Gartner 2023: The State of IAM Program Management 

By Addy Agee

The establishment and delivery of an IAM Program is vital to delivering Identity First security. Whether you are new to identity or delivering identity and access management currently, you need to understand and communicate the role that identity plays within your organization to enable your workforce, customers and business partners to deliver their strategic initiatives.

This session discussed the driving forces behind the changes in IAM program management, emerging trends and best practices, and what you should be doing this year to improve your organization’s IAM program.

The key questions were:

1. What is driving change in IAM program management?
2. What are the emerging trends and best practices? 
3. What should I be doing this year?

Identity and Access Management (IAM) programs are crucial in ensuring the security and privacy of an organization’s digital assets. IAM programs are designed to manage and control user access to sensitive information, applications, and systems. As technology continues to evolve, the need for effective IAM programs also increases and organizations may struggle to keep up with the changing landscape, leading to gaps in the program’s coverage. The lack of clear risk ownership can lead to confusion about who is responsible for specific risks and how they should be addressed. Some organizations may fail to recognize the role that identity plays in their overall security posture or may focus too narrowly on implementing IAM features without considering their strategic value. It is important to communicate the value of IAM programs in terms of enabling business processes rather than just securing them.

What Is Driving Change In IAM Program Management?

The rapid digital transformation and the increase in cyber threats are the primary drivers of change in IAM program management. As organizations continue to adopt new technologies such as cloud computing, mobile devices, and the Internet of Things (IoT), they face new security challenges. These new technologies are increasing the attack surface and making it more difficult to manage user identities and access rights.

As new technologies are adopted, the risk of cyber threats, such as phishing attacks and data breaches, increases. As cyber threats become more sophisticated and frequent, organizations need to implement robust IAM programs to ensure the security and privacy of their digital assets. This, along with the number of people now working remotely, make it much more difficult to defend against these threats. 

“Credential Misuse Was Involved in 40% of Security Breaches in 2021”

What Are Emerging Trends And Best Practices?

Emerging trends and best practices in IAM program management focuses on Identity First Security. 

Identity First Security – Three C’s

Consistency of the experience regardless of where the infrastructure is. All users, employees, business partners, customers, etc, need to have the same experience. That experience must be as frictionless as possible. 

Context awareness includes taking all the data from IAM and non-IAM systems and bringing the data to the forefront. Decisions should be based on that context. 

Continuous – IAM is a program, not a project. Constant change brings constant projects. 

According to Gartner, in order to successfully follow the three C’s, you must focus on the user journey and break down the steps it takes for a customer, employee, api, machine, etc to arrive at their destination – recognizing things like location, IP addresses, common clicks. Businesses should also implement an ITDR to successfully achieve the three C’s. Protecting your infrastructure helps mitigate risks by adding a new layer in defense posture. 

“By 2026, 70% of identity-first security strategies will fail unless organizations adopt context-based access policies that are continuous and consistent.”

What Should I Be Doing This Year?

To improve your organization’s IAM program this year, it’s time to develop or refine your IAM vision and strategy. Treat your IAM program as a critical service that focuses on people and processes. Educate stakeholders with a goal to balance risk, productivity and user experience. Aim to deliver value early and often, as incremental values may be seen as more positive rather than a large single milestone – IAM is a program made up of several projects. Gartner recommends starting to review use cases to understand where you could apply identity-first security. 

“An IAM program is a critical service for every organization to evolve to “identity first” security”

Last but not least, stay informed about emerging trends and best practices in IAM program management. Attend conferences and seminars, read industry publications, and engage with IAM experts to stay up-to-date with the latest developments. Idenhaus’ experts are here to help!