Within the Identity and Access Management (IAM) arena, IAM is often as the front-line defense for securing your company and its data. Most industry companies view IAM as an overhead cost with little value or as a necessary evil, which has led to IAM projects not securing proper investment.
Although the news is often overflowing with data breaches and various exploits directly associated with IAM, sufficient funding and focus is not given to IAM projects. Juniper Research forecasted that the number of personal data records stolen by cyber-criminals will reach five billion in 2020, while Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.
Meanwhile, the average cost of a data breach reached $3.92 million, according to self-reported breach costs at more than 500 organizations worldwide, in 16 countries and 17 industries, which equates to approximately $150 per stolen record.
Considering this, one would assume securing buy-in for IAM projects wouldn’t be too difficult. Unfortunately, securing buy-in is often an uphill battle. One must ask, has IAM become the big pink elephant in the room that everyone knows about, ignores, and hopes will go away?
Many client IAM strategies focus on today’s problems alone and fail to prepare for emerging risks and future innovations. As an example, in 2017, the Verizon Data Breach Investigation Report noted that “Sixty-two percent of all breaches involved hacking; and 81% of those leveraged either stolen and/or weak passwords.”
In retrospect, KPMG and Everett conducted and IAM survey with over 125 organizations from various sectors and countries in 2009, which reported that more than 75% of IAM Projects FAIL by not delivering expected results. Why? The primary reason for the failures were due to lack of business buy-in, unrealistic goals around time, impact and budget. Many teams fail to understand or articulate their existing limitations within their delivery models that would not be addressed without innovation to align with their business’ goals and drivers.
Unfortunately, not much has changed in the last 10 years. Forbes surveyed organizations which had been breached: “74% stated it involved privileged access credential abuse, however only 48% of those business have a password vault. 65% are sharing root or privileged access to systems and data at least somewhat often.” The issues in these examples were the same drivers for IAM project requests 10 years ago.
IAM models are often based off of legacy technologies with limited flexibilities to support emerging technologies such as the cloud. Like any project, IAM project teams must be careful with over committing or exaggerating deliverables. The expected duration to deliver new technologies or transformations seldom align with reality because projects are not broken out into realistic phases.
IAM programs must focus on the risks versus the benefits. Projects are often brought forward with a focus on benefits such as productivity or compliance improvements without any quantifiable evidence. Maybe the focus should be on the risk? With all the new regulations established to protect personal data, the selling point of the project should be focused on the risk of doing nothing.
More companies are storing their data electronically. This data includes the client’s crown jewels, employee data, and other. IAM is integral in protecting their company’s data and must have appropriate tools available to achieve this goal.
IAM programs should ensure the risk is clear to help clients build a complete, security-rich solution. These programs should incorporate new value for their business where both the risks and benefits are clear to prevent IAM from being the pink elephant in the room in their business.