How do you choose which programs and solutions make sense in your cybersecurity program? Should you pursue penetration testing, increase employee training, or upgrade the firewall? All those solutions play a role in cybersecurity. However, if you merely choose the “flavor of the month” in security, you’ll miss the benefit of a security strategy.
First, Do This to Ground Your Cybersecurity Strategy in Reality
When you develop a strategy for your company, it’s easy to get lost in the clouds and theoretical debates. To prevent this problem, we recommend connecting your cybersecurity strategy to risk. Specifically, which IT security risks can hurt your organization? What measures do you have in place to reduce the likelihood and impact of those events? Use this short self-assessment to guide your work:
- What’s your risk appetite for cybersecurity? If you’re a bank, you may have a very low tolerance for failures. Other companies, in contrast, may be willing to accept an occasional failure.
- What specific IT security risks have you identified? When was the last time you thoroughly evaluated your organization’s IT systems? If the answer is never, or you can’t remember, you are probably operating in the dark.
- What are the most significant cybersecurity problems suffered by your organization? Learn your lessons from the company’s history with security. You might have struggled with password management. Alternatively, you may have had problems with access governance audits. Take some time to compile a short list of specific issues your organization has suffered.
With the above information in hand, review your cybersecurity strategy. Is it designed with your organization’s risk appetite in mind? Is it informed by your organization’s particular security exposures? You may find that your greatest gap relates to identity management. In that case, read on for advice on how to improve in this vital area.
Resource: Have you struggled with IT audits? Having an outside party review your security arrangements and find them wanting is painful. Instead of suffering through them, take a proactive approach and get your house in order first. Read “How to Prepare for an Access Governance Audit” for more on how to get ready.
Introducing Risk-based Identity Management
Maintaining a comprehensive identity management program is difficult. We’ve seen banks that attempt to do this manually using spreadsheets. Unfortunately, it only takes one or two managers forgetting their duties for your program to suddenly have a gap. Whether you’re optimizing an existing identity management program or implementing one for the first time, the following steps will help you manage risk.
- Review current identity management gaps. Find out the lay of the land before you start to make improvements. A few meetings with IT administrators and IT security staff will usually be enough to get you started. If they don’t have any identity management observations to share, ask about other security failures and gaps. In many cases, poor identity management is a contributing factor to other security problems.
- Evaluate identity management practices. Meeting with IT will only tell you so much. We recommend that you meet with front-line managers and a few employees to find out how identity management works in practice. To simplify the process, focus on new user setup as a use case.
- Identify high-risk systems and resources. This step is critical for large organizations where you have dozens of applications. Use the 80/20 principle to identify the 20% of your systems that pose the most significant security risk. As a rule, these systems tend to contain customer information and payment data. You might also decide to include IT administrative systems such as password management tools.
- Identify high-risk user profiles. Build on the step above by focusing on the highest risk users. We suggest including the following roles: IT administrators with administrative privileges, executive positions, and software developers. For more insight on privileged users, find out how to reduce your cybersecurity risk exposure by managing privileged users.
- Create a project plan. Now that you’ve found your gaps and have priority areas identified, start to build your project plan. Remember to include essential stakeholders such as human resources. Find out how to win HR support in 5 steps.
- Select an identity management software solution. The best way to achieve consistent identity management lies in using a solution such as Lifecycle Management. It’s built with segregation of duties requirements in mind so you can reduce risk.
- Monitor the identity management program. The work of cybersecurity is never done. To keep your program operating smoothly, ongoing monitoring is critical. What does effective identity management monitoring look like?
Optimize Your Identity Management Monitoring Program
Without ongoing monitoring, you’ll never really know if your identity management program is working. It’s the best way to detect and prevent problems early on. Use the following techniques to set up your monitoring program.
- Set goals for monitoring. On a strategic level, why do you want identity management monitoring? We see it as a way to detect risks early and reduce the likelihood of breaches. Your goals might also include responding to an access governance audit.
- Design monitoring reports. Simplicity is your ally when it comes to identity management monitoring. We recommend choosing a few data points such as training (e.g., what percentage of people managers have completed identity management training in the past 12 months) and compliance.
- Present reports to management. Writing a report – even a simple one-page dashboard – adds no value unless it’s presented and discussed with management. Make sure to set time aside to meet with managers to discuss identity management issues on a quarterly basis.
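As an added illustration (not code from the article or from any product it mentions), here is a Python sketch of the kind of monitoring report these steps describe: it checks the article’s high-risk user profiles against high-risk systems for overdue access reviews, flags an assumed segregation-of-duties conflict, and computes the manager training-completion metric from the previous bullet. The inventory, role names, system tags and conflict pair are all constructed sample data.

```python
from collections import namedtuple
from datetime import date, timedelta

# The article's high-risk user profiles; the SoD pair and system tags are assumed.
HIGH_RISK_ROLES = {"it_admin", "executive", "developer"}
HIGH_RISK_SYSTEMS = {"core-banking", "payments", "pw-vault"}
SOD_CONFLICTS = [{"create_vendor", "approve_payment"}]
AS_OF = date(2024, 7, 1)  # report date for the constructed sample

User = namedtuple("User", "uid role is_manager trained_on")
Grant = namedtuple("Grant", "uid system entitlement last_reviewed")

# Constructed sample inventory (the kind of data a spreadsheet-run program holds).
USERS = [User("alice", "it_admin", True, date(2024, 3, 1)),
         User("bob", "developer", False, None),
         User("carol", "executive", True, date(2022, 11, 5)),
         User("dan", "clerk", True, date(2024, 6, 20))]
GRANTS = [Grant("alice", "pw-vault", "admin", date(2024, 1, 15)),
          Grant("bob", "payments", "deploy", date(2023, 2, 1)),
          Grant("dan", "payments", "create_vendor", date(2024, 5, 1)),
          Grant("dan", "payments", "approve_payment", date(2024, 5, 1)),
          Grant("carol", "hr-portal", "read", date(2021, 1, 1))]

def stale_high_risk_access(grants, users, as_of, max_age_days=365):
    """Grants on high-risk systems held by high-risk roles and not reviewed in the window."""
    roles = {u.uid: u.role for u in users}
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted((g.uid, g.system) for g in grants if g.system in HIGH_RISK_SYSTEMS
                  and roles.get(g.uid) in HIGH_RISK_ROLES and g.last_reviewed < cutoff)

def sod_violations(grants):
    """(user, system) pairs holding every entitlement of a conflicting set."""
    held = {}
    for g in grants:
        held.setdefault((g.uid, g.system), set()).add(g.entitlement)
    return sorted(k for k, ents in held.items() if any(c <= ents for c in SOD_CONFLICTS))

def manager_training_rate(users, as_of, window_days=365):
    """Percentage of people managers trained within the window (the article's metric)."""
    managers = [u for u in users if u.is_manager]
    cutoff = as_of - timedelta(days=window_days)
    done = sum(1 for u in managers if u.trained_on and u.trained_on >= cutoff)
    return round(100 * done / len(managers), 1) if managers else 0.0

if __name__ == "__main__":
    print("stale high-risk access:", stale_high_risk_access(GRANTS, USERS, AS_OF))
    print("SoD violations:", sod_violations(GRANTS))
    print("manager training rate %:", manager_training_rate(USERS, AS_OF))
```

Each function returns a list or number that can be dropped straight into the one-page dashboard discussed above; in a real deployment the constructed lists would be replaced by an export from the directory or IAM tool.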
Identify Continuous Improvement Opportunities
In the course of creating identity management monitoring reports, you’ll find problems. To take your risk-based program to the next level, come up with suggestions on how to address the gaps. For example, you might decide to recommend a single sign-on solution to simplify security management. Find out how to get your SSO software project funded with a business case.