IAM Lesson Learned #2: Determine The True Current State

Getting an accurate assessment of the true current state is key to the success of any IAM initiative.

But often, the true current state is not that simple to determine. We find two main challenges to collecting this information from our customers:
1. A lack of real knowledge of how the current system works; and
2. Trying to collect information from people afraid of change.

The first is not a reflection on the competency of an organization’s IT security department. It’s attributable to short institutional memory of how and why things are done a certain way, a consequence of the transitory nature of IT security folks. Often the people who decided upon and/or deployed the existing system are long gone, so it is now up to the current staff to explain how things work.

We also regularly find that interdependent systems each have their own system administrators who operate in silos and do not communicate with one another. Effectively, the right hand does not know what the left hand is doing.

The second obstacle is a bit more complicated.

People in general are afraid of change.

People who are afraid of becoming irrelevant and losing their jobs are really afraid of change.

Sometimes we have to draw out of people exactly how they do their job and where they fit into the larger process. Again, this is where the silo mentality comes in: people may be able to articulate their own role, but often lack knowledge of how they fit into the bigger picture.

This can become a big problem when we find out that people have created workarounds to get their own jobs done, or are permitted to manually enter data outside of any automation or corporate policies. Their entrenched interests can cause resistance to the data collection efforts because they know what they are doing is inherently wrong.

It is then up to us to piece together all of the moving parts to determine the true current state.

This doesn’t just benefit a single IAM project, but rather the organization’s IT security as a whole, because it helps identify duplicated efforts, as well as any gaps.

For the IAM initiative at hand, it leads to fewer delays, better defined requirements, and a greater chance of success. And many of our customers even find out new information about their current systems and processes along the way.

Reach out to us if you’d like help determining your organization’s true current state.

IDMWORKS Lessons Learned Series

After 650+ IAM engagements, IDMWORKS has compiled what organizations need to know before, during and after implementing an IAM program. We polled our customers and our 150 IAM engineers, architects, and PMs responsible for their success to draw from what they see on the job every day, and boiled that down to a series of lessons learned. Every organization at any stage of IAM maturity will find value in these highly accessible, jargon-free, universal rules to live by for making an IAM program successful.