Most IAM projects and programs are born when something goes wrong. Whether the company suffers a data breach or fails a compliance audit, the goal of the IAM project is to make sure that the same thing doesn’t happen again.
This approach to security program design has its issues, and mistakes in program design and execution can degrade or destroy the benefits provided by an IAM program. Companies looking to develop effective, sustainable IAM programs in-house still require access to IAM expertise and experience.
Building Programs, Not Solutions
Designing an IAM program (or any security program) as a solution to a particular problem ignores the context in which the problem occurred. There is no guarantee that implementing multi-factor authentication (MFA) or another IAM solution will solve the problem or that a mistake in program design or implementation will not undermine its effectiveness.
Without considering problems within their wider context, companies can miss key factors that affect the impact of their IAM programs. For example, deploying MFA to protect a VPN authentication portal against credential stuffing is a security best practice. However, MFA is easily bypassed if the attacker has compromised a device that receives the MFA codes, or if the VPN endpoint itself contains an unpatched authentication bypass vulnerability.
While solving a particular problem may be the motivation behind a new IAM security program, the program should not be designed solely to solve that problem. An IAM program should be an integrated part of a larger security strategy. To design and build such a program, companies need access to knowledge and experience of how to build a security program correctly.
Augmenting, Not Replacing In-House Talent
For companies looking to design and implement a future-state IAM program, it can be difficult to define the scope and resources required. Designing and rolling out a robust cybersecurity program often requires specialized knowledge and experience, which can be difficult to attract and retain in-house.
Some organizations offer cybersecurity program development as a service. They come in, help stand up a security program, and the project is completed. However, while this solves an organization’s short-term challenges, it can create longer-term issues or, at worst, future re-work. Cybersecurity programs should be built as dynamic, self-evaluating, self-improving frameworks. Many companies want to design, build, and operate their security programs in-house but may lack the knowledge and expertise needed to do so properly. These organizations would benefit from a strategy and roadmap for developing a program, along with advice and support throughout the process.
How MorganFranklin Can Help
MorganFranklin offers advisory services to partner with companies that are seeking to design, build, implement, and establish their own IAM programs. Based on our experience assisting clients with IAM transformations that balance inherent security with business enablement, we can provide guidance drawn from our breadth of experience across industries and organizational sizes. Our teams have performed assessments and implementation health checks, handled all aspects of standing up an enterprise-focused service, and provided operational support across the IAM domain.