Navigate 2022: CISO-to-CISO Panel (Day 2)
Authored by Brian Royer, Content Marketing Writer
The Navigate 2022 Customer Panel: CISO to CISO proved one of our most popular sessions. It featured an expert group of CISOs who brought their unique perspectives on the best practices and successful outcomes they’ve experienced when taking an “uncompromising” approach to identity security, including Zero Trust.
SailPoint’s CISO, Heather Gantt-Evans, opened the session with research that found 96% of companies that have experienced an identity-related breach could have prevented or minimized it with identity security best practices. However, many companies are still getting their identity security basics in order, even as the business must prioritize identity security. As a result, the CISO often finds themselves at odds with the industry at the mere mention of Zero Trust.
The session assembled distinguished CISOs from a variety of organizations. These included: Omar Khawaja, CISO, Highmark Health; Mary Ann Blair, CISO, Carnegie Mellon University; and Greg Hall, Assistant Director/CISO, Department of Justice, Executive Office for the United States Attorneys.
Business Essential
Gantt prompted her panelists for advice on where to start setting a tone of identity security as foundational across the business for all stakeholders — not just optional or nice-to-have, but essential to properly securing the enterprise.
“What sets identity apart from every other part of security is that it defines both the brand and the reputation for the security organization that, ultimately, empowers users, internal and external, to interact with the organization at large,” said Khawaja. “If that experience is negative, for example, if the day they’re onboarded it takes forever for them to get access and their password isn’t working, they immediately think ‘these guys don’t know what they’re doing,’ and from there it becomes an uphill battle for security to be a positive experience for them.”
He added, “However, if we do things well like passwords, self-serve, roles, and automated provisioning, we find that ends up having a positive effect on the overall security brand so that when we do have an ask from technology leaders, they can say these folks know what they’re doing.”
“Identity security is ultimately and most importantly a business enabler. To speak in the language of the business and showing how identity helps the different business units meet their needs and goals by providing the right people access to the right information at the right time for the right reason,” said Blair. “When done well, it accelerates the time to business impact and mitigates business risk. It is the front door to the organization, and often the first experience community members will have. It must be business-driven and user-centric and meet the needs of a multitude of stakeholders.”
“The adage of garbage in, garbage out, is true,” said Hall. “We have to prioritize our data clean-up efforts. We must make time for process improvement and understand the relationship between data sources and critical business processes, as well as the people and devices and the data sources we have for them.”
Likewise, there are dependencies on foundational data sources that, while they can often slow down the initial time to value, can also serve as a living record of what’s possible when implementing successful identity security management.
Showcase Value
As Gantt framed it, a project of this caliber, length, and investment must showcase value across the business. She then asked the panelists for their recommendations on pacing the roadmap to showcase critical wins along the way, since that value, with its outcomes clearly articulated, can resonate powerfully with stakeholders.
“This might be counterintuitive, but outside of IAM, we should not be talking to stakeholders about technology,” said Khawaja. “All our reporting should not focus on what we did but why we did it; focusing clearly on its benefits and expressing quantitatively wherever possible. Let’s say we commit to giving the business a million hours of productivity back. To have that outcome, you need to improve the service — and that’s where we are allowed to talk about identity: did we fix the provisioning process? Did we fix the access review process? And then you have to quantify it. Did we make it faster, increase its quality, and give hours back?”
“My advice is to take every opportunity to showcase the value and take giant steps forward,” said Blair. “Opportunities can flow from positive events, a new line of business, or a new global campus. They can flow from negative events like a cyber incident. We like to say, ‘never let a good crisis go to waste.’ In some cases, we showcase how our program avoided a breach that has happened elsewhere. Showing folks how we dodged a bullet is important to message investment value. Metrics also play into the message. If you can gather pre-project stats like ‘time to onboarded’ and then compare them post-project, you can tell a qualitative story as well as a quantitative one.”
Showing value was also crucial for the members of Hall’s team at DOJ. “It was important for us to identify business applications that would immediately be integrated with identity security services so we could demonstrate value to the organization. It was also important for us to choose the right development methodology — in our case, that was agile — we could deliver continuous operational capability. Then we could engage other business unit leaders and demonstrate value for our identity security initiatives and programming.”
Zero to Hero
In the session’s final portion, Gantt proposed that identity security is critical for success in Zero Trust, especially as enterprise security begins and ends with identities. In turn, the panelists discussed how identity fits into implementing Zero Trust for their respective organizations.
“In a higher ed environment, we rarely have a perimeter. Instead, we have a residential environment on our network because our customers are on our networks, unlike other organizations. They’re on our networks during business hours, as well as non-working hours. They literally live on our networks. In fact, we’ve always treated our internal networks as the internet,” said Blair.
She added: “Safeguarding student credentials and access is as important as for faculty and staff. Identity security must support and enable that culture, including administrators who may manage their own sets of local accounts at varying levels of rigor. Identity security must support and enable that culture.”
Khawaja believes CX, or customer experience, is key to making a case for it in the business. “You have to engineer IAM for customer experience, just as much as Zero Trust – if the CX is poor, the ZT objectives will not be met sustainably. Think about it this way: just because we get more security doesn’t mean it’s a good thing. If we get more security at the expense of the customer experience, you’ve irritated your customers and motivated them to find ways around it, which could lead to higher, rather than lower risk.”
“It’s not all or nothing. Zero Trust has to fit in with risk-based assessment,” said Blair. “You have to trust some things — you don’t want to step up authentication with every transaction; rather, understand what’s normal. Based on an environment like higher ed with new research being done, new devices coming online, robots walking around the campus, and so on, all these dynamics require an understanding of what’s normal today but also an acknowledgment of where the business is headed and understanding how all of it affects security.”
Final Thoughts
As the session drew to a close, Gantt asked her panelists for their parting thoughts. Khawaja was reminded of something Nobel Prize winner Daniel Kahneman said. “If you do something bad, the negative value of that is significantly worse than if you do that thing well. So, in that context, when I think of IAM, we should focus more on eliminating pain than creating delight because eliminating pain has a way more positive impact than introducing new delighters. If there are cases where your customers, your business, your technology teams are in pain, find ways to eliminate that pain before you try and do something that’s really, really techy.”