  • Discovering your “Edge” in Identity & Access Management

    Any way you look at it, IAM will become an increasingly important area of focus for IT and business leaders. We need a vantage point from which to see and better align IAM investment opportunities that will have the most impact on the ability of the business to compete and grow in the coming years.

  • Evolving The IAM Architecture

    To effectively address IAM requires that the organization be able to understand and engage with a dynamic, changing, and complex business environment. The IAM architecture must evolve to easily integrate with cloud applications, federate with partners, support multi-factor authentication and enrich authorization and access policies. Whether your organization likes to be agile, adaptive or lean, the IAM architecture must evolve to support the growth mindset that charges the business to increase revenues, improve efficiency, achieve regulatory compliance and embrace new operating models with the cloud and services in mind.

  • IT Reimagined – Better Governance Ahead

    If there is one thing we should be talking more about as an industry, it is that we need better governance and to talk more about integration, management and security shaping our priorities and stop all the whining about the end of IT.

  • From Gustav Mahler to Identity & Access Governance
  • Doesn’t Anybody Use IdM Standards Anymore?

As economic growth continues and the world becomes more connected in ways never before imaginable, so too does the frequency, probability and inevitability that sensitive data and applications will be compromised within your or your customer’s organization. To keep up with this state of constant change, you have to adapt, and change yourself in order to be effective and add value wherever you are. Eventually you will find that in order to take your efforts to the next level, you will need funding for your program, and that involves having some higher level conversations including keeping your CIO informed, if not pitching him to sponsor or fund the program you are trying to build.

Earlier this year I pitched a $6M multi-year IAM program to my CIO and the overall experience was so rich and rewarding that I wanted to dwell on it to discover what I might learn about being a more enlightened producer within my company. Lots of interesting conversations, seasoned with some challenges along the way, combined with blue sky thinking empowered me to present my work to my CIO with greater confidence and clarity.

I present the following five disciplines that you will need to get into the right mindset for imagining, developing and pitching your ideas to your organization’s leaders.

  • You are in the idea business – I spend 2 hours every day reading or listening to, thinking about and organizing news articles, white papers, audio books, emails and the like. You will need to put in the time to develop the vision, framework and model that will drive your organization’s IAM program forward. Nobody else has the expertise and knowledge of your domain, so it is up to you to evangelize and educate IT leaders and stakeholders on how the next generation of IAM will manifest inside your organization.
  • Get crystal clear on your purpose and mission – Your organization may give you a job title and annual performance objectives, but you will almost certainly burn out and never find true fulfillment in the work you do if you do not choose the work yourself or make sure that it aligns with who you are as a person. For example, “IT leader focused on the scale, security and governance of IAM” is a tagline I created to allow others to easily see who I am and what I care about in my professional life. This clarity of purpose and mission becomes the lens through which you and others will see yourself, and will lead you to important work.
  • Look at global trends – To become successful in the architecture and strategy role requires you to be hyper-focused on the future of IAM for your organization and how the undercurrents within the company and the larger industry put your IAM program at greater risk. Understanding the trends, such as mobile computing, software defined networking, integrated GRC, identity-as-a-service and big data science should help you to develop ideas about how the IAM of the future must evolve to enable your business. Global trends, or even standards on the emerging end of the spectrum, will spell demise for legacy systems and processes and create opportunities for others.
  • Integrate thinking and doing – It certainly helped my pitch to my CIO to be able to explain how I had already delivered a proposal for the IT projects review board for a multi-million dollar project that was accepted and approved. I never hesitated to remain actively involved in the work of the IT leader, identifying and taking on opportunities to drive the IAM program forward, at the expense of planning and strategy. The former is a rich source of insight for the latter and forms a powerful symbiotic relationship that is often lacking in organizations today.
  • Get supporters behind you – My wife asked me, on the day I was to present to my CIO, whether or not I was nervous about the big meeting. The truth is that I had rehearsed, reviewed and tested my ideas so many times with both sponsors inside the organization and mentors outside of it that there was no way I could be nervous. Not leaving anything to chance, I knew going into that meeting that collaborating with and getting on the same page as my CISO and VP of Architecture and Strategy would make my job of pitching a lot easier, and much less like trying to dribble a football down the court.

I admit that what I have described above might sound remarkably similar to the obsessive, compulsive control freak; the same horrible boss who in some organizations is unbearable to work with or gets him or herself fired for being unmanageable. But for those with an internal compass and the courage to navigate the murky waters with knowledge that what lies beyond is a clear blue sky with calm waters and white sandy beaches… to him the opportunity is given and rightly deserved.

They always say time changes things, but you actually have to change them yourself. -Andy Warhol

To hear me speak more about pitching IAM to my CIO and the rest of my Top 10 Lessons Learned, join me in my session at the Cloud Identity Summit in La Jolla, California on Monday June 8th at 4:00pm.

In thinking back over the year about what a wild ride it has been for the IAM and InfoSec community at large, there is no shortage of topics waiting to be addressed from the boardroom to the datacenter. Taking lessons learned from the headline breaches (Target, Home Depot, Sony) to emerging tech opportunities (POS, Internet of Things (IoT), Apple Pay) to dealing with challenges and problem areas in IAM, there is clearly a lot that can be applied and carried forward that will shape our work and our lives in 2015.

