Tuesday, September 02, 2008

Another view on outsourcing Identity Management

I wrote about outsourcing Identity Management back in July, which was an extension to another post I made in 2007.

Corbin Links left a well thought out, rather lengthy (in a good way) comment in response and makes a couple of good points.

He submits that businesses do not care about security and best practices:
"I’m sure I may ruffle a few feathers by saying this to some, but business -- by and large -- does not care about security. (Except for providers of security-related products and services...) Or rather, business only cares to the extent that market forces, customers, and regulatory agencies demands it."

...

"businesses invest in security because they have to, not because they want to."

and that best practices
"are the practices all organizations think they should be practicing, but in actuality do not. It’s a term that helps sell frameworks, tools, and conference passes, but that has very little tangible impact in many organizations."

He goes on to say:
"What businesses *do* care about, is processes, methods, and tools that can facilitate making money, improving bottom and top-lines, improving customer satisfaction, improving end-user experience, reducing time to marketing, reducing help desk costs and calls, streamlining processes, etc."


He brings up the point that industries that do not traditionally buy Identity and Access Management solutions would like them, but just don't have the expertise or the budgets. In this respect, they would gladly pay for the service and outsource it all:
"For many, the premise of outsourced management of IAM is very attractive. Because, many organizations realize that they:

1)Do not have the core competencies
2)Will never have the core competencies
3)Will never be in the business themselves of providing IAM-related services
4)Do not have their processes modeled
5)Do not have enough information or expertise, or time to define their current, much less future-state business processes
6)Are not qualified to determine accurately what risks really exist, levels of data protection needed, data classification levels, etc."


I agree with some of what he says through his comments, particularly regarding the fact that the "non-traditional Identity Management buying market" (particularly SMB) just don't do it because they can't justify the costs and effort required. A managed offering would certainly be more attractive in this respect.

I still don't discount the fact that there are data, privacy and security concerns that need to be worked through. Sure, some organisations will not care too much (probably because they don't have the big regulatory stick being waved at them) but it is up to us as professionals to make sure they care, especially if we're the ones providing the service to them. We have an ethical obligation to do so. And if in the process of educating organisations they decide not to buy anything, so be it (I can see all the sales people saying "nooooo why are you saying that?!?!").

As for the statement that business does not care about security and best practices (or only care as much as they need to), it depends. A majority behave this way (and I've been in many sales situations where we play on this fact), but I've also met C-level executives (including CEOs) that certainly do care about security. Sure, most of the time it's because they "don't want to be on the front page of the Wall Street Journal". It is rare that someone will care just because of ethical reasons and want their overal security posture to be sound (or dare I say, world class). But they do exist. And the ones that care know that they MUST have security in mind because they "do not know what they do not know." That is, they need to be proactive about security rather than reactive. Unfortunately, most organisations fall into the reactive category and so Corbin is mostly right.

I encourage you to read the comments and submit your own thoughts.

2 comments:

Anonymous said...

Hello Ian:

Thank you for your responses. A very interesting conversation.

Ian said:
I still don't discount the fact that there are data, privacy and security concerns that need to be worked through.

Corbin replies:
Great point, and these issues can never be discounted - and should not be. That said, they need not be insurmountable barriers to a strategic and well-managed outsourcing arrangement, which was where I was going in my previous comment.

Ian goes on to say:
Sure, some organisations will not care too much (probably because they don't have the big regulatory stick being waved at them) but it is up to us as professionals to make sure they care, especially if we're the ones providing the service to them. We have an ethical obligation to do so.

Corbin replies:
I don't necessarily agree with this. Any commercial organization's obligation to any other is in the context of what is best for the client's or partner's business. In some cases, that may be preparation of a stronger audit response. Or a reusable data classification system, or reusable business processes, and the like. There is no obligation, moral or otherwise to sell or not sell a product or a service, or to use FUD, as in the case of some vendors, to panic the client into changing their entire business model solely for pleasing an auditor or selling more software licenses. This is not say that audit and regulatory issues are to be discounted -- far from it. Rather, these issues should be factored into doing business, and not used as sole justification for multimillion dollar (or Euro) software implementation.

Ian goes on to say:
And if in the process of educating organisations they decide not to buy anything, so be it (I can see all the sales people saying "nooooo why are you saying that?!?!").

Corbin replies:
The part about organizations deciding (or not) to buy something I completely agree with. In the ideal world, product vendors (and service providers) give honest, up-front assessments of client environments and help them decide if to buy, and if so, then *what* to buy. If the vendor solution set is not a particular fit for the client's particular need, then perhaps vendor partners can fit the bill. It may not be a product at all. Services perhaps. Client needs dictate (or should dictate) what is ultimately offered as the solution set.

Ian goes on to say:
As for the statement that business does not care about security and best practices (or only care as much as they need to), it depends. A majority behave this way (and I've been in many sales situations where we play on this fact), but I've also met C-level executives (including CEOs) that certainly do care about security. Sure, most of the time it's because they "don't want to be on the front page of the Wall Street Journal". It is rare that someone will care just because of ethical reasons and want their overal security posture to be sound (or dare I say, world class). But they do exist. And the ones that care know that they MUST have security in mind because they "do not know what they do not know." That is, they need to be proactive about security rather than reactive. Unfortunately, most organisations fall into the reactive category and so Corbin is mostly right

Corbin replies:
This is what I was saying in the previous post. Yes, there are some that truly do care for intrinsic, moral, fiduciary, and world-class client service reasons. They are a breath of fresh air and easier for product vendors and service providers to work with, and their organizations require far less in the way of retrofitting to accommodate regulatory requirements.

Thanks again Ian for the engaging and interesting discussion! I found your blog highly insightful, and we have added it to our recommended reading list.

Ian said...

Thanks Corbin. Looks like we agree on most of the points, but not all. That's fine as it fuels interesting conversations. Look forward to future discussions with you.