Identity and Access Management – the power of an IT professional in a time of economic uncertainty

by James Turner
29/01/2009

Only a few months ago I ran a survey looking at the experiences of IT professionals with regard to Identity and Access Management. (The full report is publicly available, so if you’re interested in a copy please drop me a line.) There were a number of very interesting findings from the survey; one of these was around the topic of constraints.

I asked the survey respondents, “In terms of deploying or extending an identity management system, what holds you back is…” and then I gave them a range of options which they could agree to (multiple responses allowed).

The two most popular answers were these:

  • 58 per cent of the respondents agreed with the statement that they had higher projects or priorities at this time.
  • 51 per cent of the respondents agreed with the statement that they had insufficient resources to deploy and/or support an identity management system.

Now, I ran this survey through May and June of this year, and the economy was already looking shaky, though not as calamitous as it has since October. But even at that point my IT professionals were already saying they didn’t have enough people to throw around at the projects that needed to be done. And when I say “needed to be done”, I mean, of course, that I think they need to be done.

Now I’m sure you’ve been watching the layoff tally mounting in the IT sector over the last few months. It’s getting nasty out there. Let’s not play make-believe on this one: in all probability it’s going to get worse. Many more people are going to lose their jobs.

Sadly, this is leading us into a nasty situation where:
1) IT professionals are having their livelihood taken away.
2) They are able to access parts of the organisation which are highly sensitive.
3) The few technologies which could have helped to mitigate any sabotage or fraud are often not adequately deployed in the first place, and they certainly won’t be getting them now.

If you’ve seen the film Fight Club, you may remember a scene where the character of Tyler Durden threatens a city official by telling him, “We cook your meals. We haul your trash. We connect your calls. We drive your ambulances. We guard you while you sleep. Do not **** with us.” The message was pretty self-explanatory – the members of the fight club formed the backbone of society. If you turn on them, then they are in positions of power and their retaliation will be very nasty indeed.

IT professionals are in this position of power for pretty much every organisation which is large enough to have dedicated IT security staff (or even large enough to outsource this). If the IT guy turns on you, then you’re heading towards a world of hurt.

I was talking to a security system administrator a few weeks ago who works for a global organisation, and you would recognise the brand instantly. This system administrator is very senior and, knowing him well, I take him seriously. He said quite plainly that he had the capability to shut the entire organisation down for, at least, a few hours – and this would be a very expensive few hours.

Do you think that the CEOs of our ASX companies know that one disaffected IT worker could give their organisation a kick in the guts that it would take hours to recover from? Often the most damaging part of an IT attack is on the organisation’s reputation.

Now I’m certainly not saying that every fired IT professional is going to go rogue on you; we’re talking about a percentage of a percentage. But this is one area of risk that can be substantially managed with soft skills. Respect goes both ways.

The full report is publicly available. To receive a copy, email the author.

 

 

Article Added: 29/01/2009