In thinking about our roles in this thing we call our work, it is easy to lose sight of how our assumptions and plans can be foiled and disrupted by threats and trends that you were not focusing on before. Many of the professionals I run into at conferences, especially vendors, tend to be focused on solving problems that their particular solution solves for without much respect to the broader concerns of the business. That is why it is important for IT leaders and architects to frequently spend time staying on top of what is happening in the industry, in business and in the world. As professionals who have responsibility for or a stake in IAM for your organization, we ought to care deeply about making sure that scale, efficiency and superior security are top principles that define our work and our legacy. As a business, not having these principles to guide investments in IAM will have a direct and immediate impact on customer experience and employee productivity. (more on this in another blog post)

If you are making the effort to find more meaning in your career, and to enhance your overall value to your clients or employer, then it is imperative to discover, develop and maintain our “Edge” in our chosen craft. My own experience with discovering and developing an edge started with writing and blogging on the management and strategy of IAM, and not the technology itself. It’s not that execution is not important, it’s that having peripheral vision and managing from this vantage point is a necessary and valuable activity. Most technicians (e.g. architects, developers, managers, etc.) who set their sights on architecture and strategy will not truly become liberated from their past lives and effective in the business of IAM until their peripheral vision is developed adequately. Mark Cuban, in his book How to Win at the Sport of Business, stresses, “It’s not whom you know. It’s not how much money you have. It’s very simple. It’s whether or not you have the edge and have the guts to use it.”

“It’s not whom you know. It’s not how much money you have. It’s very simple. It’s whether or not you have the edge and have the guts to use it.” – Mark Cuban

If you are focused on addressing the problems your organization faces today, you are focused on the wrong problem. As leaders, we need to be thinking about the new models and strategies that will entirely transform the way we do things today and help the organization become more agile and customer focused. One of the great opportunities today is to look at how an integrated view of IAM and GRC will begin to address issues that span a diverse range of applications and user experiences and make existing investments even more effective. One way for an organization to discover an edge is in the way it manages IAM through integration with GRC and automation within its own operations.

IAM spheres of influence

When I discuss this vision for the future of IAM with the leaders and stakeholders at my company, initial reactions range from blank stares to flat-out skepticism due to the magnitude of change (and potentially disruption) that implementing this model can bring to the IT department, and in some cases the business itself. For one, I don’t disagree that the effort is significant, will require a budget on par with a frontier investment, or that there is risk involved. Imagine if Elon Musk were the CIO or CISO of your organization; the pervading attitude must be “If something is important enough, even if the odds are against you, you should still do it.” (Hyperloop anyone?)

“If something is important enough, even if the odds are against you, you should still do it.” – Elon Musk

Any way you look at it, IAM will become an increasingly important area of focus for IT and business leaders. We need a vantage point from which to see and better align IAM investment opportunities that will have the most impact on the ability of the business to compete and grow in the coming years. This is not exactly something I can prescribe as each organization will have a unique set of challenges. On a professional level, you can begin with discovering your edge and doing the work of vision, architecture and strategy for your clients or your company. You can begin expanding your influence and credibility by starting the conversations with stakeholders and leaders in your company who will be involved in some way in your overall IAM strategy.

One place you might begin discovering your edge, if you haven’t done so already, is by reading this short paper I wrote on Managing IAM.

I am always happy to respond to questions either on Twitter, or in the comments section of this post.

All the best to you and your career in the coming year!

For those of you following the progress of my book Virtual Identity, I just completed Chapter 3 Evolving The IAM Architecture, and would like to offer a preview of the goodness to come.

To effectively address IAM requires that the organization be able to understand and engage with a dynamic, changing, and complex business environment. The IAM architecture must evolve to easily integrate with cloud applications, federate with partners, support multi-factor authentication and enrich authorization and access policies. Whether your organization likes to be agile, adaptive or lean, the IAM architecture must evolve to support the growth mindset that charges the business to increase revenues, improve efficiency, achieve regulatory compliance and embrace new operating models with the cloud and services in mind. All the while, the IAM architecture must evolve as the business evolves, taking the following opportunities into consideration:

  • The opportunity to transform the IT operating model from legacy to ITaaS
  • The opportunity to securely integrate with partners and 3rd parties, extending operations outside of the corporate network to business networks for distributors, resellers and developers
  • Replace legacy IAM stacks with more cost effective tools appropriate for the needs of the business
  • Applying IT policies consistently from server farms and infrastructure, to databases, ERP and HR applications, enterprise portals, mobile applications and the growing number of SaaS applications utilized by the organization
  • Monitoring, threat modeling, threat detection, remediation and governance for SaaS

These opportunities are not to be overshadowed by the threats and vulnerabilities facing organizations today, many of which were discussed in Chapter 2 Security Driven IAM. From an architecture perspective, we need to expect that nothing short of massive scale, security and governance of IAM will allow organizations to realize the full potential of IAM and GRC initiatives, integrating important high level capabilities as shown in the following figure, The Venn of IAM and GRC.

The Venn of IAM and GRC