Who should be in charge of Digital Identity and of IAM?

IAM (Identity and Access Management) has become an established discipline in organizations. Two decades ago, that was not the case. But like everything in IT, IAM is under constant change. There is IAM, mostly in the sense of Enterprise IAM or Consumer IAM (CIAM, also sometimes referred to as Customer IAM). And there is the term "Digital Identity" or Digital ID. The latter takes a different perspective.

If we drew a Venn diagram, there would be a considerable intersection. However, there is the technical angle of IAM, such as PAM (Privileged Access Management) and other disciplines within IAM, while Digital Identity has a non-administrative, non-security focus in the context of Digital Business. Digital Identities are at the core of digital services and of success in the digital business. This is just starting, with Decentralized Identities becoming a big game changer.

Why is this bit of history and distinction between terms relevant to an article with the headline "who should be in charge"? Because it impacts the organization. Purpose and ownership must fit each other.

In the early days of what became IAM - frequently not even named that way back then - the focus was on administration. We looked at metadirectory services and the management and synchronization of user accounts between different directories and systems, such as the (back then frequently still rather new) email system. These tools usually were owned by the IT infrastructure department.

When IAM evolved, user experience shifted into focus. The purpose changed. Efficient provisioning processes and SSO (Single Sign-On) became important. Still, IAM commonly resided in the IT infrastructure department.

In 2002, the Sarbanes-Oxley Act came into effect and compliance became important to IAM. Enforcing the least privilege principle and access recertification were added to what IAM had to deliver. Specifically in industries with strong regulatory pressure, IAM moved from IT infrastructure into independent IAM departments.

Nowadays, the focus is on Identity Security (yet another term), the intersection of IAM and cybersecurity and a bit of Digital ID. It is not just about managing entitlements anymore, but about mitigating identity-related threats. We see ownership shifting to the CISO, with the IAM department being one of the departments belonging to the CISO (first line of defense).

This is not the end of the journey, though. With a shift to Digital Identities, the CDO (Chief Digital Officer) comes into play. The perspective then is business enablement, not "just" security anymore. On the other hand, security remains essential. From an ownership perspective, this leads to a challenge: there is a logic to the CISO owning IAM, and there is a logic to the CDO owning Digital Identity. Going back to the Venn diagram, while there is an intersection, there also are specifics on each side.

The art will be to assign responsibility clearly between the CISO on one hand and the CDO on the other, serving both purposes. The lines are blurred, so this is a matter of defining responsibilities and accountabilities, processes, interfaces, etc., for a TOM (Target Operating Model) that works seamlessly as the foundation for a secure digital business. Identity Security is the CISO's business. Digital IDs enabling the business, specifically with a focus on the identity of external parties and of connected devices and things, will fall into the CDO's domain, working closely with the CISO to enforce security.

CISOs and CDOs must become best friends. Only if they collaborate closely will businesses succeed in the digital age. And only then will they not fail due to security incidents.

Oh, and there is one more way to organize this - more on this in the next article.

#iam #identityandaccessmanagement #identitymanagement #digitalid #digitalidentity #pam #decentralizedid #decentralizedidentity #did

The article lays out a compelling case for the evolving ownership of IAM (Identity and Access Management) within organizations. It highlights the historical shift from IT administration to security (CISO) and now ponders the future with the rise of Digital Identity and the CDO.

Vesa Teikari

Head of CIAM business

8 months

An interesting read. From the customer’s perspective, the boundaries between various channels and touchpoints are increasingly blurred. Customers expect a seamless and consistent brand experience, no matter the channel or touchpoint. This shift demands breaking up silos, sharing customer data across departments, and aligning strategies to ensure unified experiences across all touchpoints expecting a Total Experience (TX) strategy. Gartner defines TX strategy as leveraging technology and interactions to enhance, empower, and embolden both customers and employees. A unified digital identity, linked to holistic data management, is key for harnessing TX, allowing for personalized and seamless interactions between customers and employees. Gartner predicts that by 2024, organizations embracing TX will outperform competitors by 25% in CX and EX satisfaction. The realization of Gartner’s predictions underscores the importance of effectively managing digital identities. To me, this suggests the co-ownership of IAM between CXOs—who, according to CXToday, are catalysts of customer-obsessed business strategies, fighting for the needs and wants of a company’s customers—and guide employees with the tools and knowledge they need to excel.

Dr. Srijith N.

Chief Information Security Officer | Non-Exec Board Member | Product Management

8 months

Great article Martin. Couple of observations based on what I have seen out there: 1. CDO role is rare even within big tech companies. What I have seen is that product (and the Chief Product Officer at the helm of it) owns CIAM. This enables them to align identity and its usage (e.g. customisation, personalisation etc.) to be more aligned to business. The CISO and infosec team in this case becomes a key stakeholder but not the primary owner. 2. Even in organisations where CISO owned CIAM and customer identity to begin with, there has been a gradual move that saw the domain landing up either in the wider Tech org or the Product org just because of the key enabling focus of these domains. This probably points to an inherent concern around how a front-line CISO can manage a core business-enabling capability like customer identity (+ access).

Denis Ontiveros Merlo

vp Enterprise Platforms

8 months

This is a limited perspective. Actually, anything that is pulled apart to fit into a suboptimal organisational structure with three letters, no matter what they are, is an incorrect approach in my view. What is the value chain you are enabling? What are the features that the product needs to have? This should be the focus, not artificially having to neatly put it in one or another silo. Org constructs will always be imperfect. We need to focus on the customer and the product that supports the customer. And remember, the customer does not even care for identity, they just want to execute the task. Identity is a contract; we have to manage it. We really need to move on from this rhetoric if we are to evolve.

More articles by Martin Kuppinger
