SailPoint CEO Mark McClain answers CBR’s questions and reveals his top five issues in cybersecurity and identity management.

CBR: What’s the first question a CISO should ask you?
MMcC: "How can identity and access management help me move my company forward and make my company more competitive in the marketplace, while simultaneously making us more secure?" IAM empowers not only IT professionals, but also business users, allowing them to do their jobs more easily and securely. With the rise of the hybrid IT environment, coupled with a growing, globally dispersed workforce; the proliferation of BYOD; the addition of contractors who need access to important business systems; and migration to the cloud, only IAM can tie everything back to the user, providing a holistic view into the enterprise’s IT infrastructure.

CBR: If you were to propose one piece of cybersecurity compliance legislation for the world, what would it be?
MMcC: While there are some clear downsides to compliance legislation (e.g. unintended consequences, too much focus on following the letter of the law and too little focus on achieving the true objective, etc.), I suppose I would be in favour of a single piece of legislation that required companies to produce a report detailing the access privileges for each and every "insider" (employee, contractor, partner, etc.) to all critical information (PII, financial, etc.). Insisting on this level of clarity would go a long way toward controlling the "breach" problems we see in the industry.

Mark McClain’s top five cybersecurity issues
1. The dissolution of the traditional perimeter: The traditional network perimeter is rapidly vanishing, thanks to the increasingly complex relationships between people and data. Relying on a well-protected wall around the corporate network is no longer a sufficient form of security. Enterprise security is moving into a new paradigm, becoming identity-centric. And as identity is put at the centre of IT, organisations are becoming better equipped to optimise their workforce, reduce security risks and maximise the return on their computing, networking and application investment.

2. The proliferation of the cloud: Cloud adoption is accelerating for most enterprises, and cloud computing is becoming an integral part of enterprise IT and security infrastructure. Based on current adoption trends, it’s clear that the vast majority of new applications purchased by organisations will be SaaS applications. The allure is evident, from cost savings to speed of deployment to flexibility and simplicity. Industry experts have continued to predict that the cloud migration would stop short of mission-critical applications in some organisations, though, because of the prevalent belief that on-premises systems are more secure than those in the cloud. Although it’s clear that cloud apps are the future for enterprises, the benefits of the cloud can be negated if it leaves a business exposed to security breaches and compliance issues. As an organisation’s security profile changes with the cloud, so too must its security measures.

3. The new attack vector is the human vector: In today’s digital world, business users need access to a myriad of critical systems, applications, and data in order to do their jobs. There is more data to protect than ever before, spread increasingly far and wide, and often outside the corporate firewall perimeter. At the same time, hackers have moved on to a new attack vector, the human vector (employees, contractors, partners and even suppliers). In many of these cases, a legitimate identity is knowingly or unknowingly hijacked for illicit purposes. In order to prevent or minimise data breaches tied directly to insiders, businesses have to become more user-centric when it comes to security. That means leveraging a comprehensive approach to IAM programmes, ensuring a single, unified view into and automated control over all user access.

4. The rise of shadow IT: As the proliferation of the cloud continues, so too will instances of shadow IT. On one hand, shadow IT means that business users are adopting applications and technology that give them the power and flexibility to do their job. However, without oversight from IT, those very same tools are increasing the organisation’s risk exposure. By going around IT to deploy new technologies, organisations not only have limited visibility into what data exists and where, but also who can access that data and how to govern that access. As this trend continues, it will only increase the risk of security breaches and failed audits if enterprises don’t learn how to manage it. It’s imperative that companies have automated policy and controls in place to monitor and manage user access across the entire enterprise – including mobile and cloud applications – in order to minimise that security and compliance risk.

5. Getting ready for GDPR: The battle for privacy over personal data took an important step forward recently with the EU’s approval of the General Data Protection Regulation. The new law dramatically changes how organisations approach protecting customer data. Not only does it give citizens in the EU better control over when their personal information is collected and how it will be used, but it also includes significant financial penalties if companies fail to protect their collected data. These penalties can reach up to 4 per cent of a corporation’s annual revenue – a "stick" that will definitely get the attention of senior management teams. The passage of GDPR has important implications for enterprise identity governance programmes. Now is the time for organisations to check the security of their identity, before the enforcement and penalty phases of the law take force.