Changing the Narrative about IAM and its Impact

In my last post I talked about my mission and how I am focusing on advocating the separation of Identity and Access Management (IAM) as a standalone business service.  I talked to a few friends since then, and the main question I received was how we get started.

Honestly, this is not an easy task given how IAM has been sold and described as a ‘Security Tool’, but with the methods in this discussion, we can start to change the narrative a bit about IAM and its use and impact on organizations.

But, before we get into that, I need to give a bit of background.  I had a business coach for a while who always talked to me about Neurolinguistic Programming (NLP).  Depending on who you read or trust, there are questions on the effectiveness and validity of NLP, but at its core, it:

‘…asserts that there is a connection between neurological processes, language, and acquired behavioral patterns, and these can be changed to achieve specific goals in life’

Well, that is a long way of saying words have meaning, and how we speak and communicate a topic can have different outcomes on our intended audience.  Anyone who has ever done sales knows this in terms of how you present, identify needs, and identify opportunities.  NLP takes that opportunity and makes sure keywords, presentations, etc. are used to enhance and focus on the issue to get a desired outcome (the sale). Arguably, social networks and other digital marketing take this to extremes with targeting and other content strategies.

In practice, when I am talking to friends, I’ll take a topic or something we are trying to get approved and make sure we have proper messaging around it.  For example, if I am helping someone and they have things like vulnerability, risk, threats, hackers, etc. as their primary messaging, I’ll quickly adjust to focus more on protection of assets, organizational improvement, less cost, etc.  Security is hard enough to sell; adding FUD is going to make people tense and make it more difficult to communicate the need.

Now, back to IAM: how do we start changing the messaging for IAM when, at its core, it has been communicated as a security tool?  Conversations like ‘Passwords’ or ‘IAM is the new firewall’ inherently speak security.  And, unfortunately, as soon as you say security, people tense up given the needs around compliance, audit, inhibiting ability, etc.  So, we need to start shifting the conversation away from security and more to IAM as a capability, and it starts with messaging.

Below, I have a table of a few of the key words and shifts I have been making recently to help shift focus away from security and more to IAM as a business enabler.

| Pillar | Point | Counter Point |
| --- | --- | --- |
| IGA | We need to implement Identity Governance to enforce and maintain compliance with organization risk and compliance policies and revoke access when needed. | We need to implement an Identity Governance program to enable employees to access data and applications on day 0 and maintain appropriate access based on job function and status. |
| IGA | We need a comprehensive Identity Governance program to enforce security policy across applications in the environment. | We need a comprehensive Identity Governance Program to get visibility into application access to enable better licensing, usage, and cost savings due to stale licenses. |
| Access Management | We need to implement Multi-factor Authentication to enforce security access and account compromise. | We need to implement an improved authentication process to enable employees to use passwords less through more modern authentication and access. |
| Access Management | We need to implement passwordless authentication to enforce risk based authentication and maintain compliance. | We need to improve the authentication experience for users to reduce password and authentication fatigue and increase usage of enterprise services. |

If you notice, in all my counterpoints, I do not say ‘Security’ or ‘enforce’ or other negative, restrictive terms, and have shifted the focus to more user and organizational experience.  This inherently speaks to the needs of HR and business leaders and helps move the conversation to their specific needs.

To my friends reading this, specifically in the security industry, don’t distress, I’m not advocating that we ignore security.  Security is going to be inherent in all we do in IAM, but this has to be a balance of selling security through enforcement or getting better security coverage through usage.  The idea being, if we improve the reach of IAM and other security tools, we’ll have better coverage overall.

In closing, the next time you are going into a meeting to get a project approved, or trying to communicate a need, take a step back and look at the messaging you are communicating.  Is it more fear or enforcement based, or need, outcome and improvement driven?  Taking this little step and focusing on the messaging can help shift the response and reception of your message and help things move along.
