The Identity Perimeter Paradox

Last month during Identiverse 2021, an annual conference by identity professionals for identity professionals, I attended several sessions that got me thinking a lot about the C-suite, specifically Chief Information Officers (CIO), Chief Information Security Officers (CISO), and Chief Privacy Officers (CPO).

The CIO functions as the business and information technology head of an organization, aligning all goals of the enterprise with a strategic plan; directing IT staff in the execution of the plan; and ensuring that all IT-related assets, environments, and systems are optimally managed.

The CISO functions as the head of the security and risk management program for an enterprise, overseeing incident response protocols, security training and operations, and data security and compliance policies and ensuring that all IT-related assets, environments, and systems are protected.

And the CPO’s essential responsibilities relate to a corporate privacy program, conducting privacy impact assessments, designing privacy controls within products and services, and monitoring the effectiveness of privacy-related policies and procedures.

Who do people-related, digital identity, and user-protection experience programs belong to?

Every digital experience begins with an identity experience, whether you are aware of it or not. For example, new employee onboarding is part of the employee experience, and new customer onboarding is a critical customer experience. Both are orchestrated digital identity experiences; does either of them belong to the CIO, the CISO, or the CPO?

Despite a decade of data breach reports quantifying the severity, simplicity, and root causes of compromised user credentials (weak or reused passwords and phishing), and an abundance of solutions and platforms to support digital identity and know your customer (KYC) programs, identity security is a paradox (a proposition that, despite apparently sound reasoning from acceptable premises, leads to a conclusion that seems senseless, logically unacceptable, or self-contradictory) because it:

  1. Makes passwords more complex while leaving them just as useless at proving the authenticity and presence of a real human user, since a phished password is replayed verbatim no matter how complex it is.
  2. Sends simulated phishing emails that trick people into clicking, which mostly teaches them how useless password complexity rules are against phishing.
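The following simulation, added here as an illustration and not part of the original post, makes the first half of the paradox concrete: a password that satisfies a typical complexity policy is phished by a look-alike page and replayed to the real site, and the complexity rules never enter into whether the replay succeeds. The second half goes one step beyond what the post says, contrasting the password with a constructed, origin-bound challenge-response credential (a deliberately simplified stand-in for a WebAuthn-style flow) that fails when relayed through a phishing origin. The site names, the user "alice", the password, and all of the classes and functions are constructed for this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed "complexity" policy of the kind the post describes: length plus character classes.
COMPLEXITY_RULES = [
    (r".{12,}", "at least 12 characters"),
    (r"[A-Z]", "an uppercase letter"),
    (r"[a-z]", "a lowercase letter"),
    (r"[0-9]", "a digit"),
    (r"[^A-Za-z0-9]", "a symbol"),
]

REAL_ORIGIN = "https://login.example.com"        # hypothetical relying party
PHISH_ORIGIN = "https://login-example.evil"       # hypothetical look-alike page


def meets_complexity_policy(password: str) -> bool:
    """True when the password satisfies every rule in COMPLEXITY_RULES."""
    return all(re.search(pattern, password) for pattern, _ in COMPLEXITY_RULES)


class PasswordSite:
    """Relying party that authenticates with a shared secret the user types in."""

    def __init__(self, origin: str, users: dict):
        self.origin = origin
        # Plain SHA-256 is NOT a password hash; the storage scheme is irrelevant to the phishing point.
        self._hashes = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}

    def login(self, user: str, password: str) -> bool:
        expected = self._hashes.get(user)
        if expected is None:
            return False
        return hmac.compare_digest(expected, hashlib.sha256(password.encode()).hexdigest())


def phish_password(real_site: PasswordSite, user: str, typed_password: str) -> bool:
    """The look-alike page captures whatever the victim types and replays it to the real site.
    Nothing about the password's complexity is consulted here, which is the point."""
    captured = typed_password
    return real_site.login(user, captured)


class OriginBoundSite:
    """Relying party whose challenge-response is bound to the origin the client is really talking to.
    Constructed simplification: the authenticator MACs (origin || challenge) with a per-site key."""

    def __init__(self, origin: str, keys: dict):
        self.origin = origin
        self._keys = keys  # user -> secret held by the authenticator, never typed by the user

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def login(self, user: str, challenge: bytes, response: bytes) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, self.origin.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticator_respond(key: bytes, origin_seen_by_browser: str, challenge: bytes) -> bytes:
    """The authenticator signs the origin the browser actually loaded, not what the page claims to be."""
    return hmac.new(key, origin_seen_by_browser.encode() + challenge, hashlib.sha256).digest()


def phish_origin_bound(real_site: OriginBoundSite, user: str, key: bytes) -> bool:
    """Relay attack: attacker fetches a real challenge, presents it on the phishing origin,
    and forwards the victim's response to the real site."""
    challenge = real_site.new_challenge()
    response = authenticator_respond(key, PHISH_ORIGIN, challenge)
    return real_site.login(user, challenge, response)


def run_simulation() -> dict:
    """Run both flows against a policy-compliant password and an origin-bound credential."""
    password = "Summer2021!Pass"                       # constructed; passes the policy, still phishable
    site = PasswordSite(REAL_ORIGIN, {"alice": password})
    key = secrets.token_bytes(32)
    bound = OriginBoundSite(REAL_ORIGIN, {"alice": key})
    challenge = bound.new_challenge()
    legit_response = authenticator_respond(key, REAL_ORIGIN, challenge)
    return {
        "policy_ok": meets_complexity_policy(password),
        "password_phish_succeeds": phish_password(site, "alice", password),
        "origin_bound_legit_succeeds": bound.login("alice", challenge, legit_response),
        "origin_bound_phish_succeeds": phish_origin_bound(bound, "alice", key),
    }


if __name__ == "__main__":
    for name, result in run_simulation().items():
        print(f"{name}: {result}")
```

The complexity checker is never consulted by `phish_password`; the credential is replayed as typed, so policy strength cannot change the outcome. The origin-bound variant fails under relay only because the authenticator commits to the origin it actually loaded, which a look-alike domain cannot forge.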

And while I am only covering one basic example of the paradox in this blog, there are a dozen more associated with authorization, permissions, applications, and machines, so ESG is fielding new research on the identity perimeter paradox, for identity professionals and by identity professionals, to:

  • Understand the community that is influencing and prioritizing IAM initiatives, their journeys to a modern identity strategy, and what resonates with them.
  • Determine the breadth of products, platforms, and technologies being included to support current business operations, and how that is expected to evolve over time.
  • Examine the results of successful zero trust/least privilege access projects, lessons learned, gaps, and remaining hurdles.
  • Gain differentiated insights into the awareness, planning, budgeting, purchasing, and implementation dynamics across organizations.

If you would like to learn more and participate in this multi-client study, please reach out to me by August 13, 2021.

Topics: Identity and Access Management