Why Does Identity and Access Management / Governance Matter?

The risks associated with insider-threat theft and data breaches are well known. At the very least we ought to be aware of who is currently able to access our information resources and operational controls. We need to understand the risks to the enterprise if information or access falls into the wrong hands, or is corrupted in some way. Whatever products or services are produced by an organization, security is ultimately an assurance of the integrity of the environment.

Data protection compliance is an important consideration. Organizations invest capital to ensure that they conform to the guidelines of the regulatory and oversight entities aligned with their industry focus, such as:

  • PCI DSS to protect personally identifiable information.
  • HIPAA compliance to protect health and medical records.
  • Title 21 CFR Part 11 for pharmaceutical and medical device providers.
  • SOX for all corporate entities.
  • NERC/FERC for power generators and suppliers.
  • FISMA in the government space.

But ultimately, compliance is an obligation to protect information with effective security and governance controls. Unfortunately, compliance does not necessarily equate with security. It is simply security guidance with basic review and enforcement.

Efficiencies in the investments and operations of cybersecurity are becoming a relevant part of corporate and enterprise consideration, especially as rising costs begin to affect budgets and plans. The cost of meeting cybersecurity personnel demands will become an even greater factor as staffing shortages increase. Complex legacy landscapes of disparate systems, each with its own collection of security models, must be coordinated with methods for the efficient management of identities, roles and policies, and access entitlements.

We are then faced with the challenges of implementing an agile IAM/G platform that must be configured to support the collection of identity-access rights status from a multitude of systems, as well as the connections required to support centralized, automated provisioning back to those very same systems. The convergence of governance and technology, life-cycle configuration management and embedded workflows, roles and policies, and remediation/attestation support together provides the automated activities that can perform much cybersecurity work better, faster, and more cheaply.

Once compliance is a given, and automation efficiencies are in place, organizations can begin to focus on the effectiveness of their IAM/G environment in support of their operational mission. Real-time situational awareness, easy on-boarding of partners and contractors, defining and deploying new security contexts, risk calculation scoring, separation of duties (SOD), and continuous compliance are examples of value derived from increasing IAM/G maturity. A Maslow-style hierarchy of IAM/G needs for an organization might be characterized as follows:

[Figure: hierarchy of IAM/G needs, with Mission Value at the top]

In this hierarchy, compliance is of basic importance, but efficiencies (costs) and effectiveness (assurance of the integrity of the environment) represent higher levels of importance, leading to that which is most important: contribution of value to the mission. Ineffectiveness caused by complexity and change can put organizations in a position where they accept cybersecurity risks in exchange for operational and mission demands, especially unanticipated ad hoc demands. Minimizing those types of ineffectiveness can deliver substantial mission value.
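The collection-and-provisioning loop and the separation-of-duties check described above, as an added example that is not from the original post: it merges entitlement snapshots pulled from several disparate systems into one per-identity view, finds SOD conflicts that only appear across systems, and turns them into remediation/attestation items. System names, users, entitlements and rules are constructed sample data.

```python
# Added example (not from the original post): a minimal IAM/G reconciliation pass.
# All system names, users, entitlements and SOD rules below are constructed.
from collections import defaultdict

# Snapshots as an IAM/G collector might pull from each connected system.
COLLECTED = {
    "erp":      {"alice": {"ap_create_vendor"}, "bob": {"ap_create_vendor"}},
    "payments": {"alice": {"ap_approve_payment"}},
    "hr":       {"alice": {"view_payroll"}, "carol": {"edit_payroll", "approve_payroll"}},
    "ldap":     {"dave": {"helpdesk"}},
}

# SOD rules: pairs of entitlements one identity must not hold at the same time.
SOD_RULES = [
    ("ap_create_vendor", "ap_approve_payment"),
    ("edit_payroll", "approve_payroll"),
]

def aggregate(collected):
    """Merge per-system snapshots into identity -> {(system, entitlement)}."""
    view = defaultdict(set)
    for system, users in collected.items():
        for user, ents in users.items():
            view[user].update((system, e) for e in ents)
    return dict(view)

def sod_violations(view, rules):
    """Return (user, rule) for each identity holding both sides of a rule, regardless of system."""
    found = []
    for user, grants in sorted(view.items()):
        held = {e for _, e in grants}
        for a, b in rules:
            if a in held and b in held:
                found.append((user, (a, b)))
    return found

def remediation_items(view, rules):
    """Turn violations into attestation/remediation tasks naming the grant and the systems to fix."""
    items = []
    for user, (keep, revoke) in sod_violations(view, rules):
        # Default proposal: revoke the approval-side entitlement; a reviewer may attest instead.
        systems = sorted(s for s, e in view[user] if e == revoke)
        items.append({"user": user, "revoke": revoke, "systems": systems,
                      "keep": keep, "status": "pending_review"})
    return items

if __name__ == "__main__":
    for item in remediation_items(aggregate(COLLECTED), SOD_RULES):
        print(item)
```

Alice's conflict spans two systems (erp and payments), so a per-system review would never see it; only the aggregated view does.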

Ultimately, organizations will need to determine how best to model and analyze the performance and value of their cybersecurity and IAM/G investments in support of their mission. Such a performance model would serve to connect the portfolio of human capital to the portfolios of technologies (IT) and physical assets, in the context of the capabilities that deliver the services (or products) of the mission.


If you would like more information about how the right IAM solution can transform your organization, contact Ray Brisbane via phone (571.483.2735) or via email at
