Engaging the Right Teams
Even under optimal conditions, implementing PAM tools is hard, and it gets even harder if users don’t want to use them — or if there are technical problems that need to be solved. This can lead to the implementation taking longer than planned, stalling out after reaching a baseline functionality (such as administrator account vaulting), or not happening at all.
So as you begin building support for your JIT PAM initiatives, getting buy-in from every department is critical. PAM programs affect different teams in different ways, so it’s helpful to understand the different roles, their relationship to risk, and the approach you should take to build consensus.
IT Users
IT users may be the most resistant to change, but their buy-in is the most critical. To them, access may equal status, and many of them have had very high levels of privilege for long periods of time. They’re also busy people who are suspicious of anything that’s going to create additional friction in their workday. If they don’t like a tool, they will always find a way around it.
Approach: Step one is understanding how they do their jobs. What apps and systems do they connect to and how do they access them? What tasks do they do when they are working in the environment? Try providing early access to the PAM tool to increase their comfort with the new processes. Technology shouldn’t be a barrier. It should be an enabler. The closer we can get our technology to fit normal user behavior, the better.
Executive Management
Management is in charge of keeping the organization secure against threats, so they’re going to understand different drivers for embarking on a PAM program. They know the stakes: data breaches cost businesses an average of $4.35M, and privileged access abuse accounts for 80% of attacks. PAM tools help them stay ahead of these risks, so they’re the people who can help craft that all-important top-down messaging.
Approach: It’s important to provide context on the business risks of NOT having a mature PAM program that supports just-in-time capabilities. Executive support can be helpful if projects get stuck.
Security Teams
These folks are tasked with getting ahead of risks and minimizing the attack surface. Their responsibilities include aligning to best practice frameworks, cyber insurance, and other mandates. They own the identity stack – including PAM, IAM, MFA, and SSO – and the rest of the security portfolio.
Approach: Since orgs have an average of 76 security tools to manage, they’re interested in tools that can help them cut out the clutter and consolidate vendors.
Audit and Compliance Teams
These teams are tasked with reporting on past or present-day risks. Above all, they need to know who has access to what — and what they’re doing with that access.
Approach: To them, intuitive reporting is key. If a PAM tool can help them automate the collection and analysis of data, it’s going to win hearts.