Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Security Forum - Oct 22
Patrick Foley

Provisioning: Security’s First Step to Measuring Organizational Impact

Security is often accused, occasionally with merit, of being an obstacle to an organization’s business. While the drumbeat of cyber threats has at least raised the technology risk consciousness of many business managers, security professionals still have the challenge of quantifying how big an insurance policy makes sense for their organization. We will spend some time in a future article exploring effective security metrics, but one place where security can often measure both its impact and its benefit is in the provisioning process.

Several years ago, while working in financial services, we were under strict internal and regulatory duress to ensure segregation of duties and least privilege access for all associates who had exposure to investment data (about 4000 people). Unfortunately, the manual processes then in place required significant administrative overhead not only from the access administration team but, more distressingly from management’s perspective, from senior staff who were constantly barraged with access approval requests from a global user community. Needless to say, these manual processes were as ineffective as they were burdensome, as an almost constant stream of audit findings indicated.

As with many organizations, both the overhead and ineffectiveness of the access approval process became accepted enterprise costs and there was no organizational mandate to address the challenges strategically. However, one tactical approach after another failed to provide any lasting solution, and served only to increase stress on access administrators and approvers alike.

Security’s requests to initiate a strategic solution fell on deaf ears until we were able to use some previous lessons learned to make our case financially. While working a few years earlier in the corporate security function, we had sought to quantify the cost, in terms of lost productivity, of provisioning delays caused by not having a single user identifier and central identity store. While our methodology was pretty raw and
