CISOs Should Be Directing IAM Strategy — Here’s Why

by Umaimah Khan on October 25, 2024

Have you ever seen a beginner’s Rubik’s Cube? It only has four squares per side, and it’s much easier to solve than its nine-square-per-side counterpart. The comparison reminds me of how identity and access management (IAM) has evolved and how much more difficult it is to address for the modern enterprise.

Twenty years ago, the IAM strategy was more easily dictated by the IT department. However, enterprise security challenges have grown increasingly complex, and the threats to identities have too. Today, effective IAM must be a more stringent, security-focused strategy. While the day-to-day execution of IAM activities belongs to IT, the direction that outlines those actions should come from the CISO.

To understand why, let’s delve into the emerging IAM challenges companies face and how a CISO’s team is better equipped to address them.

Modern IAM Challenges are Too Complex for IT

IT departments traditionally managed IAM in a way that prioritized operational efficiency and user productivity. But as we know, that’s no longer an effective approach. The 2023 Google Cloud Threat Horizons Report found that 86% of breaches involve compromised credentials. Given the emergence of identity exploitation, it makes sense for IAM strategy to be built and owned by the CISO to ensure execution of IAM activities is aligned with the overall security strategy.

Because security teams are responsible for reducing risk stemming from unauthorized access and IT is responsible for granting that access, it only makes sense that IAM strategy should come from the CISO. This gives CISOs direct insight into who has access to what and, perhaps more importantly, what access needs to be remediated to reduce risk. Such remediation tactics may include unused access, former employee accounts that are still active, etc.

A common concern about this approach is efficiency. Security-focused IAM strategies are based on the principle of least privilege, which only allows systems and individuals access to what they need to do their jobs. Access requests and approvals are more time-consuming than simply giving employees access to everything on day one. However, a CISO-led IAM strategy doesn’t have to be a productivity drain. With the right technology, certain IAM jobs can be automated and managed within predetermined security rules. When CISOs are in charge of IAM strategy, they’re able to contextualize access statistics, like average access approval time, against security metrics to ensure optimized efficiency and protection.

The Benefits of CISO-Led IAM Strategy

Making IAM strategy the responsibility of the CISO aligns identity management with the broader cybersecurity strategy of the organization. And because CISOs possess deep expertise in both security and business, they’re in a unique position to ensure IAM yields both technical and business benefits.

Technical benefits:

Centralized oversight: By placing IAM strategy under the CISO’s direct control, organizations can ensure that IAM policies are aligned with the overall security strategy. This approach reduces the risk of inconsistencies and vulnerabilities.

Enhanced risk assessment: The CISO’s understanding of security threats and vulnerabilities allows for a more effective IAM strategy. This includes identifying potential attack vectors, assessing the impact of data breaches and prioritizing mitigation efforts.

Improved incident response: In a security breach, a CISO-led IAM strategy positions teams to quickly isolate compromised accounts, revoke access and implement containment measures to minimize damage. This rapid-response capability is essential for protecting sensitive data and maintaining business continuity.

Stronger compliance adherence: Many regulatory frameworks (e.g., HIPAA, GDPR) have stringent access control requirements. A CISO can ensure that the organization’s IAM practices comply with these standards, reducing the risk of fines and legal repercussions.

Business benefits:

Improved efficiency: Centralized IAM strategy can streamline identity provisioning, de-provisioning and life-cycle management processes. This can reduce administrative overhead, improve productivity and lower operational costs.

Enhanced user experience: By implementing CISO-led IAM policies and modern tools, security teams can give users a seamless and secure access experience, boosting employee satisfaction and productivity.

Reduced risk of business disruption: A strong IAM strategy can help prevent unauthorized access, data breaches and other security incidents that could disrupt business operations. Enterprises can protect the bottom line by minimizing downtime and mitigating financial losses.

Enhanced reputation: A strong security posture, including a well-managed IAM system, can improve the organization’s reputation and build trust with customers, partners and investors.

As security becomes an increasingly important business priority, enterprises’ methods of addressing it should be in line with other executive-level initiatives. By placing IAM strategy and enforcement under the CISO’s purview, enterprises can ensure that it is treated as a critical component of the overall security strategy. This approach will not only enhance technical security capabilities but also deliver significant business value through reduced risk, improved compliance and increased operational efficiency.