“No Win” Situation for Corporate IT
Facing market churn, constrained budgets and fewer resources, Fortune 1000 companies surveyed by SailPoint Technologies described the major struggle their corporate security departments face in preventing identity-related losses and complying with regulations. The SailPoint survey was conducted in November 2008 and focused on identity governance during a recession. Most participants indicated that the greatest risk to their organizations was managing to the same performance expectations with lower budgets.
Of the 100-plus IT managers and directors who responded to the survey, the majority believe they do not have the information they need to adequately manage the risk of data breaches or internal fraud. In fact, nearly 70 percent can’t summarize which workers have access to the most critical applications and data. Further, if faced with a layoff, 44 percent of respondents are unable to remove access privileges of terminated employees on a timely basis.
“We’re in a period of high churn - layoffs, divestitures and mergers and acquisitions,” said Mark McClain, CEO and founder of SailPoint. “These factors create a ripe environment for abuse of access privileges. IT departments are responsible for managing access to critical data and applications, but as that task gets more complex, they’re faced with lower budgets and fewer people. That’s a formula for increased risk, leaving companies vulnerable to disgruntled employees and even ex-employees who retain access after they leave.”
The survey also revealed that nearly half of the companies surveyed (46 percent) have failed IT audits due to access control deficiencies in the last five years. Yet, 61 percent of surveyed companies said their company policies and controls remain unchanged despite the economic downturn and increased risk exposure. When asked to name their company’s biggest risk exposure for 2009, no single answer dominated. Data breaches, meeting security needs with constrained budgets, weak access controls and poor provisioning processes were also top of mind.
“Corporate IT and security managers, like consumers, are being forced to make tough tradeoffs due to the economic downturn,” said SailPoint Vice President of Marketing and Founder Jackie Gilbert. “They’re caught in an unforgiving squeeze between fewer resources and higher demands, and are struggling to adequately address the spectrum of internal security risks. The proactive companies with identity governance strategies in place are better prepared to address these challenges, but the reality is that most companies are still reacting tactically to compliance mandates and haven’t had time to focus on this critical initiative.
“Today’s market dynamics have created an acute need for more people on the business side of organizations to become involved with identity management,” continued Gilbert. “Identity governance is the emerging category within identity management that brings benefits for both business people and IT teams. It provides the missing on-demand visibility into a company’s identity data and a layer of intelligence that gives companies the business insights needed to strengthen IT controls, holistically manage user access to sensitive data and reduce the risk of insider fraud or sabotage.”