IGA: The New Number One Priority
Changes in business requirements such as EU GDPR compliance have shifted the priority of IGA from lower-level to top-tier.
By Morten Boel Sigurdsson, Omada CEO
Identity Governance and Administration – The New Number One Priority
Until recently, identity governance and administration (IGA) implementations were considered a lower-level priority by many organizations, perhaps number three or four on their focus list. But changes in business requirements such as EU GDPR compliance, the proliferation of hybrid IT environments and cloud computing, and the advancement of IGA solutions mean that the balance has shifted: IGA has gone from being a nice-to-have to a critical asset for facilitating business requirements, making it much easier for CISOs to build strong business justification cases.
Companies Exist to Make Money
Companies exist to grow and make a profit for their stakeholders including shareholders, investment companies, management, and employees. To make a profit, companies must bring in more money than they spend. They must spend money on - among other things - product research and development, manufacturing, sales and marketing to generate customer interest, and customer support to ensure customers are satisfied enough to become repeat buyers in the future.
Costs like these are considered the bare minimum required to operate in most businesses. In addition to these, there are other areas that businesses may decide to spend on, for example attractive office space to motivate employees, task-specific tools to improve employee productivity, and cybersecurity products to protect against security incidents. Companies make investment decisions based on whether the benefits gained outweigh the budget spent. These discretionary purchases should only be made if the company can justify them to their stakeholders.
The Full Capabilities of IGA are just Being Realized
Until relatively recently, many organizations considered the implementation of IGA solutions to be a “nice-to-have” rather than a necessity. Organizations typically identified some benefits, such as automating account provisioning, which improved the efficiency of their IT departments. However, because they were only considering limited use cases, companies were not able to appreciate all the functionality an IGA implementation could provide, and so saw only a fraction of the possibilities.
Over the past couple of years, the business and technical drivers mentioned above have resulted in many organizations realizing that a comprehensive IGA implementation can provide much higher value than a first-generation identity management product which only provided limited functionality.
So - what’s changed? Why are organizations now seeing IGA investments as a number one priority rather than a nice-to-have? Let’s look at some key areas where IGA is contributing to business and making projects easier to justify.
The Cost and Damage of Data Breaches
Not so long ago, most organizations could continue to operate if an attacker gained access to their corporate network. Why? Not because they had advanced disaster recovery capabilities, but because most of the information they used to run their business was not stored in computer systems. Customer records were housed in filing cabinets, accounts were done manually, and telephone calls or face-to-face meetings were the primary forms of communication.
This is not the case today, as all intellectual property (customer records, product designs, and business processes) is held in computer systems in their offices or, increasingly, in the cloud. Most communication is carried out over email. This digital transformation brings many advantages: enabling employees to work away from the office, allowing businesses to be more agile, and creating new revenue streams. If not appropriately managed, however, digitization can also introduce risk which could cause significant damage to operations or, at worst, result in bankruptcy.
One of the most significant risks revolves around the large amount of confidential and proprietary data that is now being held online. Attackers can potentially gain access to unsecured confidential employee and customer personal data, proprietary product designs, future company strategies, and much more. Many companies have realized that they are now vulnerable to their information being compromised, which could result in competitors copying their new products, loss of reputation and ultimately loss of customers. As a result, they no longer consider controlling access to their critical business systems as anything but essential, and they recognize that access management should now be considered an integral part of doing business.
In addition to reputation and customer loss due to a data breach, many organizations find themselves having to comply with data protection regulations such as EU GDPR to do business. Failure to comply can result in hefty fines and reputation damage. In addition to regulations, many companies find themselves having to comply with security standards such as ISO 27001, and other industry-specific rules.
These regulations and security standards mean that companies must implement stricter controls on who has access to data within the organization, which includes maintaining logs of when and why access was granted for auditing purposes.
Mergers and Acquisitions
When companies join with or buy other companies, they want to realize the benefits quickly, so that cost savings contribute to their bottom line. Among other things, this means reducing the complexity of having two IT infrastructures. However, while cost savings during integration are significant, they also need to ensure that they have no liabilities due to undesirable access being granted to personal information.
Integrating access management across a larger organization can be complex and introduce significant risk which may not be uncovered for a relatively long period. A recent example of this came to light when Marriott disclosed that Starwood, a hotel company they had bought, had been subject to unauthorized access since 2014, which could have affected up to 500 million guests.
During mergers and acquisitions, organizations need to ensure that they understand the access rights that the other company has granted to users. This is particularly true if they intend to physically join the two infrastructures together, as this could open unnecessary security holes into the existing IT infrastructures.
Increase in the Return on Investment
As IT infrastructures have become more complicated due to the number of applications, the increase in user changes, and the locations where data is stored and accessed, so too has the burden on those responsible for identity management. Their role has expanded significantly, not only to manage the increase in applications and users but also to move towards higher-level governance and to ensure that the company meets audit requirements. Without an IGA solution, the cost of delivering identity lifecycle management and compliance across the organization can spiral out of control and result in essential tasks being missed due to the amount of work that the identity managers would need to carry out.
As a result of this increased burden, organizations that have analysed the costs and benefits of an IGA project have realized that such projects typically pay for themselves within a year and can result in an ROI of up to 200% in some instances. Cost savings in the millions of dollars for organizations with a few thousand employees can no longer be ignored.
The changing business and IT landscapes have resulted in organizations needing to address issues that were previously not a significant threat to their business. These changes include an increase in data breaches caused by both internal and external threats, additional regulations and security standards that are now part of doing business, and the increased risks that arise due to mergers and acquisitions. It is critical that organizations address these issues if they want to remain in business. As a result of IGA solutions being ideally placed to address many business-level challenges, such as the ones discussed in this blog, CISOs are now able to construct solid business cases that demonstrate not only how they contribute to the organization’s ongoing operations but also how they contribute to the bottom line through a positive return-on-investment.
Omada | April 2019
Omada CEO Morten Boel Sigurdsson has more than 25 years of experience providing innovative IT related services and solutions for large global organizations. He built his previous experience working at SAP and A.P. Moller Maersk.