Building a Robust IAM Team
Building an IAM team is strategic, challenging, and extremely beneficial for companies that need to strengthen the security of their systems. Anyone pursuing a career in identity and access management, or IAM, is in the right place at the right time. In banking, finance, insurance, energy, health care, retail and other industries, companies are scrambling for qualified professional to build or maintain robust IAM teams.
Two recent surveys focused on identity and access management, one of which was conducted by LastPass, involved a total of more than 1,200 security decision-makers. The respondents worked in companies of all sizes and across a range of industries. The results were eye-opening.
- Midsize to large businesses are grappling with up to a fivefold increase in identity workforce. Even small businesses struggle to manage user credentials if their networks are open to customers or vendors. The dramatic spike in identities is largely due to evolving cloud and mobile technology.
- Almost all respondents agreed that weak or nonexistent IAM strategies pose increased security risks. IAM is more important to them now than ever. They worry about phishing attacks, compromised credentials, unauthorized access to data, loss of data, violations of users’ privacy and social engineering.
- In the survey, when participants were asked about their top priority for the coming year, 65 percent said it was upgrading their identity management programs.
- In both studies, though, participants cited challenges to improving. For one thing, few of the IT professionals surveyed were especially knowledgeable about their own company’s IAM strategies or about how to implement IAM. Even seasoned IT experts are simply not trained in this relatively new field of expertise.
Clearly, the time is now for business owners and executives to build dedicated IAM teams. That’s great news for both professionals who want to expand their horizons and computer-savvy students who are drawn to a career in cybersecurity.
A New Urgency
It’s tough to pin down how many businesses currently have an IAM team. In the study, however, a whopping 98 percent of respondents who work in companies that employ remote workers said that they do.
Since most businesses employ remote workers these days, it’s highly likely that most either have an IAM team or are working to build one.
Depending on company size and structure, teams report to either the chief security officer or the chief information officer. Many small to midsize companies may engage one executive in a dual role called CISO. IAM has tended to migrate from IT to security over time.
In any case, there’s a whole new urgency to implementing this extra layer of protection. As technology evolves, cyberthieves are never far behind, and their schemes get more sophisticated all the time.
Demand for dedicated IAM teams is only expected to grow over the next several years.
The Numerous Benefits of an IAM Team
The greatest benefit of IAM is reasonable assurance that networks, databases and applications are secure and private. Ideally, users must have the appropriate entitlements to access only the resources they need to do their jobs and only at certain times.
However, more and more companies are discovering additional benefits:
• Frustrated workers find somewhere else to work. A skilled IAM team ensures a first-rate user experience and improves employee retention and morale.
• A streamlined, automated experience boosts productivity whether users are on the premises, traveling or working from home.
• Companies can open their networks for the convenience of customers, vendors and contract workers.
• Automated IAM reduces calls to the IT help desk and subsequent waiting time for assistance. That saves manpower and money as well.
• Centralized security across a range of databases, networks and mobile apps gets users at all levels on the same page. Better communication, alignment of goals and collaboration are among the positive outcomes.
• Teams help organizations become audit-ready, remain compliant with security and privacy regulations, and avoid hefty fines.
How to Build a Robust IAM Team
A one-size-fits-all approach doesn’t work for IAM teams. Teams are as unique as the organizations and specific projects they’re created for.
Anyone building a team must first consider the size of the company and the scope of the project. A business with 250 workforce identities won’t need as many team members as one with 10,000 identities. There is really no average size when it comes to IAM teams. The number of members is dictated by the size of the business and its security requirements.
Once the company’s ongoing or project-specific needs are identified, it’s crucial for the team builder or project manager to engage early on with all the stakeholders who will be involved. The audit and compliance departments should be among the first stops.
If an IAM team is being built from scratch, there may not yet be a budget for it. The team builder might have to sell the idea by demonstrating its value to the decision-makers.
This is a fairly new development. Even in businesses that had existing IAM departments, identity management professionals were once seemingly invisible. Their roles were considered strictly technical.
That’s not the case anymore. IAM team members are emerging from the basement, so to speak, to meet with top-level executives so that business goals and budgets for various projects align. They’re getting input from stakeholder groups, such as human resources or accounting, and designing solutions with diverse user types and capabilities in mind.
There are many different hats to wear in IAM. Some roles, like engineering, database management and programming, are strictly technical. Others, like risk assessment and project management, are nontechnical. IAM is a complex job that requires a range of both hard and soft skills. That’s why job postings are so specific.
Almost all robust, cohesive teams comprise both technical and nontechnical professionals. IAM is not just about technology. It’s about people too.
Tips for Building a Strong IAM Team
• If necessary, demonstrate the value of IAM. For instance, point out the high number of IT help-desk tickets. Some experts estimate that every instance of a forgotten password costs a company around $70. Calculate and show the annual loss that could be avoided.
• Engage the audit and compliance staff. Show how automation will reduce mundane tasks and eliminate costly errors.
• Collect feedback from stakeholders at all levels in every affected department. Show how an IAM team will cut costs, streamline processes and generate revenue. Make sure that goals and business drivers are in sync between the team and various stakeholders.
• Select a small core group for project management across the entire team. Based on stakeholders’ feedback, choose supporting team members that are equipped to meet stakeholders’ needs. Group them according to specific project requirements or skills and experience. Select a representative with good communication skills from each group. Clearly define the goals, responsibilities and expectations for each new project or phase.
From there, plan carefully, delegate and consult the road map often to measure progress.
Choosing (or Becoming) Top IAM Talent
Superstars in IAM aren’t merely technologically gifted.
They’re wildly creative. They’re avid learners who continually expand their knowledge and pick up new skills. They can contribute to multiple projects, easily adapt to evolving technology, and communicate well.
Most importantly, perhaps, they earn as many certifications as possible. Diverse experience increases their value to any project or organization.
There are technologists, system architects, and IAM engineers who build and deploy identity management systems, and governance experts who build IAM programs. There are identity and access managers transforming IAM, identity protection advisors helping consumers, or red flag specialists trained to watch for warning signs of identity theft in high risk businesses. And, access management specialists who keep tight control over system access and respond to incidents. These are just a few of the specialties in IAM that require certification.
Identity Management Institute, founded in 2007, is an international industry leader in IAM certifications. Every day, we certify professionals in data protection, identity management, governance and technology, identity fraud prevention, access management, identity theft protection, and compliance.
In addition, we work with a variety of businesses to help them build or improve their IAM teams.
Given the rate at which demand for IAM is growing, we strive to help professionals get certified and companies get the talent they need.