2019 SailPoint Identity Insider Magazine - Magazine - Page 14
MATT KARNAS
Cybersecurity & Risk Practice Lead, Sila
Using Risk to Align IAM with Business Objectives
Why Alignment Matters
It is easy to see how an IAM initiative relates to your organization’s process, data, and technology needs. However, the connection between your IAM program’s direction and your organization’s overarching business objectives can be more difficult to spot. Don’t let that fool you – aligning IAM and business objectives is incredibly valuable both to information security and to achieving enterprise-level goals. Incorporating risk data into your approach can help you get there.
Tying your IAM program to business objectives provides overall direction, clarifies purpose, and strengthens executive sponsorship. Incorporating a risk-based perspective is a strong strategy to enhance alignment between IAM and business objectives and to communicate program value.
Using Risk Data to Demonstrate Value
Cybersecurity risk describes how much and how often loss is going to occur. It is typically calculated as Likelihood (Threat x Vulnerability) versus Impact (Loss Event) and expressed in qualitative or quantitative terms.
Understanding and using risk-related data can help your IAM program prioritize functionality, fine-tune direction, and measure business value.
• Prioritize Functionality: Review risks based on organizational objectives mapped to your IAM program.
  o Example: Increase the number of resources vaulting privileged accounts based on your organization’s priority to secure customer data.
• Fine-Tune Direction: Proactively automate protection into your current IAM processes.
  o Example: Ingest cybersecurity data to drive more frequent access certification of high-risk systems containing PII data.
• Measure Business Value: Discuss IAM business value in terms of reducing event loss cost and potential threat likelihood rather than reporting typical IAM statistics such as the number of accounts provisioned or entitlements revoked.
  o Example: “Based on our organizational priority to secure customer data, the IAM program has reduced potential threats by 25% and event losses by $100,000 through our privileged account management project this past quarter.”
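The three uses above, worked through as an added illustration that is not part of the article or of any SailPoint or Sila tooling: a short script that scores a constructed set of systems with the Likelihood (Threat x Vulnerability) versus Impact framing, ranks them, derives an access-certification cadence from the score, and reports a control's value as expected loss removed. The systems, thresholds and dollar figures are assumptions chosen for the example.

```python
# Added example: risk-scored prioritization, certification cadence and
# loss-reduction reporting for an IAM program. Every system, probability,
# threshold and dollar amount here is constructed for illustration.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class System:
    name: str
    threat: float         # annual probability that a threat acts (0..1)
    vulnerability: float  # probability the attempt succeeds (0..1)
    impact: float         # expected loss per loss event, in dollars
    holds_pii: bool


def likelihood(s: System) -> float:
    """Likelihood = Threat x Vulnerability, as the article frames it."""
    return s.threat * s.vulnerability


def annual_loss_expectancy(s: System) -> float:
    """Likelihood versus Impact, expressed quantitatively as expected $/year."""
    return likelihood(s) * s.impact


def prioritize(systems: list[System]) -> list[System]:
    """Highest expected loss first: where IAM functionality should land first."""
    return sorted(systems, key=annual_loss_expectancy, reverse=True)


def certification_interval_days(s: System) -> int:
    """Fine-tune direction: certify high-risk PII systems more often (assumed thresholds)."""
    ale = annual_loss_expectancy(s)
    if s.holds_pii and ale >= 100_000:
        return 30
    if ale >= 25_000:
        return 90
    return 365


def loss_reduction(before: System, vulnerability_after: float) -> float:
    """Measure business value: dollars of expected loss removed when a control
    (for example vaulting privileged accounts) lowers the vulnerability term."""
    after = replace(before, vulnerability=vulnerability_after)
    return annual_loss_expectancy(before) - annual_loss_expectancy(after)


# Constructed inventory (hypothetical systems and figures).
SYSTEMS = [
    System("crm", threat=0.5, vulnerability=0.4, impact=1_000_000, holds_pii=True),
    System("hr-portal", threat=0.3, vulnerability=0.5, impact=200_000, holds_pii=True),
    System("wiki", threat=0.6, vulnerability=0.2, impact=50_000, holds_pii=False),
]
```

Running prioritize(SYSTEMS) puts the CRM first, certification_interval_days gives 30, 90 and 365 days respectively, and loss_reduction(SYSTEMS[0], 0.2) reports $100,000 of expected annual loss removed by halving the CRM's vulnerability term.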
Five Steps Towards Alignment
The following steps will put you on the path to a business-aligned, risk-informed IAM program that advances business goals, increases organizational security, and clearly communicates its value.
1. Start with the business: Understand business objectives and how they map to the IAM program.
2. Understand your risks: Compile risk and asset-related information, and perform risk assessments.
3. Evaluate current and future state: Complete an IAM program assessment and build a roadmap based on organizational objectives and their related risks.
4. Implement change: Begin alignment project activities, including organizational change management to support stakeholders and end users.
5. Measure and report out through a business and risk lens: Demonstrate IAM program value through risk-related reporting.