Identity drives the modern enterprise. It connects customers, employees and partners to their applications and APIs, whether those resources are in the cloud, mobile, SaaS or on premises. Identity helps you prevent security breaches, manage sensitive data and improve user engagement and productivity.

You know it. You get it.

But in many enterprises, senior executives don’t. They don’t fully understand the strategic importance of identity to both security and digital transformation. And while awareness may be growing, identity and access management (IAM) isn’t always the priority that it needs to be at the top.

That’s why Ping Identity recently invited the Chief Information Security Officers (CISOs) from leading enterprises to identify a “top eight” list of what the C-suite needs to know about identity. 

The CISO Advisory Council

First, a few brief introductions. Ping Identity’s CISO Advisory Council is comprised of CISOs from 12 enterprise organizations, including: 

• Diane Ball, CISO for BCBS Tennessee
• Steve Martino, CISO for Cisco
• Stanton Meyer, CSO for CoBank 
• Ben Mayrides, CISO for Cvent
• Sam Masiello, CISO for Gates Corporation 
• Larry Whiteside, CISO for Greenway Health 
• Michael Strong, CISO for GCI
• Chris Gullett, VP of Information Security for Allegiant Air
• Frank Aiello, CISO for American Red Cross
• Adrian Mayers, CISO for Vertafore 

The group looked at everything from authentication to user experience to compliance, and came up with a few key takeaways.

The Importance of Identity

#1 Identity is a key part of security, and security is a key part of business. 

It’s no longer enough to rely on the outdated perimeter-based approach. Good security has become a differentiator for modern businesses, and it requires great identity and access management (IAM). So where does IAM fit in your organization? While the council believes that ideally IAM should report into the security team, it’s not mandatory. What’s critical is that they work closely together. Make sure the IAM and security teams are closely aligned, and that each has a say in how the organization’s security and IAM decisions are made. 

Ping’s idea of identity driven security includes using tools such as contextual multi-factor authentication (MFA), federated single sign-on (SSO), standards-based access control that dynamically adapts to users and devices, an encrypted data store of consolidated user data, and data governance with a single set of policies for streamlined compliance.

#2 Multi-factor authentication is incredibly important—but not all MFA solutions are created equal.

MFA is one of the easiest and most important things you can do to quickly improve your organization’s security. And MFA can be accomplished in many ways. Some ways—like one-time passwords over SMS—are easy to scale and deploy, but also easy for attackers to compromise. Other ways—like personal identity verification cards—are very secure, but a pain for employees to carry and use. Make sure you are choosing the right levels of security and usability for the right people in your organization.

At Ping, we believe that multi-factor authentication should be every enterprise’s goal, and that best practices are to require at least two factors from different categories (something you know, something you have and something you are). For instance, an employee might be required to submit a one-time passcode issued from a hard token along with a password, while a customer might use a PIN and a mobile phone app.

#3 IAM is for everyone. 

Identity and access management isn’t just for your workforce identities. It’s for your customer and partner identities too. New regulations like the European Union’s General Data Protection Regulation (GDPR) are restricting how companies can collect customer information and what they can do with it. Having good customer and partner identity management and data governance is critical to competing in a global market in the twenty-first century.

Unlike with your employees, your customers have choices when it comes to your brand—and will go to your competitors if their expectations aren’t met quickly. You want to ensure your customers have safe interactions, but don’t want to drive them away because of a cumbersome experience. Ping’s approach is founded on the tenet that hitting the right balance of security and user-friendly experiences is key when implementing customer IAM (CIAM). 

This is just the beginning of what your C-level execs need to know about identity. To read the rest of the discussion, please download our brief, “8 Things Your C-Suite Should Know About Identity.”

About Ping’s CISO Advisory Council: Made up of CISOs from leading global enterprises, this group provides insight to Ping Identity on security, privacy and compliance challenges within the global enterprises we serve. It helps inform Ping’s strategic vision, product roadmap and go-to-market strategies. Interested in getting involved? Please reach out to your account executive to learn more.