SailPoint has discovered that organisations have a long way to go when it comes to digital identity. Its recent report, The Horizons of Identity Security (registration required), shows even mature organisations are struggling. One of the key challenges is articulating the business value to executives.
Matt Mills, President of Worldwide Field Operations, SailPoint, said, “A strong identity security program can generate real value for today’s organizations, but that value isn’t always obvious to business stakeholders.
“In today’s threat landscape, stopping just one breach can save millions of dollars in lost revenue, regulatory fines, and reputational damage. It’s important for security teams to have the information they need to communicate their needs in an outcomes-based way.
“Focusing on the business value that identity security drives is going to resonate best with executives and help them understand the pressing need to accelerate their identity maturity if they want to avoid becoming the next major victim.”
First learnings from the report
At 39 pages, this is not a report that lends itself to a quick read. The report opens with a number of examples that show the benefits of digital identities. It highlights how the ability to identify and communicate the investment case for digital identities delivered benefits.
However, it also highlights how gains are easily eroded. It states, “most security professionals are failing to build this business case – with 91% of our survey respondents citing a constrained budget as a primary obstacle to investment, and 77% citing limited executive sponsorship or focus.”
It goes on to group organisations into five horizons based on their strategy, talent, operating model, and technology capabilities:
- Horizon 1: The lowest maturity; companies lack the strategy and technology to enable digital identities
- Horizon 2: Have adopted some identity technology but still rely heavily on manual processes
- Horizon 3: Have adopted identity capabilities at scale
- Horizon 4: Have automated capabilities at scale and use AI to enhance digital identities
- Horizon 5: Closest to the future of identity, where boundaries are blurred between enterprise identity controls and the external identity ecosystem, and identity supports the business in next-gen technology innovations
Those horizon levels, when examined in depth, showed that there were other key factors in play. Companies were quick to learn from their peers to avoid barriers and pitfalls. They also used that information to accelerate their journey. However, even mature organisations were surprised at how few of the identities in their organisation were impacted.
The latter issue is interesting. There is a tendency to see identity as a human-related item. Yet, the explosion of IoT, devices and apps has created a many-headed problem when it comes to security and identity.
Some key messages from the report
There are some surprising and some not-so-surprising messages from the report. Among those are:
- A failure of security professionals to adequately communicate the business value of identity
- 44% of organisations are still in the early stages of their identity-security journey
- In the last year, 8% made the jump from Horizon 2 to Horizon 3. However, only 1% escaped Horizon 1. The report cites operating models, technical debt and business cases as reasons for the failure.
- Scaling is difficult no matter how mature you are, with both immature and mature companies having the same success at scaling
- Companies that leverage SaaS, AI and automation scale 10-30% faster than those that don’t
- Federated Identities will enable verifiable credentials and a Universal ID
- AI is a central enabler
Four elements are key to the future of identity
The report calls out four key elements that will define the future of identity:
- Integrated Identity Program
- Dynamic Trust Models
- Frictionless Access
- Federated Identities
Each of these four elements has advanced significantly over the last 12 months. Part of this has been driven by regulatory demands over the security of personal data. Another technology that has had an impact has been the increase in the use of biometrics, especially across mobile devices.
To be successful, there is a need for a common fabric. It is composed of privacy, customer experience, trust and AI. With the exception of AI, these are items that everyone would expect in an identity model.
SailPoint sees the use of AI in identity security as key to driving user experience and building new models. However, it also recognises that AI is far from perfect and increased AI use brings with it a number of risks that need to be addressed.
Skills shortages, budget constraints and poor exec sponsorship created drag
There are six areas that the report highlights as creating drag when it comes to crossing horizon boundaries. Unsurprisingly, skills shortages (85%), constrained budgets (91%) and limited exec sponsorship (77%) are the top three.
The remaining three are technical debt (72%), impact of organisational changes (72%) and underdeveloped asset and data management. Technical debt is the non-surprise in this second group. There is still significant technical debt that has built up as organisations have struggled to add multi-factor authentication (MFA) and other technologies to strengthen or replace passwords. There is no easy solution to that technical debt, and it will continue to be a drag on any passwordless future.
The other two are interesting because they show how the introduction of digital identity must be integrated with organisational change. It must also build on and make better use of the tools that are already in place. The report singles out the need for better IAM capabilities that understand legacy integration.
Putting a value on this
Of interest to execs will be that the report provides value quantifications around examples of different organisations. The report gives eight different examples. It cites a retail organisation with more than 10,000 employees as saving in excess of $1 million in annual costs through automation of governance processes.
Another example refers to a utility company with more than 15,000 employees showing a $3.6m gain in annual productivity. This was all made possible by the introduction of a better identity solution.
Just as important is a section on how to demonstrate ROI to the C-Suite. It is a section of the report that all CISOs should take a close look at.
Enterprise Times: What does this mean
There is much more in this report than just the items mentioned above, which makes it an interesting read. However, it is important to read this report with an open mind. As useful as it is, there are still many unanswered questions, especially about implementation.
What is important, however, is that the report is not the usual run-of-the-mill numbers fest. Yes, there are a lot of statistics in it. But there is also a lot of well-thought-out and well-reasoned interpretation of those numbers. It makes it different from many other reports and, for that reason, is worth the time required to read it.