
How to Tell Whether You’re Getting a Return on Governance

Like Many Security Technologies, Access Governance Won’t Directly Drive More Revenue for a Business. So How Can You Deliver a Return on Governance?


Surveys can be mind-numbingly dry, but there is occasionally something surprising to be learned about what is happening in the industry. Ponemon’s 2015 Cost of Cyber Crime Study (PDF) shows Access Governance tools as the number one deployed security technology to enable a reduction in the cost of cyber crime. This marks the first time that Access Governance has been at the top of this list in this survey.

More interesting is the fact that despite its wide adoption, Access Governance falls to fourth place in terms of return on investment (ROI) in that same survey. Why is the return so much lower?

Why is Access Governance implemented?

To understand why return on Access Governance is lower versus other security technologies, we first need to understand why Access Governance is implemented in the first place. More times than not, the driver for implementing Access Governance (and the source of budget) is compliance.

Like kicking bickering family members out of the house after a holiday meal, we seek to make the auditors go away by demonstrating an effective access certification control. And we’ve been relatively successful at that. But there’s a downside to the focus on compliance.

Our line of business managers have figured out how to rubber-stamp the certifications, which may be enough to satisfy an auditor, but it hasn’t reduced risk for our organizations. By allowing those managers to mindlessly approve access for everyone, there are too many people with too much access. Even worse, people who leave our organizations often continue to retain access for significant periods of time.

We have to ask ourselves, how long will CFOs and CISOs accept this pretense? CFOs want to know that the significant spend on Access Governance is providing a return on the investment, and CISOs want to reduce risk in the environment, not just satisfy auditors.

What kind of return can be expected on Access Governance?

Like many security technologies, Access Governance is not going to directly drive more revenue for a business. So the question of ROI has to be reconsidered in terms of return on governance, specifically measuring the cost of Access Governance versus the risk reduced.

Accurately representing costs is a challenge, but generally achievable if direct and indirect costs are understood. The more difficult measure is risk reduction.

Fortunately, while imperfect, there is a metric that is an outcome of Access Governance, which can be used to measure some amount of risk reduction – the percentage of access revocation following each round of access certification. We can use %R as shorthand for this metric.

So, what is an acceptable %R?

This question falls into the infamous “it depends” category. Consider what a 0%R means. Perhaps your access provisioning and deprovisioning process is so good that there are no situations where someone is granted more access than they need. Of course, the more likely answer is not that your organization is perfect, but rather that your managers are rubber-stamping every certification.

So we can assume that 0%R isn’t good. But what should the upper boundary be? The reality is that this will be influenced by actions of the business. For example,

· Has there recently been a merger or acquisition that could cause a spike?

· What is the typical amount of job changes that happen in your organization?

· Do you have a cadence of contract work that requires regular access provisioning and de-provisioning?

· Is your organization matrixed, such that personnel switch projects from time to time reporting to different managers?

· Is your organization growing and adding new people, where there is a temptation to clone access rights based on someone who has been in the organization longer?

Finding the appropriate %R for your organization will require baselining the current state and applying corrections for business conditions. An acceptable %R is one that meets or exceeds the expectation set by that baseline and those corrections.

For example, imagine a publicly traded hotel group that has financial applications governed by SOX section 404. Perhaps the baseline %R on these applications is relatively low, maybe 1%, as there are contractors occasionally working on maintaining them. But then there is an acquisition of another hotel group, and more people are going to be given access to a new financial application that will replace the previous one. And some people will leave the organization a few months after the acquisition is completed.

We would expect to see a spike in %R during the initial rollout of the new application, but only if revoking access to the old application isn’t automated as part of the rollout. And there would be a follow-on spike in %R once the second wave of organizational change occurs. All of this is conditional on the level of process maturity for de-provisioning access.
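As an added illustration of the %R metric and the baseline comparison described above (example code written for this article, not the author's own tooling; the campaign data, reviewer names, 1% baseline and 3-point tolerance are constructed assumptions), the following computes %R per certification round and flags the two failure modes the text describes: a 0%R round that looks like rubber-stamping, and a spike above baseline that is either explained by a known business event or needs investigation.

```python
from collections import defaultdict


def make_campaign(name, reviewer, approvals, revocations):
    """Expand counts into (campaign, reviewer, user, decision) tuples. Constructed data."""
    rows = [(name, reviewer, f"u{i:03d}", "approve") for i in range(approvals)]
    rows += [(name, reviewer, f"u{i:03d}", "revoke")
             for i in range(approvals, approvals + revocations)]
    return rows


# Hypothetical certification export: four quarterly rounds, 100 decisions each.
DECISIONS = (
    make_campaign("2015-Q1", "mgr-a", 99, 1)       # steady state: 1%R
    + make_campaign("2015-Q2", "mgr-a", 100, 0)    # everything approved: 0%R
    + make_campaign("2015-Q3", "mgr-b", 88, 12)    # acquisition rollout: 12%R
    + make_campaign("2015-Q4", "mgr-b", 93, 7)     # no known business event: 7%R
)


def revocation_pct(rows):
    """%R for a set of decisions: revoked / total, as a percentage (None if empty)."""
    if not rows:
        return None
    revoked = sum(1 for r in rows if r[3] == "revoke")
    return 100.0 * revoked / len(rows)


def pct_by(rows, key_index):
    """%R grouped by campaign (index 0) or by reviewer (index 1)."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[key_index]].append(r)
    return {k: revocation_pct(v) for k, v in groups.items()}


def assess(pct, baseline_pct, tolerance_pct, expected_event=False):
    """Classify one round's %R against the organization's baseline."""
    if pct is None:
        return "no-decisions"
    if pct == 0.0:
        return "suspect-rubber-stamp"   # more likely nobody looked than nobody over-provisioned
    if pct > baseline_pct + tolerance_pct:
        return "spike-expected" if expected_event else "spike-investigate"
    return "within-baseline"


def assess_campaigns(rows, baseline_pct, tolerance_pct, events=()):
    """Map each campaign to its verdict; `events` names rounds with a known business cause."""
    return {c: assess(p, baseline_pct, tolerance_pct, c in events)
            for c, p in sorted(pct_by(rows, 0).items())}


if __name__ == "__main__":
    for campaign, verdict in assess_campaigns(DECISIONS, 1.0, 3.0, {"2015-Q3"}).items():
        print(campaign, verdict)
```

Grouping by reviewer (`pct_by(DECISIONS, 1)`) gives the same signal per manager, which is where rubber-stamping actually shows up.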

Delivering a return on governance

This methodology is only a portion of delivering a return on governance. Keeping users from obtaining too much access in the first place is a far better way to reduce risk. To accomplish that, Identity Analytics and Intelligence (IAI) will in the near future identify high-risk access requests and the accounts that need special attention during access certification, making these processes more efficient.

For now, access certifications remain the focus of Access Governance, and delivering a return means driving an appropriate access revocation percentage.
