New CIO or Head of IT? Make a Fast, Positive Impact with Identity

On any given day, the real job of the person running IT is PPS: professional problem solver.

The set of problems they’re tasked with solving changes every day: increase business process efficiency through automation; facilitate software development and release through DevOps principles; maintain and enhance security. Against this landscape, CIOs also have another challenge: to surprise and delight their users. Easy, right?

But there’s a new way for CIOs to make a splash. By easing pains around identity and access management, from onboarding and deprovisioning to simplifying secure authentication, a CIO can have a significant and positive impact on security, the business, and the daily lives of the employees in the organization. For most, this is an unrealized potential gain.

Many years ago, I worked for a CIO in a Fortune 500 company who chose to focus on one key metric: responsiveness and satisfaction with the IT Help Desk. Of the hundreds of possible metrics across a 600+ person IT organization, he chose this specific metric for one reason: if the users were unhappy with their IT support on basic things like their mobile devices and Excel formulas, their bosses were less likely to include him in the big-picture business technology decision making. Getting IT Support right was a necessary step along the path to being a trusted technology partner to the business leaders across the company.

An effective identity program can have the same impact. So what are the ways a CIO can turn their identity program into a pathway to having more influence in their organization? It starts by identifying the main sources of friction, which can be determined through discussions with business managers and other stakeholders. Trust me: once you start asking, identity management is nearly always a point of friction.

A simple place to start is with the pace of provisioning—specifically, how long it takes for employees to get new or modified access rights when they start a new role or a new business system is introduced. Especially during the pandemic, job changes, layoffs, and organizational realignments have been facts of life. The faster workers can be provisioned, the faster they can get to their actual work. A key performance indicator (KPI) that can help set a baseline and gauge improvement on the issue is the average number of days access requests are open before they are fulfilled. Every day an access request remains open, that employee is blocked from doing something important. If that number can be reduced, it provides clear evidence of growing efficiency and builds confidence in IT across the enterprise.

The business units that have the longest waits should be the first priority. One of the most effective ways to quicken the provisioning process is to turn to delegated administration and a self-service approach: remove IT from the approval process entirely. Delegation allows organizations to hand control of decisions about access requests over to the employees who understand the access needs the best. In effect, this approach moves these decisions closer to the user by giving, for example, a manager one or two levels below the leader of a business unit the authority to assign a user to a new role with new access privileges. Dovetailing this with a self-service approach that enables users to request changes to their access rights without having to go through the Help Desk also speeds up the process.

At their best, secure authentication and access are seamless; the less disruption for users, the better. From that perspective, having too many passwords to remember is an impediment to both user authentication and user productivity. The good news is it can be resolved through the implementation of single sign-on (SSO). The KPIs for an SSO project will vary according to the project’s goals, but some useful metrics may include how long it takes users to authenticate or more qualitative measurements like user satisfaction.

A more quantitative metric would be the number of work accounts and passwords users have to maintain. Ideally, the number of accounts tied to each user should be low: one account per employee. This isn’t just for personal convenience; compromised accounts are one of the key pathways attackers use to gain a foothold in a network. The more accounts there are, the larger the attack surface that organizations will need to protect. This is particularly true for privileged accounts, which, because of their access rights, should be kept to an absolute minimum, something we call the Principle of Least Privilege. New approaches, like Just In Time Administration (JITA), can make this even more efficient and secure.

Ultimately, the goal of these efforts and technical approaches is to improve productivity without increasing risk — possibly, even reducing risk. Speed cannot come at the expense of security. Operational efficiency is not beneficial if it leads to users receiving excessive permissions and expands the threat surface. That said, look under the rocks of user pain, and slow or inefficient access management is often waiting for you. Solving that is key to being a trusted technology partner to the business.

About the Author

Paul Lanzi is the co-founder and COO of Remediant and IDSA Beyond Best Practices Technical Working Group subcommittee leader. Remediant is a cybersecurity startup focused on delivering a new approach to Privileged Access Management. Paul and his co-founder at Remediant, Tim Keeler, worked together in the IT departments of several biotechs including Genentech, Roche and Gilead Sciences before starting Remediant. At each of those organizations, they saw first-hand the drawbacks of the legacy approaches to PAM and were inspired to create something new. Paul’s previous corporate IT experience includes project and program management, corporate mobile app development team management, and recruiting and managing full-stack web development teams. Paul has a passion for excellent user experience (UX) and project management, having held a PMP certification from the Project Management Institute since 2005. Paul also holds a BS with Honors in Computer Science from UC Davis.
