How to Tell Whether You're Getting a Return on Governance
By Travis Green
Like Many Security Technologies, Access Governance Won't Directly Drive More Revenue for a Business. So How Can You Deliver a Return on Governance?
Surveys can be mind-numbingly dry, but there is occasionally something surprising to be learned about what is happening in the industry. Ponemon’s 2015 Cost of Cyber Crime Study (PDF) shows Access Governance tools as the number one deployed security technology to enable a reduction in the cost of cyber crime. This marks the first time that Access Governance has been at the top of this list in this survey.
More interesting is the fact that despite its wide adoption, Access Governance falls to fourth place in terms of return on investment (ROI) in that same survey. Why is the return so much lower?
Why is Access Governance implemented?
To understand why the return on Access Governance is lower than for other security technologies, we first need to understand why Access Governance is implemented in the first place. More often than not, the driver for implementing Access Governance (and the source of budget) is compliance.
Like kicking bickering family members out of the house after a holiday meal, we seek to make the auditors go away by demonstrating an effective access certification control. And we’ve been relatively successful at that. But there’s a downside to the focus on compliance.
Our line of business managers have figured out how to rubber-stamp the certifications, which may be enough to satisfy an auditor, but it hasn’t reduced risk for our organizations. Because those managers are allowed to mindlessly approve access for everyone, there are too many people with too much access. Even worse, people who leave our organizations often retain access for significant periods of time.
We have to ask ourselves, how long will CFOs and CISOs accept this pretense? CFOs want to know that the significant spend on Access Governance is providing a return on the investment, and CISOs want to reduce risk in the environment, not just satisfy auditors.
What kind of return can be expected on Access Governance?
Like many security technologies, Access Governance is not going to directly drive more revenue for a business. So the question of ROI has to be reconsidered in terms of return on governance, specifically measuring the cost of Access Governance versus the risk reduced.
Accurately representing costs is a challenge, but generally achievable if direct and indirect costs are understood. The more difficult measure is risk reduction.
Fortunately, while imperfect, there is a metric that is an outcome of Access Governance, which can be used to measure some amount of risk reduction – the percentage of access revocation following each round of access certification. We can use %R as shorthand for this metric.
So, what is an acceptable %R?
This question falls into the infamous “it depends” category. Consider what a 0%R means. Perhaps your access provisioning and deprovisioning process is so good that there are no situations where someone is granted more access than they need. Of course, the more likely answer is not that your organization is perfect, but rather that your managers are rubber-stamping every certification.
So we can assume that 0%R isn’t good. But what should the upper boundary be? The reality is that this will be influenced by actions of the business. For example,
· Has there recently been a merger or acquisition that could cause a spike?
· What is the typical amount of job changes that happen in your organization?
· Do you have a cadence of contract work that requires regular access provisioning and de-provisioning?
· Is your organization matrixed, such that personnel switch projects from time to time reporting to different managers?
· Is your organization growing and adding new people, where there is a temptation to clone access rights based on someone who has been in the organization longer?
Finding the appropriate %R for your organization will require baselining the current state and applying corrections for business conditions. An acceptable %R is one that meets or exceeds the expectation set by that baseline.
For example, imagine a publicly traded hotel group that has financial applications governed by SOX section 404. Perhaps the baseline for %R on these applications is relatively low, maybe 1%, as there are contractors working on maintaining them occasionally. But then the group acquires another hotel group, and more people are going to be given access to a new financial application that will replace the previous one. And some people will leave the organization a few months after the acquisition is completed.
We would expect to see a spike in %R during the initial rollout of the new application, but only if the process for revoking access isn’t automated as part of the rollout. And there would be a follow-on spike in %R once the second wave of organizational change occurs. Both spikes are conditional on the level of process maturity for de-provisioning access.
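The two warning signs described above, a reviewer who revokes nothing (rubber-stamping) and a campaign whose %R jumps well past the baseline, are simple to compute from certification decision records. The following is an added example, not code from the article or from any particular Access Governance product: the record layout, the reviewer names, the `min_items` threshold and the baseline/tolerance values are all assumptions, and the decision records are constructed sample data.

```python
"""Compute the access-revocation percentage (%R) per certification campaign
and per reviewer, then flag the two failure modes a governance owner cares
about: reviewers who never revoke (likely rubber-stamping) and campaigns
whose %R spikes above an agreed baseline. Record layout and all data are
constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CertDecision:
    campaign: str      # certification round, e.g. "2015-Q1"
    reviewer: str      # manager who certified the entitlement
    user: str          # account that was reviewed
    entitlement: str   # application role or group that was reviewed
    revoked: bool      # True if the reviewer removed the access


def _batch(campaign, reviewer, n_items, n_revoked, entitlement="fin-app:gl-post"):
    """Build n_items decisions for one reviewer, the first n_revoked marked revoked."""
    return [
        CertDecision(campaign, reviewer, f"user{i:02d}", entitlement, i < n_revoked)
        for i in range(n_items)
    ]


# Constructed sample: a quiet quarter followed by a post-acquisition rollout.
# "bob" approves everything in both rounds; "carol" appears after the rollout.
SAMPLE = (
    _batch("2015-Q1", "alice", 20, 1)
    + _batch("2015-Q1", "bob", 20, 0)
    + _batch("2015-Q2", "alice", 20, 4)
    + _batch("2015-Q2", "bob", 20, 0)
    + _batch("2015-Q2", "carol", 10, 2)
)


def revocation_pct(decisions):
    """%R for any set of decisions: revoked / reviewed * 100 (0.0 for an empty set)."""
    total = len(decisions)
    if total == 0:
        return 0.0
    revoked = sum(1 for d in decisions if d.revoked)
    return 100.0 * revoked / total


def pct_by_campaign(decisions):
    """Map each campaign to its %R so rounds can be compared over time."""
    groups = defaultdict(list)
    for d in decisions:
        groups[d.campaign].append(d)
    return {campaign: revocation_pct(items) for campaign, items in groups.items()}


def rubber_stamp_reviewers(decisions, min_items=10):
    """Reviewers who certified at least min_items entitlements and revoked none.

    A 0% revocation rate on a meaningful volume is treated as a review-quality
    signal rather than proof of perfect provisioning (assumed threshold).
    """
    groups = defaultdict(list)
    for d in decisions:
        groups[d.reviewer].append(d)
    return sorted(
        reviewer
        for reviewer, items in groups.items()
        if len(items) >= min_items and not any(d.revoked for d in items)
    )


def campaign_spikes(decisions, baseline_pct, tolerance_pct):
    """Campaigns whose %R exceeds baseline_pct + tolerance_pct.

    The baseline comes from the organization's own history; the tolerance
    absorbs expected churn (job changes, contractors) before a round is
    treated as a spike worth investigating.
    """
    limit = baseline_pct + tolerance_pct
    return sorted(c for c, pct in pct_by_campaign(decisions).items() if pct > limit)


if __name__ == "__main__":
    for campaign, pct in sorted(pct_by_campaign(SAMPLE).items()):
        print(f"{campaign}: %R = {pct:.1f}")
    print("rubber-stamp reviewers:", rubber_stamp_reviewers(SAMPLE))
    print("campaigns above baseline:", campaign_spikes(SAMPLE, baseline_pct=1.0, tolerance_pct=5.0))
```

Run against the sample, the quiet quarter comes out at 2.5% and the rollout quarter at 12.0%; "bob" is the only reviewer flagged, and only "2015-Q2" exceeds a 1% baseline with a 5-point tolerance. In practice the per-reviewer view is the more actionable one: a campaign-level %R that looks healthy can still hide individual managers who approve everything.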
Delivering a return on governance
This methodology is only a portion of delivering a return on governance. Keeping users from obtaining too much access in the first place is a far better way to reduce risk. To accomplish that, in the near future Identity Analytics and Intelligence (IAI) will identify high-risk requests for access, and the accounts that need special attention during access certification, making both processes more efficient.
For now, access certifications remain the focus of Access Governance, and delivering a return means driving an appropriate access revocation percentage.