Identity security: turning overwhelmed into opportunity
Few companies or IT professionals doubt the value of good identity security. Instead, what they often struggle with is how to implement it effectively.
“Executives often say, ‘Where do we start? It’s too much, too big to bite off.’ The scale can feel overwhelming, but breaking it into phases is key,” said Elizabeth Melvin, Senior Product Manager, Identity Access Management at EQUINIX, a global digital infrastructure company specializing in data centers and interconnectivity services and operating on six continents with over 260 data centers in over 70 major metropolitan markets.
To make identity security less intimidating, Melvin shared her experiences and best practices in rolling out advanced identity security within EQUINIX at SailPoint’s Navigate 2024 conference.
“Identity security is transformational,” Melvin said. “It’s about enabling the business while reducing risk and improving user experience.”
Making the case for identity security
To make the business case for implementing identity security, Melvin highlighted the importance of breaking down the overall task into manageable phases.
- Discovery. According to Melvin, the first step is discovering and identifying the current state of an organization’s identity security. She recommended a combination of worksheets, workshops, and interviews to gather insights and pain points from different stakeholders across the business. It’s critically important to document those pain points and collect quotes that convey them and their impact on the business.
- Metrics and maturity. The next step is using tools like maturity models to define an organization’s current state and assess progress and identity gaps. Melvin highlighted how her team used a spreadsheet to track quotes and observations from interviews so they could use them to make the business case and check each one off once the new solution resolved it.
- Building an executive readout. Creating an executive readout to present the assessment findings is also essential. Melvin recommended that the executive readout include feedback, observations, recommendations, and value-cost savings. It should also include visuals to convey important points quickly and enable non-technical audiences to understand the value of identity security.
- Executing the program and tracking results. Once the assessment has been completed and a new identity security solution selected, it’s important to focus on delivering achievable milestones within a multi-phase deployment. Organizations should use satisfaction surveys and track metrics to demonstrate ROI and progress.
Creating a compelling framework
During the session, Melvin also presented a sample framework that organizations can use to organize an identity security assessment and build the case for deploying a new identity security platform.
One crucial point that she emphasized was the need to collect as many relevant quotes and observations as possible from employees that speak to the challenges and needs for identity security. Stakeholder quotes can be particularly helpful for aligning technical initiatives with business priorities.
“When I tell executives what the guy running a major part of the business said about their pain points, it gets their attention more than any technical explanation I can give,” Melvin noted.
Best practices for an identity security assessment
Melvin outlined several best practices and tips for optimizing the results of an identity security assessment. For example, she recommends focusing on critical and SaaS applications first, prioritizing the user experience, and aligning the proposed program with existing business initiatives and strategies. In addition, organizations need to track the program continually to help ensure its success.
Melvin also recommends conducting interviews and workshops with business stakeholders to learn about pain points and gain insight into identity security risks.
Using identity security to enable business
Ultimately, when it’s done right, investing in identity security isn’t just about controlling access. It’s about enabling the business. “We’re not just cleaning up data,” Melvin said. “We’re cleaning up the organization, making it more secure, efficient, and aligned globally.”
Learn more by viewing the full session
For more details, view Melvin’s Navigate session, including her Q&A section covering topics such as the timeline required for pulling all the data together, how to categorize data in a meaningful way, and how to determine the effort and resources required.