Identity First Modeling

I was talking to some non-IT colleagues recently in HR / People management and they were talking how challenging it is to attract, onboard, and retain talent.  They talked a lot about general resourcing challenges, but also got into challenges with the experience candidates and employees must go through from talent acquisition to pre-hire, to day 1 and beyond.  This is attributed to feelings by candidates of not feeling enabled, not fulfilled in their job duties, and general displeasure with companies and how they operated which forced them to seek employment elsewhere. In an article after that conversation, I read an article talking to Identity First Security and how that is used to lock down and enforce organizational security policy.  So, in short order, I talked to colleagues who had identity challenges and read something talking how this is policy; I have issue with this.

If you’ve seen some of my other content, I have two main themes (well, I talk about a lot of things, but am trying to focus on a couple themes).

1. We cannot respond with ‘No’ when asked for help and guidance on Identity (and security issues)
2. Identity is more than Security!

Given the above, I wanted to start the conversation on where Identity and Access Management is more than security, but should be viewed as a business infrastructure service.  Yes, Identity is a key component of our security plans and programs (and saying this is counter-intuitive to my security background), but we need to start abstracting Identity out to more than just an enforcement tool.  So how do we do this?

To start, we need to start building roles and responsibilities in organizations for Identity that does not have a Security overlay on top of it.  If we are part of the Security organization, we are viewed as a security tool.  Well, that seems odd given we have been fighting for years to get representation and we naturally gravitated to security.  But, with that gravitation and security backing, we have become a security service.  And, given most organizations I have worked with, security may not always have the best reputation.  Or, worse yet, may not have any representation.  So, if we want to become a business enabler as Identity professionals, we need to start standing alone as a technology, security, people management, and sales service. 

As we remove the Security moniker from the Identity function, we need to start building relationships.  I advise Identity professionals on four main groups they need to establish relationships with. This is more than just friendly conversations, these should be strategic and reciprocal relationships to help drive agendas.  The groups include:

1. Security:  Yes, I know I just said Identity should be moved out of the Security function, but Identity will remain a key component of the security program.  And, this is where Identity is going to get most of its requirements for the program to support the Security, Risk, and Compliance functions.
2. Technology / CIO:  Identity, and Identity services are going to be a key enabler for fast technology deployments and integrations.  The easier you can make the technology integration with Identity, and enable developers to release applications faster, you’ll have more Identity usage, better user experience, and less challenges across technology stacks. Think about devops and the reliance on secrets and workload identities, the easier you can make this, and more secure, technology is going to move faster and support the security function.
3. HR / People Management:  I have been doing Identity Governance for years, and my first meeting is always going to be HR.  This is usually the start for any JML operation in terms of getting an authoritative feed of employee and near-employee (notice I focus on employee only) and processing them accordingly within the organization.   Additionally, HR data is usually the basis for RBAC models and appropriate role provisioning plans. If you can make the employee experience better, and HR can use that as a selling tool, its win / win.
   1. This is one of the hardest and most disconnected relationships I see with Identity programs and professionals.  Often, when I facilitate these meetings, we are speaking different languages across teams so frustration sets in and challenges will continue. If you want to have good data, processes, etc., establish this relationship early and maintain it.
4. Sales / Marketing / Partner Management (SMP):  This is how you enable the business to make revenue.  Sales, Marketing, and Partner management is always viewed as separate function from core identity.  As such, when employees need to support those functions, we have hacks, risks, and run into issues.  When customers need access across functions, they have multiple logins, challenges, and bad experience.  As the core identity program is matured, this relationship needs to be established so you can enable the SMP team to do what they need (sell / build relationships) and build identity services.

Once you have the role and built the relationships, the last big item that needs to be done is establishing your plan and communicating it.  I am a huge advocate for Identity roadmaps and strategic BHGs.  This is your opportunity to take the security, technology, people, and revenue goals and build a service tier to support those functions.  This should be communicated to not only your consumers, but to leadership so they can see the value and direction of the program. 

Following this format, we can start to move beyond concepts like Identity First Security and just talk Identity First.  This will allow for cross-functional identity programs that support more than security, but also support people, technology, and the business.