In previous IAM Best Practices blogs my fellow customer advisory board members dove into identity ownership, ensuring identity uniqueness, where to start with provisioning and de-provisioning, discovery of assets for privileged access and establishing processes for incorporating IAM into new applications. In this blog post, I will explain why it is critical to establish a governance committee as part of identity and access management (IAM).
IAM deployments are complicated and often difficult, with many roadblocks met along the way. The process of deploying IAM requires the business and IT to engage with numerous decision makers, and a governance committee to oversee the process is critical to success.
An IAM governance committee is a group charged with creating and prioritizing organizational policies, establishing authority for policies to be put in motion, approving funding, and reviewing feedback in order to refine policies. Each business owner on the committee must identify their critical assets within their organization as defined in the organizational policies, and that should be communicated to IT so the appropriate controls can be designed and prioritized for implementation. With input from a stakeholder from each part of the business, controls can be established with the risk appetite determined by the governance committee.
Common mistakes made by IAM governance groups
Even with a governing body in place, certain mistakes can be made, and important steps overlooked. When establishing a committee, avoid the following pitfalls:
Failing to engage the business and key stakeholders
Decisions are not made in a vacuum. It is essential for the group to engage with the business when creating policies and deciding on essential funding mandates for IAM.
Key business stakeholders, including the Enterprise Risk Management team, as well a Chief Data Officers and Chief Privacy Officers, should also be part of the process. With evolving regulations inclusive of enterprise and consumer data, it is critical that regulatory requirements are baked into policies. These individuals can also assist in the identification of critical assets to the business.
Failing to develop metrics-measurements, including priorities
Metrics are essential to measure success of IAM, and a solid set of numbers should be established in order to determine which policies are working and which may need tweaking.
Creating too much complexity
The more complexity a committee creates for users within their environment, the more individuals will be motivated to go around the controls. Work to keep things as seamless as possible to the users and their business processes.
Failing to leverage AI and ML
Artificial intelligence (AI) technologies, including machine learning (ML) are transforming IAM and enabling organizations to implement better IAM practices. To overlook these capabilities is an opportunity missed.
Best practices for establishing a governance committee
I suggest the following best practices when establishing an IAM governance committee:
- Ensure a charter with key objectives and priorities;
- Include key data-business owners, such as HR, Legal, Privacy, and the CIO;
- Identify metrics to measure the objectives defined;
- Obtain executive sponsorship from key executives, including the CHRO, CRO, CISO, CPO, CIO, CEO;
- Identify a programmatic roadmap and funding requirements;
- Ensure the committee’s objectives are aligned to business priorities, including digital transformation.
Ultimately, your goal is to establish an IAM program that secures customer and employee data, gives users a seamless experience, that streamlines or reduces costs associated with access and identity management, and that ensures compliance to any relevant industry mandates. Putting your IAM governance committee in charge of the process should be one of the very first steps in accomplishing success in IAM for your organization.
About the Author: Julie Talbot-Hubbard, General Manager, Global Vice President of Digital Identity and Data Services at Optiv, has held key transformative CISO and Data Leadership positions where she established and aligned global security and data strategies while leading the implementation of Security and Data capabilities to reduce each organizations cyber risks exposure while enabling them to maximize their data to grow revenue, product evolution and consumer delight. Julie is a member of the IDSA Executive Advisory Board.