Should all technology matters in your company be centralized in a single function? That used to be an easy question to answer. However, the rise of cloud technologies has changed the picture. Now, every business unit can purchase their own SaaS licenses using a company credit card. Left unmonitored, your company can quickly take on far more IT security risk than you know how to manage.
Centralized IT vs Decentralized IT: Which Model Is Best?
Before we take a look at access management models, let’s take a step back to consider the more general question of centralized IT. Both of these models have their advantages. Let’s look at both models.
Centralized IT Model
The advantages of this model include full coverage of all technology in the company, volume discounts and better IT support. When all IT resources are centrally managed, there is a smaller chance of losing track of critical areas. However, there is a significant trade-off to the centralized model. Business users may find it difficult to get responses to their requests. They may feel that their need for innovation and process changes are not given the proper priority. That’s why we see the rise of decentralized IT.
Decentralized IT Model
The decentralized IT model manifests in a variety of ways. It could involve setting up multiple support desks, embedding IT business analysts in each division, and other arrangements. Alternatively, it might be something less structured, such as business end-users purchasing cloud services like software as a service (SaaS) licenses.
The main advantage of a decentralized IT model is speed and flexibility. When IT is closely linked to the sales department, for example, business users do not have to explain their needs in-depth every time they make a request. If a new app is needed, it can be purchased and configured quickly. There’s just one problem. Overall, enterprise matters such as IT security, contract compliance and related issues are unlikely to be managed effectively with a decentralized model.
Making Access Management Work Regardless Of Your IT Centralization Model
With IT security, you need to worry about the weakest link. For example, if a department has never gone through an IT audit, there is likely to be a higher chance of unmanaged risks. To make access management work, let’s step away from the centralized vs. decentralized debate for a moment. Instead, let’s ask a different question: how do we achieve effective IT security?
The answer is simple: everybody in the company has a role to play in supporting adequate IT security. When every person plays their part, the company will be better protected. Next, you will find out about the minimum roles and responsibilities you need for successful access management.
Defining Roles and Responsibilities In Modern Access Management
In this example, we will assume you are in a 500-person company with significant corporate functions.
● Access Management Team. The access management team may be a whole department or something smaller. This team has an overall responsibility to design access management, issue reports to executives and devises ways to improve the program. This team may also provide customer service to employees and managers who need help with access management issues.
● Managers. While they are not technical specialists, managers have an essential role to play in access management. When they receive an access request from their team, they play a role by asking: is this access required to do the job? For example, a reporting analyst probably only needs “read-only” access to systems to do their work. Besides, managers play a role in removing access when employees leave their departments.
● End Users. Ultimately, each employee needs to speak up when their access needs change. For example, if a person changes jobs, they need to ask colleagues and their managers regarding what access they need to request. Access management should be covered as a topic in your new employee training.
● Executives. Your senior management team plays a role by emphasizing the importance of robust security. They also need to play a role by proactively asking IT if they have the software tools and staff to fulfill access management effectively.
● IT Audit. It is difficult to detect problems in the systems you set up. That’s one reason why IT audit adds value — they bring a second set of critical eyes to your access management program. Ask them to review the program for consistency and take their recommendations seriously.
● Human Resources. In many companies, the HR department is responsible for employee training. Therefore, we suggest asking HR to provide coverage for access management fundamentals within your IT security training.
What Should You Optimize After Access Management?
Once everybody in the organization is playing their role in access management, celebrate! That is a major success. However, do not rest on your laurels for too long. The price of IT security success is constant vigilance. To keep your company safe from IT security incidents, here are some other areas you can improve next.
● Simplify IT Security For End-Users. Business users care about security to a degree, but they want to get their work done. Make life easier for them by implementing a single sign-on software solution. They will have fewer passwords to memorize!
● Improve Password Training. Passwords remain a critical part of adequate IT security. However, many people continue to use easy-to-guess passwords (e.g. 10 Easiest Passwords to Hack). Fortunately, you can reduce this problem substantially by delivering password training.
● Leverage A Chatbot To Handle Routine IT Security Tasks. Use an IT security chatbot to handle routine IT security tasks like password resets. Empowering end-users to get new passwords whenever they need them makes the IT department look good.
Even as you pursue other projects, make a note to return to your access management program regularly. At a minimum, we suggest reviewing your program annually. Check to see if all of the stakeholders — from executives to end-users — need more support, tools or training to maintain robust access controls.
