With security breaches and attacks dominating the daily headlines, it’s easy for security professionals to become overwhelmed. As each day’s hot news story reaches your company’s C-level executives and your board of directors, you may find yourself responding to fires rather than strategically planning.
Responding to the urgent need of the moment and fighting fires has become the default mode for many CISOs. Turning your focus away from the big picture and buying a technology to solve the urgent need is the normal reaction.
While solving urgent problems may be your comfort zone, in my 30-plus years working with clients I have found that it only solves the specific problem at hand. CISOs and other security leaders who focus on an enterprise strategy first, using a risk analysis approach that covers people, process, data and then technology, each mapped to that strategy, are the ones whose businesses move away from urgent firefighting, make better long-term investments and stay the most secure.
As we all know, the traditional view is that cybersecurity is a problem you can solve if only you choose the right product. This does not work for Identity and Access Management (IAM), because IAM is an enterprise-wide change management program that requires a long-term strategy and plan. In an increasingly complex digital world, taking this type of approach is more important than ever.
Think of it this way: Your organization would never dream of undertaking an ERP project by only focusing on various features and functionality of technology products. Any successful ERP project must take into account the whole enterprise to include the people, process, data, and (finally) technology.
Therein lies the challenge: the CISO is faced with building the business case to secure the entire enterprise, in just the same way as the sponsor of an ERP system. An IAM program requires buy-in from the enterprise and all of its stakeholders, and that buy-in means both people and budget from across the enterprise.
Since enterprise IAM programs often touch and impact everyone at every level of your organization, the most successful CISOs take a ‘strategy first’ approach and involve all of the business owners, to understand their risk and the envisioned future state before committing to specific technology as the solution.
Done early in the decision process, this lets executives identify the real business problem and develop a program and budget that addresses people, process, data and technology, in that order, over time. Implementing the overall solution in the correct order is what transforms the enterprise and achieves the highest value from the overall investment.
CISOs who build this type of strategy early, and set the direction of the program correctly, are able to gain organizational buy-in all the way up to the Board. That buy-in provides the executive sponsorship, resources and budget approval for a multi-year program that solves the issues affecting risk, security, compliance and the bottom line across the enterprise.
So, how does a CISO create awareness among C-level executives and free up the funds and political capital needed to approach an IAM program with smart decisions? In my experience, the CISOs most likely to succeed in today's enterprise resist the pressure to immediately solve every problem with a technology.
They know that before you even begin to look at technology options, you must first look at the business problem, build a strategy and secure buy-in from across the enterprise. So the seven questions to ask yourself before you buy IAM security technology are:
- Exposure: Do you understand your current risk exposures? What’s at risk and why?
- People: Do you have a cross-functional IAM team representing all the key technology and business owners? Are they truly engaged to solve the right problems in well attended IAM meetings?
- Path: Do you have your compass set in the right direction with the right people, processes and technology? Will the stakeholders know they have arrived at the right place when you get there? Are you set up to survive mid-project storms and change?
- Risk Economics: Does your organization use risk economics as well as ROI to ultimately decide which problems are most important to solve and how to spend your investments wisely?
- Funding: Is your organization moving with an understanding of an overall risk model and the importance of a sustained, multi-year focus to transform the enterprise? Do you have a well-documented business case and roadmap for your identity management program to achieve enterprise-wide success?
- The board: Is your organization highly regulated, and if so, are you taking a proactive approach to bringing Integrated Risk Management (IRM) into your IAM program?
- Future: Are you moving your organization toward enterprise-wide change and applying the governance needed to sustain that change?
Next time you see a security problem in your organization that you think can be fixed by simply buying a piece of technology, stop and think. Are you taking a technology-first approach because it seems to be the easiest way to relieve the immediate pain? If so, take the time to answer the questions above first. If this seems too daunting, call me, as I may be able to guide you through the process.