem in favor of building a better "wall." It is time to focus on identity and access management (IAM).


Right away, some of you bristled at the mention of IAM, and I don't blame you. According to the Ponemon Institute, 74% of organizations believe implementing IAM is too difficult. It feels safer to keep investing in traditional perimeter mitigation strategies rather than take on what could be a significant investment of time and resources for your organization. But, as my good friend Clark Griswold from National Lampoon's Vacation found, plugging the Hoover Dam with bubble gum isn't a sound prevention strategy.


The reality today is that your organization has been breached. You may or may not know it yet, but make no mistake: those who wish harm to your organization have found ways inside. It may take the form of malware, phishing attacks, denial of service attacks or accidental web exposure. Even more alarming is the insider theft threat. The SailPoint Market Pulse Survey (2016) found that one in five employees would sell their work password! Well-managed identity solutions don't remove these realities, but they do offer a mitigation of the exposure and a way to move forward with confidence.


So, how do you shift a traditional "wall" focused organization to making a well-managed identity program your primary objective in 2018? Here are three things every IT leader should be discussing with their executives and board right now:


  1. Assume your organization has been breached and attackers still have access
  2. Adopt a zero-trust model
  3. Ensure identities that would allow lateral movement within the organization are secured, including OEM accounts, aged accounts, and privileged accounts with stronger controls


Ironically, nearly all organizations that weather a data breach then allocate valuable dollars and resources to tightening up their identity processes and tools. The better approach is to make the time and investments now, before your customer data, competitive advantage or confidential information is lost. Stay away from the latest shiny object and get back to the basics: access control, user lifecycle and access governance should be your highest priority.


Teddy Roosevelt once said, "In any situation, the best thing you can do is the right thing; the next best thing you can do is the wrong thing; the worst thing you can do is nothing."

Mitch Powers
Senior Security Consultant, Identity and Access Management
Mitch Powers is a senior security consultant in Optiv's identity and access management practice. In this role he is focused on addressing identity-related security challenges for customers across North America through strategic assessments, deployment planning, and direct customer delivery engagements.