With enterprises rapidly transforming their businesses to take advantage of the new digital economy, digital identity has come to the fore. As topics such as cyber threat mitigation and customer engagement have moved up the enterprise food chain, digital identity has become a topic of importance at the executive level, increasingly gaining board-level visibility.
In a new European study, 'Identity and Access Management in the Digital Age', sponsored by KPMG International, CyberArk and SailPoint and exploring the issues faced in managing digital identities, 77 percent of information security executives had transformed at least some enterprise operations. Asked about the important goals of their organisation’s digital transformation, 48 percent cited threat or breach mitigation, making it the most common objective.
Significantly, the study found respondents were very aware of the transformation goals of other parts of the business. Increased revenue potential (important to 73 percent), enhanced customer experience and customer relationship management (70 percent), and creating a more agile business (68 percent) all ranked highly.
"These figures would not be very different in either Asia Pacific or North America", say co-authors John Havers, KPMG Australia, and Toby Emden, KPMG US.
While the study only surveyed information security executives, the role of digital identity as a transformational capability goes well beyond traditional functions like user provisioning and authentication. It also underpins privacy protection, provides the basis for improving customer relationships and customer experience, facilitates an increasingly mobile and geographically dispersed workforce, and enables tighter collaboration between businesses.
The immediate challenge that information security executives face, however, is that transformation introduces new cyber threat or breach vectors, with the potential to incur enormous damage and cost to business operations. This has major implications for the traditional enterprise digital identity function known as Identity and Access Management (IAM).
Almost two-thirds (65 percent) of respondents said Shadow IT, including cloud systems outside the control of the IT department, presented a challenge to their IAM capabilities. Newly connected devices (cited by 50 percent) and the Internet of Things (48 percent) were also cited as common challenges.
65 percent of senior information security decision makers in Europe see Shadow IT as a challenge to creating a secure IAM solution.
This was reflected in respondents' IAM investment planning, with endpoint security included by 73 percent, the number one choice, and consumer identity applications by 65 percent. However, only a minority of respondents’ IAM investments included social identities and logins (41 percent), Machine to Machine (M2M) or Internet of Things (IoT) applications (37 percent), or big data applications (28 percent).
It is here that the study reveals a divergence we often see between enterprise groups with different agendas. When it comes to investments in digital identity, it is likely in many cases that the information security executives surveyed were not speaking for their entire organisation. Although this is hardly a new trend, it does emphasize the continued importance of ensuring alignment between business leaders and information security executives.
This provides what is possibly the biggest take-away from this study. "While digital identity is attracting greater focus in the enterprise, different stakeholders need to come together if transformation is to succeed", says Emden, KPMG US. Information security plays a key role, enabling a new set of opportunities to engage customers digitally, protect their privacy, reduce organisational risk and create trust.
Ultimately, the identity issue transcends technology, serving as a trust anchor for people, processes, data and governance. IAM is one of the most complex undertakings for any organisation, sharing many characteristics with an ERP program. It has a direct impact on how users interact with systems, perform their jobs and access sensitive data.
Accordingly, IAM can result in profound cultural change that requires sustained executive focus in order to be effective. "That makes it an organisational challenge that must be tackled holistically, not just by the IT department", says Havers. While this has always been the case, the emergence of disruptive trends such as cloud, Bring Your Own Device (BYOD) and an increasingly dangerous threat landscape makes IAM more important than ever.