Digital transformation initiatives demand new ways of handling user interaction with data—from zero-trust implementation to cloud migration and beyond. Identity forms the core of these initiatives and, together with access control, enables data protection across the enterprise.
An identity and access management program is key to an organization’s future cybersecurity initiatives. But most organizations have a long way to go—only 16% have a mature IAM program due to a few common obstacles. If your IAM program is, like many, still stuck in the beginning phases, here are common hurdles our experts encounter among our clients—and how to get your IAM program moving again.
Fear of impact on workflows
The changes that come with implementing an IAM program impact how people across the company do their jobs, so it’s natural that people will resist the idea of change. Addressing their concerns is as important for the modernization effort as addressing stakeholder requirements is for architecture and design. The key is to give users and technical folks alike the confidence that the transition will lead to a positive outcome.
Provide a forum for the objectors to voice their concerns to the security team and enlist a security champion from the team to speak directly to those concerns. Users may need assurance that the solution will streamline the login process and not add unnecessary steps, while technical folks may want to ensure deployment does not require extra overhead for both deployment and administrative sustainment. This is also a good time to explain any productivity benefits the new program offers, such as automated provisioning and de-provisioning, automated password resets, and a more effective access request process.
When widespread buy-in to the IAM program is a challenge, a pilot IAM implementation can greatly increase support. Target key areas that can generate quick wins for the program and demonstrate the effectiveness of the IAM solution. This will help break down barriers to overall enterprise adoption of the solution.
The organizations we work with typically already have some elements of IAM and are looking for products to enhance their capabilities. New products need to be able to communicate and integrate with what the organization already has. But what if not all existing applications can support the new IAM product?
Old or otherwise incompatible technologies are a problem most organizations will face. In recent Converge/Ponemon research into organizations that have adopted zero trust, the continued use of legacy technologies was the top obstacle to zero-trust implementation.
All your applications won’t be compatible, but that doesn’t have to hold up your IAM program. Instead, address this in a way that makes sense for your organization. Identifying your high-risk areas is a good place to start, so you can focus on getting those up to speed first. Make a policy for where to document less secure applications and how often to review them. Have departments that aren’t yet compatible manually perform some of the recordkeeping, documentation, or processes and make a plan for a replacement program to roll out in a reasonable time frame.
In addition, some IAM solutions integrate with legacy applications better than others. If your legacy applications are mission-critical and are likely to be in place for years to come, select an IAM solution that will more easily integrate with these applications. Flexibility in your IAM solution can be a crucial component when integrating with business-critical applications and moving your IAM program forward.
The saying “Don’t let the perfect be the enemy of the good” is as apt for planning a cybersecurity project as anything else. Too often, organizations are held up by a desire to have the ideaI IAM program. This is an unrealistic expectation that blocks anything less than perfect from getting off the ground.
One organization was held up from getting budget for an IAM solution because of incompatible technologies in some areas of the company. Management was unwilling to fund a new solution if it didn’t solve IAM across the organization. It finally took a major security incident to get budget—an incident that may have been avoided had there been some sort of IAM program in place, even one still evolving.
Accept that your IAM program won’t be flawless from the very beginning, and let your message to those around you be “progress, not perfection.” In addition, take a risk management approach to ensure risk reduction is at the forefront of the overall initiative. Understanding the threat landscape and executing risk reduction activities will allow you to demonstrate risk reduction in hard numbers and satisfy the program’s requirements. For example, the risk associated with IAM will be reduced by 40% by executing activities A, B, and C.
Lack of budget
In the end, everything still comes down to cost. To implement an IAM program, an organization will need the right technologies, and if there’s not enough in-house expertise to implement it, the company may also need to hire additional experts—none of which is cheap. In our research with Ponemon, 40% of companies cited a lack of budget as an obstacle to their zero-trust program.
To ensure a limited budget is spent wisely, develop a plan with weighted projects based on cost, value added, and ease of implementation. Prioritize the projects yielding the biggest bang for your buck. For example, an MFA initiative is a considerable security enhancement at a lower cost, putting it at the top of the to-do list. Project number two may be one that costs more but is less complex to implement.
Overall, remember that IAM is a marathon, not a sprint. Getting your organization where you want it to be will likely take years rather than months. By openly addressing stakeholder concerns and taking a step-by-step, purposeful approach to implement IAM in high-risk areas first, you can get your IAM program moving forward on a path of consistent progress.
Converge Cybersecurity’s IAM team is experienced in reviewing and evaluating IAM environments in all stages of maturity. For help navigating the complexities of your IAM initiative, contact our experts.