When the CISO of a large organization calls and starts the conversation with “you’ll never guess why I’m calling”, usually I do have a pretty good idea of why they called. Something bad has already happened. Even though organizations claim to know the best security practices, it does no good if pre-emptive actions are not taken. You must eliminate bad news from happening in the first place.
Like drivers before safety belt laws, organizations know being proactive about security saves. Yet, why did so many drivers not wear their belts? In the case of information security, the problem is not from a lack of awareness, but the prevalence of bad habits along with a failure to take the necessary preemptive steps to ensure security.
Security Should Not Interfere with Work
Thanks to bad habits and the dynamic nature of the enterprise these days to improve security, you must first change your culture. This statement may sound trivial, but it also explains why organizations do not change. More than anything, what is needed is an aware motivator. A Champion who can brings change and raises awareness to the dangers of the status quo.
A recent CISO phone call highlighted this point in spades when it was discovered that several employees used company laptops with account access to sensitive systems in a public hackathon.
Once the discovery was made, immediate action had to be taken. Terminations were the easy part. On the laptops, no access management was in place to audit activity. They had no ability to report the accounts and systems accessed during the hackathon. No one could say whether sensitive systems and data were compromised. It gets worse.
After the terminations, the organization had to manually track down access, passwords and privileges. They had no governance for searching out the users’ access to systems and sensitive networks. They had no mechanism for guarding against weak passwords. All total, they de-provisioned access to thirty-nine systems over a six week period and lost several employees.
With frustration peaking, the CISO picked up the phone.
Identity Management Provides Cost Effective Information Security
His first call was to a data forensics security company to detect unauthorized access. From the conversation, he learned it would take six months before work could begin and six to twelve more months for a solution – costing six figures to get started. This approach represents a reactive rather than a proactive approach.
An identity and access management (IAM) solution takes another approach to risks. With an identity management solution, access to systems is monitored and can be alerted upon request. As a for instance, if the discovery where made during the event, administrators could have been alerted. This would have allowed the monitoring of access during the event without interruption, and potentially provided valuable employee retention information.
This is just one example of how having an identity and access management tool in place would have mitigated this fiasco. Some other ways include: The immediate reporting on governance; Instantaneous de-provisioning from all systems with one click, and strong password policies with multi-factor authentication for privileged account access to sensitive systems.
You need security without interfering with the work. You also can’t wait for people to change. They take too long. You need to put systems in place now to safeguard staff and systems. It’s the only way to ensure security today. Most of all don’t wait to pick up the phone. I can save you on cost. Only you can save yourself from me guessing, “why you called.”
Begin your identity management initiative by following what corporate compliance experts recommend for the workflow automation of businesses processes, self-service administration and IT operations.