The CIO's Challenge: Balancing Openness with Risk Management

This article is more than 10 years old.

Written by Kevin Cunningham

One of the consequences of the global recession two years ago is a significant increase in IT risk facing global companies.

IT risk – the threat of negative consequences resulting from the operation of information systems – has spiraled upward for multiple reasons: large-scale mergers, acquisitions and divestitures and the resulting need to consolidate people and systems; greater use of IT hosting and outsourcing; the shift to replace full-time employees with temps and contractors; and new technologies like cloud and mobile computing. As a result, CIOs face a massive challenge: how do they balance the need for flexible and open access to their company’s IT infrastructure (so business can be conducted) with the need to mitigate IT risks associated with that access (so bad things don’t happen)?

Some believe that making the auditors happy is a sufficient answer. I believe this logic is flawed, however, because doing no more than what’s required to pass a particular regulatory audit is not likely to truly address the unique risks and security requirements facing each global enterprise. Instead, effectively managing IT risk requires corporate diligence above and beyond regulatory compliance. Companies must achieve a level of transparency and risk management that protects against the real security threats that exist inside their organization.

There are three primary strategies CIOs should pursue for managing risk associated with access to their IT infrastructure.

  • First, they must instill a risk management discipline in their organizations. This requires a formal categorization of risks in order to understand potential threats and vulnerabilities, and to implement the appropriate set of controls to balance the business’ need for convenience, usability, and availability with the need for security measures that transfer, mitigate or eliminate risk. In the case of identity and access management, this means implementing the necessary controls to mitigate specific risks such as workers who hold access privileges they don’t need, terminated workers whose access privileges are not removed, or toxic combinations of access privileges that increase the potential for fraud.
  • The second key ingredient for effectively addressing identity and access risk is to deploy “identity intelligence” tools that provide visibility and improve control across large numbers of enterprise systems, applications and data. In order to achieve transparency and better manage risk, the organization will need to inventory, analyze and understand the access privileges granted to employees, partners, and sometimes even customers — and to be ready to answer the critical question on demand: “Who has access to what?” Compiling and correlating this data manually is usually not a viable approach due to the complexity of the IT environment and the frequency of changes that routinely occur to user populations. Therefore, an automated approach that provides data on demand is required.
  • Lastly, CIOs must foster collaboration between business staff and IT staff in order to effectively manage IT risk. It may sound paradoxical, but addressing IT risk requires business-level participation. Business people are required to align IT operational policies to business policies and priorities. For example, a finance manager is the most qualified person to define policies around storage of financial information based on criticality of the data. This information must be communicated to IT operational staff so that appropriate controls and IT policies can be put in place. Likewise, IT is in the best position to gather the data on who has access to what and report back to the business people to let them determine if that access is correct or not.
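The three identity risks the first two points name (access held by terminated workers, privileges a role does not need, and toxic combinations) are exactly what an automated "who has access to what" correlation surfaces. The following is an added illustration written for this page, not SailPoint code or anything from the article: it joins a constructed HR extract with constructed per-system entitlement exports against a constructed role model and segregation-of-duties rule, and reports each class of finding. All employee ids, system names, privilege names and roles are made up.

```python
"""Toy identity-intelligence correlation: answer 'who has access to what' and
flag the three access risks named in the text. All data below is constructed
for illustration; nothing here is a real system export or product code."""
from collections import defaultdict

# Constructed HR extract: employee id -> (name, employment status, job role)
HR = {
    "e100": ("Alice", "active", "ap_clerk"),
    "e101": ("Bob", "terminated", "developer"),
    "e102": ("Carol", "active", "finance_manager"),
    "e103": ("Dave", "active", "ap_clerk"),
}

# Constructed entitlement exports, one row per (system, account owner, privilege).
# In practice each system (ERP, source control, VPN, ...) produces its own export.
ENTITLEMENTS = [
    ("erp", "e100", "ap.create_vendor"),
    ("erp", "e100", "ap.approve_payment"),  # together with create_vendor: toxic pair
    ("erp", "e102", "ap.approve_payment"),
    ("erp", "e103", "ap.create_vendor"),
    ("hr_portal", "e103", "payroll.edit"),  # not part of the ap_clerk role model
    ("git", "e101", "repo.admin"),          # account of a terminated worker
    ("vpn", "e101", "remote_access"),       # same worker, different system
]

# Constructed role model: the privileges each job role is expected to hold.
ROLE_MODEL = {
    "ap_clerk": {"ap.create_vendor"},
    "finance_manager": {"ap.approve_payment"},
    "developer": {"repo.admin", "remote_access"},
}

# Constructed segregation-of-duties rule: privileges one person must not hold together.
TOXIC_PAIRS = [frozenset({"ap.create_vendor", "ap.approve_payment"})]


def access_by_user(entitlements):
    """Correlate per-system exports into one view: user -> {(system, privilege)}."""
    index = defaultdict(set)
    for system, user, privilege in entitlements:
        index[user].add((system, privilege))
    return index


def find_orphaned_access(hr, entitlements):
    """Privileges still held by workers HR marks terminated, or unknown to HR."""
    findings = []
    for user, grants in access_by_user(entitlements).items():
        record = hr.get(user)
        if record is None or record[1] == "terminated":
            findings.extend((user, system, priv) for system, priv in sorted(grants))
    return findings


def find_excess_privileges(hr, entitlements, role_model):
    """Privileges an active worker holds beyond what the role model allows."""
    findings = []
    for user, grants in access_by_user(entitlements).items():
        record = hr.get(user)
        if record is None or record[1] != "active":
            continue  # reported by find_orphaned_access instead
        allowed = role_model.get(record[2], set())
        findings.extend((user, system, priv) for system, priv in sorted(grants)
                        if priv not in allowed)
    return findings


def find_toxic_combinations(entitlements, toxic_pairs):
    """Users holding every privilege of a toxic pair, even across different systems."""
    findings = []
    for user, grants in access_by_user(entitlements).items():
        held = {priv for _system, priv in grants}
        for pair in toxic_pairs:
            if pair <= held:
                findings.append((user, tuple(sorted(pair))))
    return findings


def risk_report(hr=HR, entitlements=ENTITLEMENTS,
                role_model=ROLE_MODEL, toxic_pairs=TOXIC_PAIRS):
    """One report a business owner can review: each finding names a user, not a table row."""
    return {
        "orphaned": find_orphaned_access(hr, entitlements),
        "excess": find_excess_privileges(hr, entitlements, role_model),
        "toxic": find_toxic_combinations(entitlements, toxic_pairs),
    }


if __name__ == "__main__":
    for category, items in risk_report().items():
        print(category)
        for item in items:
            print("   ", item)
```

On the constructed data the report lists Bob's git and VPN access as orphaned, Alice's payment approval and Dave's payroll edit as excess for their roles, and Alice as the one user holding both halves of the vendor/payment toxic pair. Each finding is keyed to a person and a plain privilege name, which is the form in which a finance manager (rather than an administrator) can decide whether the access is correct.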

The good news for CIOs is that today’s governance-based identity management solutions are designed to help organizations identify and remediate common risks associated with user access, and provide “identity intelligence” that translates technical identity data into business-relevant information. And these same tools have been designed to be used by the business staff who need to be involved in identity management processes. These solutions facilitate business user participation, simplify technical information in a meaningful way for business users, and treat identity management as the critical business process it is.

Managing IT risk is no easy task, and certainly, no one technology can address all aspects. But as companies struggle with today’s business requirements, a governance-based approach to identity management enables a centralized, holistic approach to governing user access to enterprise applications, regardless of whether they are deployed in a datacenter or the cloud, or accessed through mobile devices. Now, organizations can create a cross-department, enterprise-wide identity management process that provides a layer of intelligence to give enterprises the business insights needed to strengthen IT controls and reduce operational risk. The better a company understands which users have access to which corporate assets, the better it can realistically understand its potential security vulnerabilities.

Kevin Cunningham is president and founder of SailPoint Technologies, an Austin-based developer of identity governance solutions.