Having an Identity Crisis? CISO’s Need to Own IAM

May 25, 2017

Within any company, we can find owners for every key function throughout the enterprise. If we ask, “who is in charge of human resources?” we know the name of the SVP or director of human resources will surface. If we ask, “who ultimately owns the uptime of our technology infrastructure?” our chief technology officer will raise her hand. If we want to know the strategic plan for product development, we can clearly articulate the rings of the organizational tree that represent every single leadership role supporting this function. Certainly, we know that the threat environment has changed at such a fundamental level that a chief information security officer now definitively owns information security.

Which brings us to a rather strange and dangerous conundrum. If someone today asked you who owns identity in your company, what would be your answer?

This simple question is the query that starts us on a path of complexities that are real and manufactured. This simple question, when answered and resolved, sends us on a trajectory of improved operations, a reduction in operating expenses and a stronger security foundation. When answered, identity and access management becomes faster, cheaper and safer.

Yet, it is the asking of this question and the search for the answer that shines the light on this conundrum. Everybody owns identity. And when everybody owns a function, nobody owns it.

Before delving into the question further, take a moment to think about every other critical security function in your organization. Can you imagine how effective your perimeter security, security event monitoring, threat analytics and intelligence, penetration testing or data loss protection efforts would be if ownership for the core fundamentals of that function were spread across a dozen owners?
How safe would your company be if one of those owners unilaterally made a decision to open a public-facing port on your network without following any processes or providing any notification? Yet, when it comes to identity, every day a manager in the line or in an HR function makes a conscious decision to backdate an employee termination that occurred four weeks ago. The employee’s manager forgot or was on vacation, and suddenly a unilateral decision due to a failed process and a failed series of controls leads to a former employee having persistent access to your network and applications for a month after being terminated. Distributed ownership of the pieces of identity results in major holes in your security program.

Many companies are beginning to acknowledge and recognize the causes of these fundamental weaknesses. For example, the help desk owning the administration access function for Windows credentials while HR owns the job description and possibly the job role definition causes this weakness. An outsourced security company owning physical access credentials while a payroll function owns the employee’s place of work and place of domicile addresses causes this weakness. An application developer embedding another employee’s access credentials into a line of code or the inability to distinguish an FTE from a contractor causes this weakness.

Chief information security officers and the companies they protect now realize this distribution of ownership drives the reality that IAM efforts do not result in the outcomes they need. In fact, 63 percent of breaches are still driven by the misappropriation of account credentials. CISOs understand that the simple summing up of application and OS accounts under a master account does not equal identity. In order to build a security program on a bedrock foundation, CISOs realize that the security function must set the rules, policies, procedures and standards for all key aspects of the user identity within a company.
And it isn’t just employees. Every individual that has a relationship with your company is no longer an outsider. The fact that they have a relationship with you makes them an insider, whether customer, supplier, outsource provider or food service company.

The time to take control of all of the levers of identity to drive a next-generation identity and access management control function is now. Are you ready to take that step? The success of your security program depends on it.

By: Richard Bird, Executive Director, Executive Advisory - Office of the CISO

Richard Bird is an information technology, risk and information security executive with more than 25 years of experience. In his current role as an executive director within the Office of the CISO executive advisory team at Optiv, he works with chief information security officers, boards of directors and senior executives within our clients as a trusted advisor helping to assess, develop, guide and improve information security management programs while ensuring alignment with business goals and objectives.