You want to improve your cybersecurity defenses. There’s just one problem. There are many different security products and projects you could start. Is access governance the right project? To guide you through the decision-making process, use the questions in this article.
Know Your Organization’s Priorities and Context: Going Outside the IT Department
Your IT project ideas do not exist in a vacuum. Instead, they need to be seen in the broader context of your company’s resources and goals. Ignoring this context is one of the reasons why IT professionals are sometimes labeled as not being business oriented. Before you propose an access government project, get the lay of the land using the following three questions.
1) What are the organization’s goals for the year?
Highly successful organizations focus on goals, and your company is no different. Examples of company-level goals include:
- Financial performance. Achieve 10% growth on last year’s revenues or profits.
- Strategic Goals. Establish a new strategy, such as outsourcing a few functions.
- Product innovation. Develop and launch a new product into the market. IT resources may be needed to support the launch.
- Talent. Whether you are running a startup in San Francisco or managing a New York bank, attracting the right talent makes a huge difference.
If you are in a public company, check the organization’s annual report. If that document is not available, ask other managers about the division’s goals.
2) What is the organization’s appetite for technology and innovation?
Does your organization love to innovate and experiment with new technologies? In that case, securing approval for an access governance project is going to be a walk in the park. At least, so you might imagine.
In reality, there are always more exciting ideas available than resources. To discover your organization’s actual appetite for new technology, look for the following points:
- Maintenance vs. innovation project spending. Some amount of technology spending is needed to keep the lights on. The critical question is whether the organization is funding innovative projects. Even if the organization is only focused on maintenance, cybersecurity is still needed.
- Recent cybersecurity experience. What cybersecurity incidents has the company suffered in the past year? Recent attacks and data loss events are likely to increase the appetite for access governance.
- Staff changes. The number of staff changes (e.g., new hires, changing jobs, layoffs) increases the need for access governance. Ask HR for data on this point or do a quick straw poll with a few managers.
3) What is the organization’s change management process for technology and cybersecurity?
Funding an access governance project is no small decision. You will be changing some of the core security processes and technologies in your company. Before you start investigating supplies, find out the internal process for implementing change.
The following points will get you headed in the right direction.
- Change management professionals. Some larger companies are investing in dedicated change management professionals to guide their people. If your organization has such experts, ask about their capacity to support an access governance project.
- Number of recent cybersecurity changes. If you overwhelm your staff with new cybersecurity processes, they will struggle to remember all the new rules and requirements. Ask both cybersecurity managers and business users how many IT and security changes they have gone through in the past year.
- Training support. As a technology professional, you might find access governance easy to understand. Your business users may find it harder to understand. Check to see what kind of training support you can leverage internally and from outside providers.
Define Your Approach to Access Governance in Three Questions
By going through the steps described above, you will understand your company’s goals, resources, and interest in technology. To fund access governance adequately, make sure you answer the following questions.
1) What access governance software solution will you use?
Your software development team probably does not have the capacity or expertise to build an access governance solution in-house. That means you will need to buy a solution. Of course, we recommend Compliance Auditor. It is made with the needs of auditors and corporate governance in mind.
How do you make sure you are making a smart buying decision? Use these resources:
- When Access Governance Fails: Lost Time, Lost Money and More Hacking Incidents. This article underscores the cost of weak access governance — share this with your skeptical colleagues.
- Do They Get It? Assessing a Vendor’s Industry Experience. Working with a vendor who gets your industry saves you time and money.
- How To Work With Procurement Without Tearing Your Hair Out. Yes, there is a way to work efficiently with the procurement department.
2) What implementation effort is required to put access governance into place?
Buying new technology is only the start of the project. You will also need to organize an implementation project. At a minimum, think through the following points:
- Project Charter. This high-level document describes the overall rationale for pursuing access governance.
- Project Champion. Nominate a business executive to support access governance — ideally someone who truly understands the project’s value.
- Project Manager. On a day-to-day basis, you will need a single individual to plan and run the project.
- Project Team. We recommend asking your project manager to develop the team and provide them with the support they need. If the project manager has difficulty recruiting staff, involve the project champion in building the project team.
- Project Budget, Schedule, and Scope. These three elements define the parameters of the access governance project. If you have a small budget, give your staff greater flexibility on scope and schedule.
Now, what happens after the project is complete?
3) Who will own enterprise responsibility for access governance after implementation?
Once the access governance project is complete, who will take responsibility for keeping it going? Forgetting this point is a typical failure project in many technology projects. We recommend nominating a single manager to oversee access governance for the next year. At that point, you can reassess if your arrangements need to change.
