Are you getting a 'Return on Governance'?

David Mount discusses the need for access governance, the kind of return that can be expected on it, and delivering a return on governance

David Mount, director, security solutions consulting EMEA, Micro Focus
David Mount, director, security solutions consulting EMEA, Micro Focus

When reading the latest Cost of Cyber-Crime Study by Ponemon, I was surprised to read that for the first time Access Governance tools were shown to be the number one deployed technology to enable a reduction in the cost of cyber-crime. But despite that, the study also found that when it comes to return on investment (ROI), Access Governance falls to fourth place.

So why is the return so much lower? And what can you do to deliver a better ‘Return on Governance'?

Access Governance – the ‘why'

As a starting point, it's important to look at the reasons for implementing identity governance tools in the first place. Often this is driven – and funded – by compliance. Organisations look to demonstrate effective access certification control through governance tools, and have done so reasonably successfully up to now.

However, solely focusing on compliance is not going to help when it comes to ROI. Auditors may be satisfied by the “rubber-stamping” of certifications across the business, but ultimately the mindless approval of access means there will be too many people with too many privileges. Not only that, these people often retain access long after they have left the company.

It's only a matter of time before the CFO and the CISO start to question this approach – and rightly so. Identity governance isn't just about satisfying auditors. It's also about reducing risk and, in turn, providing a return on the investment.

Managing expectations

Identity governance won't directly drive revenue for the business, as is the way with the majority of security technologies. This means that ROI can't be thought of in a traditional sense but instead needs to be considered in terms of a return on governance – the cost of access governance versus the risk reduced.

The cost of identity governance can be found with relative ease if the organisation has a good understanding of direct and indirect costs. But complications arise when it comes to measuring risk reduction.

However, there is a metric related to Access Governance – referred to as %R in this piece – which can be used to measure risk reduction. This is the percentage of access revocation following each round of access certification.

Setting the benchmark  

When looking at what would be an acceptable %R for your organisation, it's important to firstly think about what 0%R looks like. No organisation is perfect, so unless your provisioning and de-provisioning process is so good that no one is ever granted more access than they need, this is an important step.

But what should the upper boundary look like? This will be influenced by numerous different aspects of each individual business – anything from a recent merger, the number of job changes within the company, the amount of regular contract workers and the company's pace of growth.

In order to find the right %R, it's important to base line the current state and apply these corrections. The acceptable %R will exceed – or at least meet – these expectations.

Let's put this in context with a real-world example. Imagine a publically traded restaurant group, with an initial low %R – say, 1%. The company acquires another restaurant group, which means people are going to be given access to a new financial application, while others will leave after the acquisition. All of this will affect the %R.

We expect the %R to spike while the new application is initially rolled out, assuming the revocation of access hasn't been automated. In turn, there would be an additional spike once the next phase of change has happened within the organisation. All of this is dependent on the process to de-provision access and how mature this is.

‘Return on Governance'

This methodology is just the first step in delivering a return on governance. What's more important is that users are given the correct levels of access from the outset.

In future, I expect there to be a bigger focus on Identity Analytics and Intelligence (IAI) as a means of identifying the highest risks within the organisation. But for the time being, access certification is the focus of identity governance. Organisations need to look at driving an appropriate access revocation percentage if they are to provide CFOs and CISOs with a return on this essential investment.

Contributed by David Mount, director, security solutions consulting EMEA, Micro Focus