Learn how to establish Business Process ownership in a typically technical and audit-driven industry, and how to put emphasis and focus on business outcomes from an IAM Program.
Thank you so much, and presenting the final thing before a coffee break is always nerve-wracking. But as Martin said, my name is Marcus. I'm a business process manager at Swedbank. So we are a small team of process managers trying to talk about identity for our business stakeholders and also demonstrate the business value from that. At the top of our food chain is actually the CISO. So whenever we are talking business value, we are talking about it from the CISO perspective.
So what that means is that the CISO has quite a clear strategic direction, a lot of focus on business experience as well as efficient governance. So for us, those are some of the key points that we've had to adopt for the last 12 months and really transform quite rapidly, given a lot of the threat scenarios that are also affecting us as an organization. Swedbank is quite a large bank and is serving quite a lot of customers, private and corporate, as well as having a lot of branch networks. We are in most cases also a society-critical function in our home markets.
So when we do it in identity, we need to make sure we are very well aware of our threats, and as I said, we don't really want to first establish an IAM strategy but rather adopt the strategic direction of our security function. And that means we need to know what the CISO and the group are aiming for when it comes to security. And for us in identity, it's then a matter of adopting that and really making sure we talk the talk and walk the walk. When our CISO or executives are talking and thinking about identity, this is what they pitch.
This is not our sales and marketing guys, this is the executives talking. So for us it sort of also becomes what we sell. We don't sell the breaking into premises, but we sell the prevention of unauthorized users being able to log in. And that really means we are encompassing threat actors and any other potential risk event for our organization with our security direction. This is what we have to adapt to with us in the security function.
Being one step ahead of threats while making sure everyone in our group is aware that security is everyone's responsibility, we have a number of focus areas already crystallized for us. So when the previous panels today that I've listened to talk about architecture and other aspects of what comes first, I think we've had it quite clear for us in the last 12 months that we have three key goals, and even objectives and key results, already cut out for us. And they're about trust, simplicity and empowering the people working for us to do the right things when it comes to security.
And when it comes to how our strategic influences are sort of collated and continuously evaluated, we have three landscapes. We have the regulatory landscape; given we are a financial institution, we have a lot of regulatory demands and requirements. We have the market and the tech landscape where we are pushing and doing our strategic tech investments. And the final one is the threat landscape: what are the threat actors doing when it comes to identity and access management, exposure to external and internal threats?
And those three are what our executives and management boards are considering when it comes to anything from prioritization topics, budget topics, and any other sort of aspect of when they need to make a decision. So it sort of means for us that for us to succeed, we need to understand that context of strategic tone from the top, but also we in identity want to focus on how we best leverage the identity capabilities and the outcomes from those that we believe will best serve our workforce.
So how do we recognize those outcomes while also being able to demonstrate value from the strategic direction we have? And we believe, and our pitch and story is regarding how we believe, identity security is our key enabler to reduce risk and deliver this fantastic business experience for everyone. We do know all of our IAM capabilities the best. We know what fundamental capabilities we need before we start running into the AI, ML and all of the other cool stuff. We need to have this central, robust governance in a way that enables everyone to do the right things within the given risk tolerances.
We need to be able to demonstrate for every auditor and regulator that we have this holistic visibility and accuracy and completeness of everything that has to do with user accounts and access rights, whether it be carbon or humans or any other kind of entity. And there will be, as we also heard, a difference between what the business wants in terms of the happy paths to glory and to Barbie, and also then what the tech teams want when they're building and enabling the group to do what they need to do.
So as I talked about the strategic landscapes, when we craft our processes, control frameworks and other fantastic things, our process of defining what we need to do goes through these landscapes in one way or another, either several times or just once if we are very clear. So the regulatory landscape for us is quite clear. We have a lot of the DORA, PCI and all of the other kinds of financial reporting duties. We have our internal and external initiatives and radars and platforms and positioning of where we want to be going.
And then we also have our threat landscape, where we are being informed which threats must be mitigated most urgently. So when it comes down to prioritization of what needs to get fixed today or tomorrow, that is sort of where we also are very much influenced by that landscape. And it all sort of comes down to the end point about what a good business experience looks like. Do we want everyone to always do MFA prompting? No. Do we want to have the most cumbersome processes to do onboarding?
No, but we need to make sure we are able to show how we demonstrate a good business experience while managing all of these landscapes and shapes and influencers. So one of the most recent examples we have, and I would say we managed very rapidly to gain business understanding of is that we crafted our problem statement for a risk that justified what is the business value of us investing in this one thing, let's say multifactor authentication and new tokens. Then we talked about what is the current threat exposure of us not doing MFA properly?
What threats have we not been able to demonstrate that we are mitigating, and do we have any regulatory findings or regulatory requirements that force us to have MFA for everything? Yes we do.
All right, what is the solution? Fix it. So we are able to craft the statement of the problem and also bring it back into the solution in the same way. We can deliver business value by reducing and mitigating the threat actor's possibility to introduce undecided risk and risk events. And we can also exceed the regulatory expectations that are being put on us while also making sure we have the best possible business experience.
And this is one way for us that we've been able to, from a governance and process perspective, bring together our business stakeholders and architects and IAM product teams and our workplace functions in a way that we agree what we need to do and why. And for us that has been a really fantastic way to adopt our strategic direction, explain to management why we want this and get them to accept it.
