My near-philosophical musings about the world in general, its problems and possible ways out.


IAM, a purely organizational task

Identity- & Access Management (IAM) is quite often regarded as just another part of information security management (ISM).

Information security management in turn often suffers from a not entirely positive reputation. Well, everybody agrees that some level of information security is necessary after all. But on the other hand we have to carry the heavy burden of high cost and key-person effort. Most often no one in the corporation is able to prove with reasonable certainty to what degree it contributes to corporate success. On the other hand everyone can feel in their daily life that strict security measures slow down the affected activities and introduce inconveniences. Moreover, vendors in the information security arena tend to sell their products via the fear factor, putting unsavoury pressure on top management.

Oh my god, not a very pleasant situation, for IAM as well.

But wait a minute, there is a solution. No, even two of them.

First of all, there is a way to tie information security measures to corporate success, if they are done right on top of a delivering OpsRisk (see my previous post:

Second, who said IAM is an integral part of ISM? Well, IT needs to implement IAM controls in order to maintain a certain security level. There is some operational pressure to be felt in IT, being the last element of the chain. “OK, if you need it, fix it. Don’t bother us with such trivial down-to-earth tasks. We have to keep the business running after all!” might be a typical response from the other departments. So again the big finger points at the poor IT people. They are in charge now; they have to carry the burden. And quite often they fail.
But why not IT?

IT people most often are technical people. When they think of IAM they think of implementing an IAM system. And more often than not IAM projects start exactly that way, looking for a system to solve the problem. And now the trouble starts. Having a closer look at the distribution of the effort, we can easily recognise that the major part is sunk into processes, roles & rules, policies and responsibilities: pure organisational stuff.

But who is mandated to (re-)organize the corporation? Most often IT is not in charge of tailoring and optimizing business processes, defining the roles of process actors or issuing business policies. So who is?

For me it was fun to ask this question again and again at different companies. Quite rarely did I receive a convincing answer.
  1. IT, as pointed out, most often is not mandated for corporate change.

  2. ISM has quite a narrow focus on information security. Well, it’s their job. But they will not be of much help in unleashing IAM’s true power as an enabler for business automation.

  3. HR could be regarded as the natural host for identities and their attributes. But HR people quite often don’t share this view. To make things worse, they typically are not known for true real-time behaviour but rather think in payment cycles.

  4. The business departments on the other hand tend to have a narrow focus on their LOB and the operational business. They don’t feel in charge of conceptual cross-corporate activities.

  5. We found a better fit when it was assigned to the COO, corporate governance, the corporate change function or similar high-level cross-company functions.

IT, unless mandated otherwise, you had better focus solely on the implementation. Keep your fingers off the corporate change.

But in the majority of corporations there is still some homework to be done by one of those high-level corporate functions. Maybe they end up with a new function.


No risk no business

Just recently the Gartner group reported shrinking IT security budgets, by 3 to 6%. Only identity management is the exception. Identity management, or, let’s be a bit more specific, Identity- & Access Management (IAM), a part of IT security? Hmmm …

Maybe the IT security budgets were already inflated? Gartner further writes that on the other hand the related threats to IT security have increased. But do rising threats already allow for a satisfactory justification? Well, not really.

No risk, no fun, we once tended to respond to our parents when they hinted at the dangers of life. No risk, no business, we could translate this saying into the economic space. It’s true that we can only have total online security if we cut all lines to the cruel outside world. And if we followed the advice of the IT security professionals in our own companies, we could just as well shut down our business.

But is there a right measure? There must be an adequate response to IT security threats, right? But how to find it?

Well, the answer is simple. But it is not as easy to follow the advice: IT security measures can only be argued to be adequate if they are defined and implemented on top of a functioning operational risk management (OpsRisk).

This is not an easy task. That’s what we can conclude from observations in market sectors where (some kind of) risk management is mandatory, e.g. banking or the insurance sector. Let’s take the compelling suggestions from the Basel II accord to introduce sound management for credit risks, market risks and, well, if there is still time and capacity, for the 3rd pillar: OpsRisk. Or the insurance sector: risk management is the very heart of the insurance business. This is true for the probability of damages (= risk) to insured objects like cars, houses or living human bodies. But when it comes to OpsRisk most of them find themselves barely covered.

  1. First, risks are tied to a stochastic view of the world, rather uncommon for most of us, even the few mathematicians among us.

  2. Second, operational risk, as implied by its very name, refers to all operations which are performed in our day-to-day business, I dare say often unconsciously. And those are quite a lot.

  3. Third, OpsRisk is a very basic discipline at the very base of the corporate pyramid. It is hard work, touches a running business (which you should never touch) and doesn’t deliver quick wins.

But once we have established an OpsRisk management function and made it run and, finally, deliver. Once we have established a database covering all classes of damages that looks sufficiently far back into the past. Once we have customized our risk model so that it hopefully goes beyond the common VaR approach and covers the “fat tail” of rare but high damages as well. And once the business even understands the signals emitted by those esoteric risk people. Well, then finally we have a valid basis to justify risk mitigation, and IT security measures are just a part of it.
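To make the remark about VaR and the fat tail concrete, here is a small added illustration that is not part of the original post: it computes an empirical value at risk (VaR) and an expected shortfall (ES) over two constructed loss samples, one heavy-tailed (Pareto) and one thin-tailed (exponential), and shows that a VaR figure alone says little about what the rare, very high losses actually cost. The loss amounts, the distribution parameters and the 99% confidence level are assumptions chosen for the illustration, not figures from any real loss database.

```python
"""Added illustration (not from the original post): VaR versus expected shortfall
on a heavy-tailed and a thin-tailed operational-loss sample.

The samples are built deterministically from closed-form inverse CDFs evaluated
on an evenly spaced quantile grid, so the script runs offline and reproducibly.
All parameters are illustrative assumptions.
"""
import math


def _tail_start_index(n, alpha):
    """Index of the first loss belonging to the worst (1 - alpha) share of the sorted sample."""
    if not 0 < alpha < 1:
        raise ValueError("alpha must lie strictly between 0 and 1")
    return min(n - 1, math.ceil(alpha * n) - 1)


def empirical_var(losses, alpha):
    """Empirical value at risk: the loss amount exceeded in only (1 - alpha) of all cases."""
    ordered = sorted(losses)
    return ordered[_tail_start_index(len(ordered), alpha)]


def expected_shortfall(losses, alpha):
    """Mean of the losses at or beyond the alpha-quantile: what the tail costs on average."""
    ordered = sorted(losses)
    tail = ordered[_tail_start_index(len(ordered), alpha):]
    return sum(tail) / len(tail)


def pareto_losses(n, x_min, shape):
    """Heavy-tailed sample: Pareto inverse CDF on the quantile grid (i + 0.5) / n.

    With shape < 2 the distribution has infinite variance, i.e. a pronounced fat tail.
    """
    return [x_min * (1.0 - (i + 0.5) / n) ** (-1.0 / shape) for i in range(n)]


def exponential_losses(n, mean):
    """Thin-tailed sample built the same way, as the comparison case."""
    return [-mean * math.log(1.0 - (i + 0.5) / n) for i in range(n)]


def tail_report(losses, alpha=0.99):
    """VaR, ES and their ratio; a ratio well above 1 signals a tail VaR does not describe."""
    var = empirical_var(losses, alpha)
    es = expected_shortfall(losses, alpha)
    return {"var": var, "es": es, "es_over_var": es / var}


if __name__ == "__main__":
    # Assumed parameters: 1000 loss events, smallest Pareto loss 1000 currency units,
    # shape 1.5; exponential mean 1000 currency units for the thin-tailed comparison.
    heavy = pareto_losses(1000, 1000.0, 1.5)
    thin = exponential_losses(1000, 1000.0)
    for name, sample in (("heavy-tailed (Pareto)", heavy), ("thin-tailed (exponential)", thin)):
        r = tail_report(sample)
        print(f"{name}: VaR99 = {r['var']:,.0f}  ES99 = {r['es']:,.0f}  "
              f"ES/VaR = {r['es_over_var']:.2f}")
```

Both samples have a similar-looking 99% VaR, yet for the heavy-tailed sample the average loss beyond that threshold is more than twice the VaR, while for the thin-tailed sample it is only slightly above it. A loss database and a risk model that report ES (or another tail measure) alongside VaR therefore give a much more honest basis for deciding which mitigation, security controls included, is worth its cost.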

Are IAM investments then covered by this justification as well? Good question. But this post is already too long. So you had better stay tuned and look out for my next post.