5 Lessons from Gartner Security and Risk 2019
1. Regulatory Roadblocks
While IT professionals know that governments are increasing their legislative control over data privacy, the growth of regulatory demands is likely to become a roadblock to digital transformation and cloud migration. Gartner analysts Jay Heiser and Khushbu Pratap confirmed this, noting, “By 2025 regulatory concerns will represent a greater inhibitor for public cloud use than security concerns.” While risk managers were attending the conference, the US federal government was debating several options for national privacy legislation, and New York state legislators brought a proposed privacy act to committee. In Maine, legislation that takes effect on July 1, 2020 requires broadband providers to obtain customer opt-in before using or selling customer data. The United States is not the only source of new requirements: Sweden enacted a new law in April 2019, and India published its draft Personal Data Protection Bill in 2018. In short, more legislation means more compliance obligations to satisfy before business-critical operations can move to the cloud.
2. Maturity Means Merging
Organizations seeking to mature their privacy programs need to be more aware of how they handle data. Panelists at the Gartner Security and Risk Summit discussed the importance of merging existing technologies to secure it. Leaving identity and access management siloed from one another creates compliance, privacy, and security gaps. Best practice for scaling operations while maturing the compliance program starts with a convergence of Identity Governance and Administration (IGA), Privileged Access Management (PAM), Access Management, and Authentication. Currently, many organizations silo these activities by organizing around individual technologies. To remain compliant as business-critical operations migrate to the cloud, IT, security, and risk professionals need to work together on solutions that produce holistic, risk-based compliance programs rather than point fixes.
Focusing on IGA, analysts noted that organizations need to move beyond automated provisioning as a “one-stop” solution to identity lifecycle management. IGA programs should take a Governance First approach built on risk-based decision making. As more regulatory requirements focus on risk-based controls, organizations need evidence that those controls are actually in place, and adding identity analytics to the program supplies it. Analysts strongly supported using identity analytics to streamline IGA. Role mining and analytics let organizations remove redundant entitlements and build overarching programs across on-premises, hybrid, and cloud ecosystems so that users obtain only the right access to the right resources at the right time for the right reason.
As companies create digital transformation strategies, analytics based on fine-grained, attribute-based identity definitions provide the visibility they need into how users actually interact with data across their ecosystems.
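To make the role-mining point concrete, here is a small added example (not code from the summit or from any vendor): given a constructed user-to-entitlement matrix, it proposes roles from entitlement sets that several users share, then lists each user's residual access that no mined role explains. Those residuals are exactly the outliers an access review should inspect first. The user names, entitlement strings and thresholds are illustrative assumptions.

```python
"""Role mining over a user/entitlement matrix, plus residual-access review.

Added example: the data below is constructed for illustration and is not from
the Gartner session or any product.
"""
from itertools import combinations

# Constructed sample: user -> set of "application:permission" entitlements.
USERS = {
    "alice": {"hr:read", "hr:write", "payroll:read"},
    "bob":   {"hr:read", "hr:write", "payroll:read"},
    "carol": {"hr:read", "hr:write", "payroll:read", "prod-db:admin"},
    "dave":  {"git:write", "ci:deploy", "prod-db:read"},
    "erin":  {"git:write", "ci:deploy", "prod-db:read"},
    "frank": {"git:write", "ci:deploy", "prod-db:read", "payroll:read"},
    "grace": {"hr:read"},
}


def mine_roles(users, min_members=2, min_size=2):
    """Propose roles from shared access.

    A candidate role is the entitlement set two users have in common
    (at least ``min_size`` entitlements). It becomes a role when at least
    ``min_members`` users hold the whole set. For each distinct member
    group only the largest shared set is kept, so nested subsets do not
    create redundant roles.

    Returns {tuple(sorted(entitlements)): frozenset(members)}.
    """
    candidates = set()
    for a, b in combinations(users.values(), 2):
        common = frozenset(a & b)
        if len(common) >= min_size:
            candidates.add(common)

    best_per_group = {}
    for cand in candidates:
        members = frozenset(u for u, ents in users.items() if cand <= ents)
        if len(members) < min_members:
            continue
        if members not in best_per_group or len(cand) > len(best_per_group[members]):
            best_per_group[members] = cand

    return {tuple(sorted(ents)): members for members, ents in best_per_group.items()}


def residual_access(users, roles):
    """Entitlements a user holds beyond every mined role they belong to.

    These are the outliers an access review should look at first: either
    the access is justified and needs a documented role or exception,
    or it is stale and should be removed.
    """
    residual = {}
    for user, ents in users.items():
        covered = set()
        for role_ents, members in roles.items():
            if user in members:
                covered.update(role_ents)
        extra = ents - covered
        if extra:
            residual[user] = extra
    return residual


if __name__ == "__main__":
    roles = mine_roles(USERS)
    for ents, members in roles.items():
        print("role", ents, "->", sorted(members))
    for user, extra in residual_access(USERS, roles).items():
        print("review", user, sorted(extra))
```

On the sample data this yields two roles (an HR/payroll role held by alice, bob and carol, and an engineering role held by dave, erin and frank) and three review items: carol's `prod-db:admin`, frank's `payroll:read`, and grace, whose single entitlement matches no role. In a real program the thresholds would be tuned per application, and the residual list would feed the certification campaign rather than being acted on automatically.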
3. Metrics Matter
As part of creating an enhanced, analytics-enabled IGA program, organizations should use metrics derived from their solutions. However, choosing the right metrics is often difficult. Metrics that help define the success or failure of a program should:
- Have a clearly defined and defensible causal relationship to a business outcome
- Address a specific, defined audience
- Support business decision-making for that audience
- Be understandable by a non-IT audience
4. Inform to Influence
Metrics only provide value if they can influence business decision-making. It is not enough to implement metrics; they need to be the ones that inform decisions appropriately. As with the identity convergence discussed above, IT, risk, and security professionals need to step away from their traditional role as data protectors and think about how to use metrics to obtain buy-in. Business metrics for technology inform business decisions about outcomes that depend on that technology. Organizations should therefore adopt a “top-down” approach to defining metrics that incorporates stakeholders across the organization. Coordinating with stakeholders makes it easier to identify the most important business processes that use sensitive data. Then, working together, everyone can negotiate controls with the business process owners so that all critical processes and technologies are covered. Locating the metrics that inform the right audience is what lets IT, security, and risk professionals influence decision-making, and ultimately the organization's security posture, appropriately.
5. Analytics for Assurance
Analysts agree that digital maturity has reached a tipping point when it comes to IGA. Underlying all of the conversations around metrics and compliance requirements is the merging of four key functions: