Shooting from the hip is easy, because it is fast and sounds like you’re making an impact. But do you hit the mark? When you study the ‘art of shooting’ a bit, you find there is a whole lot of practice to it: it takes time, and every shot is highly contextual. No soldier goes into battle without thorough preparation and training. The target, the terrain, the road in and the road out, the weather: it all plays a role in hitting the mark. Becoming really good is hard, takes a long time, and ultimately also depends on context. Yet it always beats shooting from the hip.
Every so often I talk to people in the field of Identity and Access Management and within a minute I feel like I’m talking to the trigger-happy hip-shooter. I can’t help thinking that they’ve never seen a line of code of an IAM solution, never talked to an end user, never were first responder to an incident or a breach. Because IAM is hard, complex and highly contextual. Yet it seems so simple to the outsider. Because it’s about logging in, and how hard can that be, right? Everyone logs in, sometimes hundreds of times per day. Sometimes without even realizing it (through SSO solutions, for example).
For Identity and Access Management you need to be able to combine competencies and skills that you rarely need to combine in another area of expertise.
- The conversation with the business and executives needs to be simple yet clear. The complexities of IAM need to be hidden, because they will not be understood and will obscure any real question to, or decision by, the business. In these conversations the IAM expert needs to put himself in the shoes of either the user (logging in, how hard can it be) or the stakeholder (the project manager of a large IT project, requiring proper access and changes to authorizations, in time). One can mention technology, but always from a use or management perspective.
- Talking to the CISO and the security team, it’s about risks, threats and vulnerabilities. And about how IAM can aid in reducing the attack surface, reducing issued permissions to need-to-have, preventing segregation-of-duties conflicts and also monitoring actual use through user behaviour analytics. Often this conversation also includes audit and the auditability of the IAM processes and solutions that are in place. These conversations involve the risk managers and internal auditors. Technical detail can be part of the conversation, but always from a risk and security angle.
- Engaging with architects and policy makers can be a challenge, since it requires a more conceptual approach to technology and IAM services. One should not look immediately at the applicability of what is discussed, but much more at the longer term: what is required and desirable. Since these discussions are also about the guidelines and architectural boundaries that are defined, it can feel a bit restrictive. Yet when understood properly, as an IAM expert you can influence the architectural conditions in a way that benefits the service now and in the future. In addition, architects require a broad approach and (should) see IAM in the context of enterprise or IT architecture as well.
- The conversations with colleagues in the IAM department itself are more detailed. Be it with operational support processing requests and providing customer support, product owners, engineers (DevOps), service owners, customer representatives or managers. These are the internal conversations where the functional conversation and the technical conversation merge with the customer perspective on IAM and the management perspective on IAM. Here the IAM experts not only need to understand what services they deliver and how technological solutions enable them, but especially how the people work together and what the ‘dot on the horizon’ is for everyone. Since most colleagues in an IAM department have deep expertise and knowledge, it is essential to engage with them from a single starting point that combines all perspectives on IAM. (For this we’ve created at Rabobank four perspectives on employee IAM that guide everything we do.)
- Talking to vendors of IAM solutions, it’s about technology, integration and benefits for the organization. Not all vendors are open to discussing a functional perspective on IAM first, but the good ones are. They understand that their technology serves a functional and business purpose and that without it the technology itself is just expensive and not useful. As an IAM expert you need to know your technology but also be skilled in vendor management, discussing potential solutions not only based on a successful POC but also based on long-term maintenance effort, integration with legacy environments, the effort of upgrades and the (always lurking) risk of takeovers. Some products ceased to exist after the vendor was taken over by another vendor with a different focus.
And I can imagine that I’m forgetting some of the conversations that take place with Identity and Access Management as a topic.
Is it possible that this is one person? It is highly likely that it is not. When dealing with IAM, the range and spread of skills and competencies is so wide that you need a team. Therefore, for IAM I come back to the same statement that was also made for digital: digital success depends on people (not on technology). It’s almost as if I hear Richard Branson speaking: ‘take care of your employees, they will take care of your …’. With a solid team that has the right skills combined and is able to work together, you can fire the perfect shot. A team takes time to build, and the temptation is present to quickly shoot from the hip. But I would urge you to start slow in order to go fast later. Focus on the people and the team, and they will move IAM forward.