The Role of CISOs In Identity Governance and Administration

Sagar Patel, Director Analyst at Gartner, discusses the importance of identity governance and administration in improving identity and access management and reducing the risk of unauthorized access.

Identity governance and administration (IGA) is responsible for the life cycle management and control of digital identities across a range of environments. Inadequate IGA integration directly reduces the effectiveness and outcomes of identity and access management (IAM), and with them the alignment of IAM to the cybersecurity strategy. It is therefore crucial for chief information security officers (CISOs) to understand the role and importance of IGA within the wider scope of IAM and cybersecurity.

To ensure IGA outcomes support the cybersecurity strategy and the overall cybersecurity program, CISOs must take the following steps into consideration.

Identify and Assess the Capabilities and Potential Value of IGA
There are some common and fundamental capabilities that an IGA solution should deliver. These include:

  • Managing the complex array of access rights and identity repositories within organizations, across their entire digital ecosystem.
  • Providing a policy-based approach to managing identity and access control.
  • Promoting automated user provisioning and deprovisioning workflows.

Based on the IGA responsibility and accountability model, the relevant stakeholders within the organization should agree on a clear method of measuring outcomes.

Failing to understand the key role of IGA and its associated challenges directly impairs the ability of cybersecurity to enable digital innovation and to support dynamic, scaled business objectives. It is therefore imperative that end-to-end, use-case-aligned performance and risk management metrics are established, measured and continuously reviewed for improvement and optimization. This approach should directly support business-driven change initiatives at greater speed and with greater accuracy.

Weave IGA Into Your Cybersecurity Strategy
CISOs must ensure that their current IGA capabilities are fully understood and proven, so that they can be aligned with the future cybersecurity strategy.

While IGA solutions and capabilities are highly valuable for most organizations, implementation can be challenging, expensive and time-consuming. It’s essential to gain a comprehensive understanding of what makes IGA deployments successful, before embarking on adoption.

CISOs must ensure that IGA capabilities are appropriately evaluated and tested within the context of the cybersecurity strategy before acquiring a specific IGA solution.

Integrate IGA’s Value into Your Cybersecurity Program
The IGA discipline exists to ensure that only the right people get the correct access to the required resources (for example, applications and data) at the right time and for the right reasons. CISOs must engage with their IAM colleagues to ensure that IAM outcomes align with the deliverables of the cybersecurity program.

Along with the IAM team, CISOs must establish simple, effective and defensible common criteria. This allows integrated value to be delivered by maintaining and continuously optimizing IGA's contribution to the cybersecurity program's objectives.

Effective IGA leads to dramatically improved identity process maturity, easier compliance and a reduced risk of unauthorized access. It also provides more visible and efficient controls over the identity life cycle administration processes.

To better understand and align IGA’s functionality to their cybersecurity program, CISOs must consider the following:

  • Identity governance: the processes and policies for access certification, segregation of duties (SoD) controls, role management, logging, access reviews, analytics and reporting.
  • Identity administration: account and credential management, user and device provisioning and deprovisioning, and entitlement management.
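To make the governance and administration functions listed above concrete, here is an added example (not part of the original article and not code from any IGA product) showing three of them as checks over an identity store: role-based entitlement resolution, segregation-of-duties detection, and the leaver control that a terminated identity holds no access. The role model, SoD rules and identities are constructed sample data; in a real deployment they would be pulled from the HR feed, the IGA role catalogue and the target systems.

```python
"""Minimal identity governance checks over a constructed identity store.

Added illustration only; the role catalogue, SoD rules and identities below
are constructed sample data, not taken from any organization or product.
"""
from dataclasses import dataclass, field

# Role -> entitlements granted by that role (constructed role catalogue).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "ap_approver": {"erp:approve_payment"},
    "hr_analyst": {"hris:read_employee"},
    "dba": {"db:admin"},
}

# Segregation-of-duties policy: entitlement pairs one identity must never
# hold at the same time (constructed; a classic create-vendor/approve-payment
# toxic combination).
SOD_RULES = [
    ("erp:create_vendor", "erp:approve_payment"),
    ("erp:enter_invoice", "erp:approve_payment"),
]


@dataclass
class Identity:
    uid: str
    status: str                       # "active" or "terminated" (from HR feed)
    roles: set[str] = field(default_factory=set)
    direct: set[str] = field(default_factory=set)  # grants made outside the role model


def effective_entitlements(identity: Identity) -> set[str]:
    """Policy-based resolution: role-derived entitlements plus direct grants."""
    ents = set(identity.direct)
    for role in identity.roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def sod_violations(identity: Identity) -> list[tuple[str, str]]:
    """Return every SoD rule this identity's effective access violates."""
    ents = effective_entitlements(identity)
    return sorted((a, b) for a, b in SOD_RULES if a in ents and b in ents)


def orphan_entitlements(identity: Identity) -> list[str]:
    """Direct grants not justified by any assigned role: access-review candidates."""
    role_ents = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in identity.roles))
    return sorted(identity.direct - role_ents)


def deprovision_actions(identities: list[Identity]) -> list[tuple[str, str, str]]:
    """Leaver control: a terminated identity must end up with zero entitlements."""
    actions = []
    for ident in identities:
        if ident.status == "terminated":
            for ent in sorted(effective_entitlements(ident)):
                actions.append((ident.uid, "revoke", ent))
    return actions


def access_review(identities: list[Identity]) -> dict[str, dict]:
    """Certification report a reviewer would work through, one entry per identity."""
    return {
        ident.uid: {
            "sod": sod_violations(ident),
            "orphans": orphan_entitlements(ident),
            "terminated_with_access": ident.status == "terminated"
            and bool(effective_entitlements(ident)),
        }
        for ident in identities
    }


# Constructed identities: a mover who accumulated conflicting roles, a user with
# an unexplained direct grant, and a leaver whose access was never removed.
SAMPLE = [
    Identity("alice", "active", roles={"ap_clerk", "ap_approver"}),
    Identity("bob", "active", roles={"hr_analyst"}, direct={"db:admin"}),
    Identity("carol", "terminated", roles={"dba"}),
]

if __name__ == "__main__":
    for uid, findings in access_review(SAMPLE).items():
        print(uid, findings)
    print("deprovisioning:", deprovision_actions(SAMPLE))
```

Each finding maps to one of the listed functions: the SoD hits go to the governance side for certification or role redesign, the orphan grant is what an access review exists to question, and the revoke actions are the administration-side deprovisioning workflow that should have run automatically on the leaver event.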

Adopting value-driven outcome metrics that map IGA outcomes to business-objective-driven cybersecurity program initiatives is a key aspect of achieving an appropriate level of assurance in your IGA and IAM capabilities.

Additional analysis on cybersecurity and risk management will be presented during Gartner Security & Risk Management Summit 2024 in Dubai, February 12-13.