Cyber incidents for the thrill of it?

by Phil Quade
March 10, 2025

A note from Oleria CEO, Jim Alkove:

Leaders I meet often remind me why I’m passionate about building a world where every organization is trusted to protect the data of all people. Phil Quade is one of those leaders. With decades in operations and administration at the NSA, Phil brings unique insight on risks that organizations and governments alike are navigating. He’s always willing to share his knowledge — and often puts things into sharp new perspective.

During a recent conversation, Phil and I talked through an analogy that’s both entertaining and deeply relevant to identity security. I asked him to share his perspective in this newsletter, and I think you’ll find his words both enlightening and thought-provoking.

Attention thrill seekers

Who needs drinks when you can instead have the excitement of a cybersecurity incident?

It’s hard to make the topic of IT operations a stirring drinks & dinner conversation — with all the technical jargon, acronyms, and mind-numbing regulations. But talking about the ‘adventure’ of dealing with a cybersecurity incident — now that’s thrilling, high-suspense drama.

In fact, if you like living on the edge, there’s a very sure way to keep the cybersecurity excitement high: neglect your identity governance, just for the thrill of it.

A Game of Thrones drama

Imagine your company as a medieval castle (a very original analogy, I know): You've got your sturdy walls, a right-sized moat, and your trusty knights. 

Identity Governance is like the castle’s gatekeeper, making sure only the right people get access to the good stuff. And neglecting Identity Governance is like removing that gatekeeper — it makes all of those defenses pretty worthless. What good are they if you let just anyone wander in and out?

A primer on Identity Governance

Jumping out of the castle and back to the real world, Identity Governance in IT is the process of managing and controlling digital identities within an organization. It's about knowing who has access to what and making sure that access is appropriate and secure.

Why is it so important? For starters, it helps prevent data breaches. If you don't know who's logging in, and what permissions people and processes have once logged in, how can you be sure they're not up to no good? It’s also critical for compliance with various regulations, such as GDPR and HIPAA. And let's not forget about productivity: When employees have the right access to the right tools, they can work more efficiently and effectively.

Choose your own adventure: Two paths to implement Identity Governance

If I were talking to a dinner table of sober-eyed, cybersecurity incident-scared peers, I’d pass along a few tips on how to effectively implement Identity Governance. But to make it less preachy, I’d probably note that they have a choice:

Choice 1 - Do each of the following very thoroughly:

  • Identity discovery and classification: Like digital detectives, find and categorize all your digital identities—identities used by people, software, and processes. This helps you understand who has access to what.
  • Access certification and review: Regularly check if people still need the access they have. And I mean beyond the "rubber stamp" access reviews that happen currently. It's like spring cleaning for your digital permissions.
  • Privilege management: Make sure people only have the access they need to do their jobs. No more unnecessary privileges!
  • Identity lifecycle management: Automate the entire process of creating, modifying, and deleting user identities. If you’re not using automation—if not machine learning—you’ll fall behind.
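The four practices above can be combined into one automated pass. The sketch below is an added example, not code from the original post or from Oleria: it classifies each identity and flags access that is beyond the role's needs, stale, or left behind by an offboarded owner. The inventory rows, field names, role baselines and the 90-day threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample inventory (not real data): one row per access grant.
# Fields: identity, kind, owner_active, role, entitlement, last_used
GRANTS = [
    ("alice", "human", True, "engineer", "repo:write", date(2025, 3, 1)),
    ("alice", "human", True, "engineer", "prod-db:admin", date(2024, 6, 2)),
    ("bob", "human", False, "analyst", "crm:read", date(2025, 2, 20)),
    ("svc-backup", "service", True, "backup", "storage:read", date(2025, 3, 9)),
    ("svc-legacy", "service", True, "backup", "storage:delete", None),
]

# Assumed role baselines: the access each role needs to do its job.
ROLE_BASELINE = {
    "engineer": {"repo:write"},
    "analyst": {"crm:read"},
    "backup": {"storage:read"},
}

STALE_DAYS = 90  # assumed threshold for "still needed?"


def review(grants, today):
    """Return (identity, kind, entitlement, reasons) for every grant that
    should not be rubber-stamped in an access review."""
    findings = []
    for ident, kind, owner_active, role, ent, last_used in grants:
        reasons = []
        # Lifecycle: the person or owning team has left, the access has not.
        if not owner_active:
            reasons.append("owner offboarded")
        # Privilege management: access outside what the role requires.
        if ent not in ROLE_BASELINE.get(role, set()):
            reasons.append("beyond role baseline")
        # Certification: evidence of use, not just a manager's signature.
        if last_used is None:
            reasons.append("never used")
        elif (today - last_used).days > STALE_DAYS:
            reasons.append(f"unused > {STALE_DAYS} days")
        if reasons:
            findings.append((ident, kind, ent, reasons))
    return findings


if __name__ == "__main__":
    for ident, kind, ent, reasons in review(GRANTS, date(2025, 3, 10)):
        print(f"{ident} ({kind}) {ent}: {', '.join(reasons)}")
```
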

Choice 2 - Get ready for some changes in your life:

  • Update your LinkedIn profile: Maybe it’s time to put your name out there in case you need to look for a new job soon.
  • Warn your family & friends: You may have to put in more evenings and weekends. Cybersecurity incident response is a heavy lift. No, wait; that’s too charming of a description. It's not a party, it's a crisis. Expect long nights and weekend work. It’s intense — and rightly so, with the need both to right the ship and ensure it won’t immediately happen again. Stakeholders demand answers. Your General Counsel and PR teams practically lose their minds. Say goodbye to evenings, weekends, and vacation plans.
  • Line up a lawyer: Because things could get really bad, really fast. Dereliction of duty by an IT security executive is no longer ‘just’ a professional embarrassment, a cause for job loss, or a personal financial hit (due to lost business or stock price drop) — it can now land you in jail under a criminal charge.

While Identity Governance may not be the most exciting dinner topic, it's essential if you want to avoid ‘the thrill of the breach’. But if you’re tempted to roll the dice by not getting control of your Identity attack surface, brace yourself for some excitement.

More from Phil Quade

Want to hear more from Phil Quade? Earlier this year, he authored an article titled, “Why I am betting on Oleria as the future of identity security”.
