Cyber Playbook: 10 Reasons Why Identity and Access Management Programs Fail

October 12, 2021

Contributed by Todd Musselman, Senior Vice President, Identity and Access Management

This Cybersecurity Awareness Month, many IT security professionals, including myself and my team, are reflecting on the state of the cybersecurity industry. While identity management and IT security have been rising as a priority amongst government, enterprises, and individuals alike, the increase in sophistication and frequency of cybercrime shows us there's still work to be done.

In the Herjavec Group 2021 Cybersecurity Conversations for the C-Suite Report, we explored the importance of a strong Identity and Access Management (IAM) Program. Strong Identity and Access Management lays the foundation for a comprehensive enterprise cybersecurity strategy – the fact is, your other controls, endpoint protection included, are only as strong as the identity program that tells them who to trust.

The IAM solution market is crowded and can be difficult to navigate. Outdated approaches and technology, along with misdirected or overly generalized focus can cause your IAM system to be less effective and in worst-case scenarios, to fail.

Over the 20 years I have worked with organizations building Identity programs and deploying IAM technologies, I've noticed 10 common reasons why some organizations have not met their own expectations around the value achieved in deploying an IAM system. This Cybersecurity Awareness Month, I encourage you to take a moment to thoroughly examine your Identity and Access Management strategy. Do your IAM program and the deployed technologies fall into any of these common pitfalls?

Too Much Dependence on Technology Alone

Many IAM solutions focus heavily on technology to deliver comprehensive IAM functionality but neglect the other components of a strong IAM program that would provide truly holistic coverage. This often means your program is unlikely to yield the value expected. Combining technology with the right processes, people and expertise elevates any cybersecurity program and ensures your IAM program is well-rounded and exhaustive in its capabilities.

Inadequate Planning and Lack of Defined Objectives

The key to a successful plan is understanding your objectives. Without defining clear and specific goals your team is likely to fall victim to the 'rudderless ship' dilemma. When it comes to defining the objectives for your IAM plan, it's important to develop goals based on your enterprise's unique needs. Ask yourself -

  • What are my enterprise's crown jewels?
  • Who requires privileged access and for how long?
  • How can I balance securing my enterprise while also streamlining business operations?

No One Responsible for Keeping Your Project On Track

Along with defining clear objectives, your team will need someone to lead and manage the project development and implementation with your goals always top of mind. It's easy to zero in on smaller tasks within the greater project and lose sight of the ultimate objective. Assigning a person or team to take the lead on managing your project to stay in line with your defined objectives is simple, but effective in ensuring efficient development and implementation of your IAM systems.

Failure to Engage End-Users

Many enterprises assume implementing and running a successful IAM program is a three-step process:

  1. Develop IAM Program
  2. Implement IAM Program
  3. Run IAM Program

The main pitfall of this approach is underestimating the value of a post-deployment plan and support. Change management is a critical component for any new or updated program's success. Ensuring your entire team understands how to properly engage with and leverage your IAM program encourages acceptance of the program - if the end-users won't comply with your IAM program, it's essentially rendered useless. Thorough training and accessible resources (including a team of experts available to answer questions and provide support) are great ways to provide post-deployment change management support.

Lack of Partnership Across All Teams

Your IAM solution is likely to be the most used component of your organization's cybersecurity program, touched by almost every member of your team whether they are part of the IT/Security, Risk, Audit, Business, or Administration functions. IAM has impacts across all departments, levels of seniority, and even internal and external parties. With that in mind, it just makes sense for your program to be well integrated across these groups, with a collaborative approach to implementing and engaging with your IAM program. This will ensure you get the best value for your cybersecurity investment and streamline your business and security operations.

No Post-Deployment Management Plan

Your IAM plan shouldn't be considered a static, 'solve all' solution. Your team must consider the short-term management of your program along with the long-term measures that may need to be taken in the future when developing your IAM strategy. Knowing who will run your program, how it may evolve, and who will be responsible for updating and maintaining processes, technology, and software is just as important as your initial program strategy.

Not Leveraging Quality Data

Data is the heart of your IAM program. This means that data quality is integral to critical procedures including but not limited to:

  • Application onboarding
  • Authoritative identity sources onboarding
  • Access provisioning
  • "Leaver" processes

Developing your IAM program to include best practices for analyzing and cleaning data is ideal, but if you've already implemented your IAM strategy without solid data processes, now is the time to assess and improve your program.

Consider implementing a data analysis tool such as Herjavec Group Data Manager (HGDM). Tools like HGDM apply pre- and post-processing logic to source and application data to identify and clean up stale records and to produce output in the format each target system expects.
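To make the data-quality point concrete, the following is an added example (not code from the original post and not HGDM) of the reconciliation step an IAM program runs between an authoritative identity source and an application's account export. It normalizes the join key (pre-processing), then flags the records that break the "leaver" process and access hygiene: accounts still enabled for identities that have left or whose contract has ended, accounts with no owning identity, and accounts nobody has used in months. All field names, identifiers and sample records are constructed for illustration.

```python
"""
Added example: reconcile an application account export against an
authoritative HR identity source. Not from the original post; every
identifier, field name and sample record below is constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Reference date for the sample data (constructed).
AS_OF = date(2021, 10, 12)

# Constructed authoritative source (e.g. an HR feed). 'end_date' is set both
# for leavers and for third-party contractors with a contract end date.
# Note the untrimmed, mixed-case email on the first row: real feeds look like this.
HR_CSV = """employee_id,email,status,worker_type,end_date
1001, Alice.Smith@Example.com ,active,employee,
1002,bob.jones@example.com,terminated,employee,2021-09-30
1003,carol.ng@example.com,active,contractor,2021-09-15
1004,dan.ortiz@example.com,active,employee,
"""

# Constructed application account export (e.g. from a finance system).
APP_CSV = """username,email,enabled,last_logon,entitlements
asmith,alice.smith@example.com,true,2021-10-08,"finance_read"
bjones,bob.jones@example.com,true,2021-10-01,"finance_admin"
cng,carol.ng@example.com,true,2021-09-20,"finance_read"
svc_batch,,true,2019-01-01,"finance_admin"
dortiz,dan.ortiz@example.com,true,2021-03-01,"finance_read"
"""


@dataclass
class Finding:
    username: str
    issue: str
    detail: str = ""


def normalize_email(raw: str) -> str:
    """Pre-processing: trim and lower-case so HR and application rows join."""
    return raw.strip().lower()


def load_identities(text: str) -> dict[str, dict]:
    """Key the authoritative source by normalized email."""
    identities = {}
    for row in csv.DictReader(io.StringIO(text)):
        row = {k: v.strip() for k, v in row.items()}
        identities[normalize_email(row["email"])] = row
    return identities


def reconcile(hr_text: str, app_text: str, today: date, stale_days: int = 90) -> list[Finding]:
    """Compare each application account with its authoritative identity."""
    identities = load_identities(hr_text)
    findings: list[Finding] = []
    for acct in csv.DictReader(io.StringIO(app_text)):
        acct = {k: v.strip() for k, v in acct.items()}
        user = acct["username"]
        email = normalize_email(acct["email"])
        enabled = acct["enabled"].lower() == "true"
        if not email:
            # Unowned account: nobody is accountable for its entitlements.
            findings.append(Finding(user, "no_owner", "account has no identity link"))
            continue
        ident = identities.get(email)
        if ident is None:
            # Orphan: the application knows a user HR has never heard of.
            findings.append(Finding(user, "orphan", "no match in authoritative source"))
            continue
        end = date.fromisoformat(ident["end_date"]) if ident["end_date"] else None
        has_left = ident["status"] != "active" or (end is not None and end < today)
        if has_left and enabled:
            # Broken leaver process: employee terminated or contractor expired.
            findings.append(Finding(user, "leaver_still_enabled",
                                    f"{ident['worker_type']} ended {end}"))
            continue
        last = date.fromisoformat(acct["last_logon"])
        if enabled and today - last > timedelta(days=stale_days):
            findings.append(Finding(user, "stale", f"last logon {last}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Post-processing: counts per issue, the shape a dashboard or ticket feed wants."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(HR_CSV, APP_CSV, AS_OF):
        print(f"{f.username:10} {f.issue:22} {f.detail}")
    print(summarize(reconcile(HR_CSV, APP_CSV, AS_OF)))
```

The contractor row is the case third-party management tends to miss: HR still reports the identity as active, so a status-only check passes it, and only the end date reveals that the account should have been disabled. In a real deployment the same logic runs against every onboarded application, and the "no_owner" and "orphan" findings are usually the first cleanup backlog a new IAM program inherits.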

Weak Application Inventories Undermine Prioritization Efforts

The common phrase "work smarter, not harder" absolutely applies to developing your enterprise IAM. Often teams skip the due diligence of compiling a complete inventory of the applications that need to be onboarded, which leads to weak prioritization of the onboarding work. Make sure you and your team understand the applications in scope and prioritize the ones that can provide quick wins, have wide user exposure, and are more easily integrated.

Neglecting Resilient Third-Party Risk Management

Since the pandemic began, we've seen rapid digital transformation – including big changes to the way enterprises require and engage third parties. The recent SolarWinds supply-chain compromise was a tough reminder that the vendors and software you trust carry inherent risk. Managing third-party identities along with your internal end-users is key to gaining comprehensive visibility and security for your enterprise.

Before the pandemic, the typical network security perimeter made it easy to differentiate between our internal teams and third parties. Today, the way we give access to our employees is generally the same way we give access to external groups. To foster resilient third-party risk management, your IAM program should include:

  • Strong identity governance that balances your enterprise security along with user experience.
  • Comprehensive Access Management program to ensure the right end-user is accessing the right data or applications at the right time.
  • Privileged Access Management processes that identify, manage and monitor system usage by third parties that access and help administer critical IT systems within your organization.

Lack of Executive Level Buy-in

At the end of the day, you can't properly invest in and implement a strong Identity and Access Management program without support from your board and executive leadership team. Cybersecurity is often seen as a purely IT or technology issue, leading many to underestimate the investment and programs needed for the right coverage as well as the business driving benefits of a strong information security strategy.

Prepare communications that properly convey the importance of a strong IAM program along with the business optimizing benefits to garner executive and board-level buy-in.

Comprehensive Identity and Access Management can feel like a daunting task, but there's never been a better or more urgent time to evaluate your current posture and address your IAM weaknesses. Use these common pitfalls as a blueprint to start developing or improving upon your organization's IAM program.

The team at Herjavec Group is made up of best-in-class, global talent and some of the most highly respected professionals in cybersecurity. With decades of experience and lessons learned, we want to share our insights with you. From the HG Playbook is a blog series where our diverse, specialized thought leaders will discuss all things cybersecurity. Every month one of HG’s experts will provide advice and insights based on their extensive experience in the infosec industry. Make sure to subscribe below and feel free to connect with us about topics and questions you would like to see covered.
