Making the Business Case for Identity Security

Identity is at the front line of security, in a world where one social engineering attack can bring down an empire, everyone is on guard. As a security leader, identity security should be on the Board’s radar, but how do you get their interest and why look to the IDSA as a resource?

There’s two parts to this:

It’s vital to speak their language as you surface and share the realities of the world and how more and more companies are falling foul to bad actors. Furthermore, share how these attacks take place, where does it start and even share examples of security breaches in companies like yours. In short, don’t assume this can’t happen to you.

In addition, we all recognize our limited budgets, there’s no open cheque book. This means we have limited time and money as we look to solve our problems. So, you can aimlessly wander around conference vendor halls or seek out trusted sources. There are several independent sources that are available to guide you; but when it comes to identity based security we’d like to think the IDSA stands out above the rest.

IDSA members have done a great job documenting security outcomes that enable practitioners to look at the outcome they are trying to accomplish in their organization. These outcomes cover a range of security areas:

  • Provisioning
  • Governance
  • Authentication
  • Privileged Accounts
  • Device
  • MFA

And lots more…it’s a great source of information that explains in detail what these outcomes are, what it takes, and even overlapping frameworks like NIST. This documentation enables you as a practitioner to gain some grounding on what we regard as core identity management disciplines.

While it’s great to say, “let’s deliver some privileged management” or “we need to do some identity management,” it’s not exactly a business winning statement that will convince your board or C-suite to prioritize the work or invest their limited funds.

With that in mind we wanted to enhance the IDSA’s Security Outcomes with some further details that are business focused. Over the years, I’ve found that explaining things using simple business terms enables executives to better understand and thus support our asks. There are four areas I prefer to anchor these conversations on:

  • Reduce Costs
  • Reduce Risk (improve Security)
  • Improve User Experience
  • Achieve compliance (usually framed as in a more cost effective way)

Several years ago a previous manager and mentor of mine educated me on the following – the reality in many discussions is that grounding on the following is key:

  • Would you like to be more secure?
  • Should we look to simplify?
  • Should we look to reduce costs?

It’s not like any executive would like to say “I prefer to be less secure, more complex, and spend more.” Take for example, the first security outcome – it can provide business value across all of the key areas mentioned above:

IDSO-001: User accounts and entitlements are granted through governance-driven provisioning – Creation of user accounts and assignment of corresponding entitlements are based on the results of a governance process. The governance process should include appropriate business justification approvals and risk mitigation, as well as constraints on access determined by business requirements. Governance process is tracked for auditing purposes.

  • Compliance Requirement: This outcome is almost always required for compliance.
  • Security Benefit: Entitlements should be restricted to minimum birthright access (least privilege).
  • User Experience: Should enable faster access to applications as you can enable more pre-approved changes/access.
  • Cost Benefit: Reduced operational cost and increased productivity.

While security outcome number 5 (which I’ve implemented in both of my previous roles) addresses a key security requirement, if done properly, can also provide a positive user experience.

IDSO-006: Device characteristics are used for authentication – Besides relying on a valid username/password, authentication should take into consideration additional context about the device used to determine if the device itself has been compromised. This context helps prevent the spread of malware and limiting lateral movement by denying infected systems access. This also allows access to be limited to company issued or company managed devices.

  • Security Benefit: Reduce risk of access to data by a compromised device.
  • User Experience  Reduces the number of times a user is prompted to login.

So, while outcomes are important – I’d rather go into the conversation and say, we can reduce operational costs, improve compliance and security.  Of course with some data to backup the claim. Deploying an IGA solution is cool and all – but only if it delivers on the grounding points above.

This is why we’ve now included some tagging and details enabling a view based on your business goals. We’ll refine this over time and would love feedback, but the goal would be that you can look at which outcomes drive improved user experience, cost reduction, better compliance, or reduce risk (improve security).

About the Author: Den Jones serves on the Customer Advisory Board for Identity Defined Security Alliance and is currently the Chief Security Office at Banyan Security. Den most recently served as Senior Director of Enterprise Security at Cisco, and prior to that as the Director of Enterprise Security at Adobe. Under his management, Den’s teams delivered proactive enterprise-wide security services as well as customer-facing Directory and Authentication platforms. Den is a well-respected member of the security industry community. He is a member of Microsoft’s Cyber Security Council.



Let's work together to help everyone become more secure.