Identity drives the modern enterprise. It connects customers, employees and partners to their applications and APIs, whether those resources are in the cloud, mobile, SaaS or on premises. Identity helps you prevent security breaches, manage sensitive data and improve user engagement and productivity.
You know it. You get it.
But in many enterprises, senior executives don’t. They don’t fully understand the strategic importance of identity to both security and digital transformation. And while awareness may be growing, identity and access management (IAM) isn’t always the priority it needs to be among senior leadership.
That’s why Ping Identity recently invited the Chief Information Security Officers (CISOs) from leading enterprises to identify a “top eight” list of what the C-suite needs to know about identity.
The CISO Advisory Council
First, a few brief introductions. Ping Identity’s CISO Advisory Council is made up of CISOs from 12 enterprise organizations, including:
Diane Ball, CISO for BCBS Tennessee
Steve Martino, CISO for Cisco
Stanton Meyer, CSO for CoBank
Ben Mayrides, CISO for Cvent
Sam Masiello, CISO for Gates Corporation
Larry Whiteside, CISO for Greenway Health
Michael Strong, CISO for GCI
Chris Gullett, VP of Information Security for Allegiant Air
Frank Aiello, CISO for American Red Cross
Adrian Mayers, CISO for Vertafore
The group looked at everything from authentication to user experience to compliance, and came up with a few key takeaways.
The Importance of Identity
#1 Identity is a key part of security, and security is a key part of business.
It’s no longer enough to rely on the outdated perimeter-based approach. Good security has become a differentiator for modern businesses, and it requires great identity and access management (IAM). So where does IAM fit in your organization? The council believes that IAM should ideally report into the security team, but that isn’t mandatory. What’s critical is that the IAM and security teams are closely aligned, and that each has a say in how the organization’s security and IAM decisions are made.
#2 Multi-factor authentication is incredibly important—but not all MFA solutions are created equal.
MFA is one of the easiest and most important things you can do to quickly improve your organization’s security. And MFA can be accomplished in many ways. Some ways—like one-time passwords over SMS—are easy to scale and deploy, but also easy for attackers to compromise. Other ways—like personal identity verification cards—are very secure, but a pain for employees to carry and use. Make sure you are choosing the right levels of security and usability for the right people in your organization.
At Ping, we believe that multi-factor authentication should be every enterprise’s goal, and that best practices are to require at least two factors from different categories (something you know, something you have and something you are). For instance, an employee might be required to submit a one-time passcode issued from a hard token along with a password, while a customer might use a PIN and a mobile phone app.
#3 IAM is for everyone.
Identity and access management isn’t just for your workforce identities. It’s for your customer and partner identities too. New regulations like the European Union’s General Data Protection Regulation (GDPR) are restricting how companies can collect customer information and what they can do with it. Having good customer and partner identity management and data governance is critical to competing in a global market in the twenty-first century.
Unlike your employees, your customers have choices when it comes to your brand, and they will go to your competitors if their expectations aren’t met quickly. You want to ensure your customers have safe interactions, but you don’t want to drive them away with a cumbersome experience. Ping’s approach is founded on the tenet that hitting the right balance of security and user-friendly experiences is key when implementing customer IAM (CIAM).
About Ping’s CISO Advisory Council: Made up of CISOs from leading global enterprises, this group provides insight to Ping Identity on security, privacy and compliance challenges within the global enterprises we serve. It helps inform Ping’s strategic vision, product roadmap and go-to-market strategies. Interested in getting involved? Please reach out to your account executive to learn more.