And that is sort of coming into the next part, because we do want to be able to do governance by design without having to know exactly what goes on in each IAM capability, but rather focusing on what is the right thing and not having to always end up in this cognitive overload of the what-if scenarios: what if this, what if that. Well, let's just agree that we have a process, and that process includes a number of controls, and we are leveraging the best possible technical capabilities we have to solve those challenges and problems.
So our approach to IAM governance for the last 12 months has been not just to align with the strategic landscapes, but also building into supporting the business objectives, whatever they might be. We need to know what those are so that we, from an IAM perspective, can help realize them. And either we go to our architect community or we go to other management boards and ask them: what is it we need to do? What are the objectives and key results? And it sort of helps us to really consider what we need to do about operational risk. We are very much a risk-based and risk-aware organization.
So we absolutely love to talk about risk in any possible way we can. And if we can argue that we can reduce operational risk in non-financial transactions, then fantastic. Then let's talk about how we manage our risk exposure. And the final part is sort of bringing in our friends over in architectural and technical teams: secure by default, secure by design, or any other kind of "do the right thing once" in digital transformations is sort of where we want to be one step ahead as well.
We want to know that our processes, controls and frameworks are building one solution that is possible to scale, to integrate, to adapt and to consume without causing too much of a security burden. And that is really one of the few areas where we are able to see that we are getting traction, because it takes time to establish the trust relationship from governance and process into all of these important stakeholders, to understand what the executive wants, where our risk functions are currently looking, and then finally, where the technical landscape is pushing us.
And since we are working in our governance function, we need to have our models and frameworks very much easy to understand, digest, and act upon. So I wanted to include an easy plan, do, check, act just because we don't need to overcomplicate how we build out a process or a framework. We need to understand what our surrounding requirements and needs are. Do we have any frameworks and standards we can rely on?
If we do, let's not reinvent NIST or ISO or anything else. Let's just plan to execute and communicate that this is what we're gonna do, this is what we want to do, how we want to do it, and now we're doing it. And then all of a sudden people have realized that, oh, we have a clear model now for how we do governance when it comes to MFA. Good, uncertainty removed. I think for the last few months we've gone through this cycle a number of times in a very broad range of capabilities which sit within the IAM domain.
And it's very nice to see that when we bring a consistent approach to build a process or a control function, it sort of makes it easier when we are discussing with our architects and technical teams what it is we want them to achieve. If we have the process and they have the technical means to deliver the outcomes we need, then we can prove it to everyone who needs to see it: that this is what good looks like, this is how we do security by default, and this is how we can also prove that we have visibility, traceability, and auditability in our IAM capability models.
So bringing it sort of back to the focus areas of the CISO. So we have three bullets about what the primary objectives and key results of our security function are and how we see it, where we bring the value into that team and that function and that reporting is that we can maintain improved stakeholder trust with our supervisory authorities, with the workforce and our colleagues, and in how we present our solutions and capabilities to our third parties and partners. So if they trust in our capabilities, we are doing the right things.
If the supervisory authorities and auditors and others are able to say, yes, you are good to go, you don't have any deficiencies in your designs, then we are achieving the strategic goals of our security function. Simplicity when we can do the right thing for the many colleagues, partners, and customers.
Because if they don't need to know all of the details of how complex an IAM process is, they just know that they tap a button and we do the magic, then I think we have won, because users want to know that they are safe and secure in their work, and we think we can provide that in securing all of their devices and assets and accounts. And we should be the enabler for efficient business developments.
Not the department of no, not the department of uncertainty, but we should really focus only on how we achieve simple, safe, secure processes while maintaining all of our regulatory demands and threat events at the same time. And the final part is something we are sort of slightly not saying, but a lot of people are saying that identity is the new perimeter. I mean we are more oriented towards empowering people to strengthen security, because we believe that each individual in an organization can help us with good culture.
And if they are competent to know what to do and how, what the right thing to do is, then we have 16,000 security champions in our organization, which is really good. And that is sort of how we can see that with clear governance, we can also tie everything we want to do back into what the security team needs to do for us to be able to win against the threat actors.
So the three final points that we are looking out for and really striving for are that we are looking for alignment with the security function's strategic focus, so that our IAM direction doesn't need to be its own, but rather we adopt what the security direction tells us to. We want to build our identity processes with a focus on how we enable the business experience while building in and integrating and almost hiding all of the regulatory demands, the technical complexities and the threat events that we need to remove all protocols from.
And the final part is that we need to be able to prove that all of this is working through all of the external requirements that are put on us as an organization, so that we have efficient governance and clear procedures and a good way to prove that we are in control of our IAM and security processes and capabilities. And this is our pitch. We believe security is everyone's business, and through IAM we are making sure that everyone is fully on board and understands that they are a part of our defense. Thank you for listening, and I appreciate the attention. So, questions from the audience?
Otherwise I have some here. I'll pick one because I think it fits the final picture here. And you also talked about your 16,000 security champions, which I by the way like, because I think one of the dumbest sentences we can use is "the human is the weakest link." You discourage people and you disillusion them. So better think about it the other way around. So what would you like to highlight: specific initiatives on empowering users to strengthen security?
I think for us at this point in time, it's about how we work with our security awareness and culture teams.
Because whenever we need to talk about security, how to do security well, it tends to come back to passwords. So one of the most read articles and fourth pieces we have internally is how do you do passwords? What do you do, how do you store 'em, how do you create 'em and what should you do? So we have for the first time a formal opinion on how we do training on password management. And I think that has been sort of a part of telling everyone: this is what you should be doing, this is what we think is safe and this is what we think is good for you and for us.
Okay, thank you, Marcus.