What do you need Access to? Some weeks ago, I was discussing identity management analytics with a friend. He doesn’t work in IT, but he’s really bright and has held some pretty senior positions along the way. “Why don’t you just ask people what they need to have access to?” he said. Spluttering over my curry, I trotted out the usual: it’s more complicated than that; you can do that in small companies, but not in big ones; what if people lie? But in reality, current processes and controls don’t really work that well, tools are woefully inadequate, and I’m sure many managers just ask their staff “so what do you need to have access to?”. On the basis that this isn’t a great solution, what is the radical, game-changing answer?
In the last two years the reporting of data loss, regulatory breaches and rogue trader activity has grown significantly. As a result, firms are stepping up their efforts to protect data and resources. But as boards and risk committees sign off ever-increasing budgets, what they may not realise is that they are sanctioning over-reliance on manual processes, external auditors and consultants, and embedding the shortcomings of those manual processes into the organisation. Staff at the coal face are overrun trying to interpret the information they already have whilst new data arrives daily. And the one thing that’s certain is that working harder is not going to solve anything.
Though organisations are at different points along the journey, most fall into one of three categories. Reactors respond to immediate threats but don’t manage risk at a strategic level. Guardians improve processes and have more pervasive control systems, but the costs outweigh any perceived risk benefit, and real risks go unaddressed. Only Leaders have the deep analysis coupled with the right tools to manage risk in a cost-effective way. Escaping this cycle of audit, remediation and control failure is critical if firms are to gain real confidence that their assets are protected.
So what should firms do if they want to be leaders? The first thing is to really understand what assets staff have access to and identify control failures and potential regulatory failures before they happen. To do this you need to have tools that analyse:
- Identity and role: which systems each user can access, and how that compares with their peers.
- Control and process: where the gaps in controls lie, and how greater efficiency can reduce both cost and risk.
- Usage: the context in which staff actually use the systems they can access, and how that context changes the risk.
- Location: how the use of systems and data aligns with the regulation and legislation that applies where it happens.
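The first three of those analyses can be made concrete in a few lines of code. What follows is an added example, not code from the original post or from any product: it runs a peer-group comparison (who holds entitlements that few colleagues in the same department hold), a segregation-of-duties check, and a dormancy check over a small constructed set of users and entitlements. The department used as the peer group, the 50% rarity threshold, the 90-day idle window and the single SoD rule are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the post): user -> (department, entitlements held).
USERS = {
    "alice": ("trading", {"order-entry", "market-data", "email"}),
    "bob":   ("trading", {"order-entry", "market-data", "email"}),
    "carol": ("trading", {"order-entry", "market-data", "email", "settlement-approve"}),
    "dave":  ("trading", {"order-entry", "market-data", "email"}),
    "erin":  ("ops",     {"settlement-approve", "settlement-entry", "email"}),
    "frank": ("ops",     {"settlement-approve", "settlement-entry", "email"}),
    "grace": ("ops",     {"settlement-entry", "email"}),
}

# Assumed segregation-of-duties rule: nobody should both enter orders and approve settlements.
SOD_RULES = [("order-entry", "settlement-approve")]

# Constructed usage data: days since each (user, entitlement) pair was last exercised.
LAST_USED_DAYS = {(u, e): 7 for u, (_, ents) in USERS.items() for e in ents}
LAST_USED_DAYS[("carol", "settlement-approve")] = 200
LAST_USED_DAYS[("dave", "market-data")] = 120


def peer_outliers(users, threshold=0.5):
    """Entitlements held by a user but by fewer than `threshold` of their department.

    Uses department as the peer group (an assumption). Small groups are noisy:
    in a group of one, nothing can ever be flagged, so treat results as review
    candidates rather than verdicts.
    """
    by_dept = defaultdict(list)
    for user, (dept, _) in users.items():
        by_dept[dept].append(user)

    findings = {}
    for members in by_dept.values():
        counts = Counter()
        for member in members:
            counts.update(users[member][1])
        size = len(members)
        for member in members:
            rare = sorted(e for e in users[member][1] if counts[e] / size < threshold)
            if rare:
                findings[member] = rare
    return findings


def sod_violations(users, rules):
    """Users holding every entitlement of at least one conflicting pair."""
    findings = {}
    for user, (_, ents) in users.items():
        hits = [rule for rule in rules if set(rule) <= ents]
        if hits:
            findings[user] = hits
    return findings


def dormant_entitlements(users, last_used_days, max_idle_days=90):
    """Entitlements not exercised within `max_idle_days`; never-used ones count as dormant."""
    findings = {}
    for user, (_, ents) in users.items():
        idle = sorted(
            e for e in ents
            if last_used_days.get((user, e)) is None or last_used_days[(user, e)] > max_idle_days
        )
        if idle:
            findings[user] = idle
    return findings


def access_review(users, rules, last_used_days):
    """Combine the three analyses into one per-user report for a reviewer."""
    report = defaultdict(dict)
    for user, rare in peer_outliers(users).items():
        report[user]["peer_outliers"] = rare
    for user, hits in sod_violations(users, rules).items():
        report[user]["sod_violations"] = hits
    for user, idle in dormant_entitlements(users, last_used_days).items():
        report[user]["dormant"] = idle
    return dict(report)


if __name__ == "__main__":
    for user, issues in access_review(USERS, SOD_RULES, LAST_USED_DAYS).items():
        print(user, issues)
```

On the constructed data the report singles out carol, whose settlement-approve entitlement is rare among traders, breaks the SoD rule and has not been used in 200 days, and dave, whose market-data access is simply stale. That is the point of combining the dimensions: a single rare entitlement is a question for a manager, while a rare, conflicting and unused one is a finding that should be removed without waiting for the next audit.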
When a firm can do that in a repeatable, sustainable, automated and predictive way, it is well on the way to having real confidence that it controls the access it hands out and the risks that access poses.