Getting executive buy-in for identity management

Some enterprise technology deployments can be handled entirely by IT, don’t require executive support or the cooperation of the entire organization. Identity management implementations are not one of these types of initiatives. They take dedicated and adequate budget, executive leadership, and long-term enterprise-wide dedication. So how do enterprises get the C-suite buy-in they need?

I’ve been covering identity management implementations a long time now, and this is one of the most important questions that needs to be answered. Too many organizations have approached their identity management efforts piecemeal. They don’t have executive leadership behind the effort. It’s not planned and architected across the organization. Instead there’s an internal single sign-on initiative. There’s another provisioning project. And maybe an app team will lead a web authentication effort, and so on. There’s no comprehensive strategy.

I recently watched a panel of identity management solution providers tackle this very topic at the recent Navigate ’16 conference. Ken Dunbar, director of cyber services at KPMG said that while scare tactics may work for a short period of time – they don’t work long term. “I've seen attempts trying to scare executives into liking an identity program. This might work initially but is not a long term approach,” he said. So rather than focusing on fear, make sure c-suite executives are familiar with the benefits of a comprehensible identity management program, he said. Such benefits, panel members all agreed, include increased security, better regulatory compliance, more productive employees, and a more productive workplace.

Panelists also agreed that the best way to convince executives to make the investment and the commitment into identity management depends on the industry they operate. Financial and insurance company executives tend to appreciate a return on investment, while other industries such as healthcare will lean favorably toward regulatory compliance benefits. “It depends on the industry and what reality is for them,” Dunbar said.

According to Darran Rolls, who serves as both the CSO and CTO at SailPoint, it’s also important to tailor the sales pitch depending on the role of the executive. “I'm going to give you two answers, one with the CTO hat on and one with the CISO hat on,” Rolls said. “I think as a vendor with the CTO hat on, it's clearly articulating how the technology today provides value very quickly and overlays and integrates with the environment. Organizations are spending a phenomenal amount of money on infrastructure and on security in general. Explaining that today's systems like ours are able to fit very quickly, are able to overlay and provide value very quickly, so that's what a single integrated infrastructure will need,” he said

With the CISO hat on, Rolls says the “FUD,” or Fear, Uncertainty, and Doubt  works to some degree,  it comes down to being able to substantiate the benefits identity management has when it comes improving security controls. “I think it's trying to balance security controls with convenience. It's about being able to provide an advantage, such as increased convenience, when it comes to providing security controls,” he says.

Another way to get buy-in, is to educate the board about how identity can help with high level compliance and cybersecurity efforts, drive innovation when it comes to cloud and IoT, and improve user experience.

“Many more of the [identity management] leaders that we're talking to are now answering to a board more than they were two years ago,” says Dave Hendrix, SVP, client services at SailPoint. “Two years ago, [identity] was a bottom up run project. Today, it’s driven more top down. As a result, you have to learn how to talk about it in business language. You don't talk about bits and bytes as much as you talk about dollars and risk,” says Hendrix.

Another selling point for identity management, is the greater need to be able to control access in virtualized and cloud environments, the panel agreed. Being able to better manage cloud applications is a big enterprise headache and will likely remain so for years to come.

Dunbar says that machine identities are also a big concern. “I think as the networks are becoming more virtualized, we see that the perimeter is gone. With the virtualization, we have the ability to scale so we're scaling up new servers with all of these services on them, as well as IDs and new applications that need to talk to each other. That's causing a lot of concern, because typically, you have to give them a high level of access so they can do what they need to do,” Dunbar explains.

All of this advice is certainly good advice when it comes to deploying something that touches every aspect of your infrastructure, like identity management. But it’s also true for other aspects of security such as security information and event monitoring, governance risk and compliance (GRC) initiatives, and so on require the same kind of commitment in effort and budget. As security has become more and more a board level issue – selling the need for comprehensive, enterprise-wide, security efforts, should become easier.