The IT Security Hot Potato

I recently witnessed a real-life case of the ‘hot potato’ game between IT Security, the Line of Business and Corporate Compliance at one of my long time and loyal customers.

I recently witnessed a real-life case of the ‘hot potato’ game between IT Security, the Line of Business and Corporate Compliance at one of my long time and loyal customers. The scene, almost as if directed by a Hollywood professional, illustrated the conflicts organizations face when it comes to rolling Identity and Access Governance projects involving many groups.

To set the stage, in my work, I speak with IT and Security personnel whose ultimate goal is to support the business in which their company functions. Whether it is a retailer, bank or an internet company, IT is there to make sure the backend processes are running efficiently and in a timely manner.

In conversations, this is a common discovery:  IT doesn’t think its organization is ready to support personal mobile devices (BYOD), but yet people already are using their personal tablets to connect into the VPN. Another example: IT doesn’t think its company is ready to move to the cloud, but it found out that a line of business has recently purchased a new cloud application using a vice president’s corporate AMEX. In both cases, it becomes IT’s job to make sure that corporate standards and regulations are still met, but rarely does IT get more people to handle the growing load.

As a result, they let the Business take responsibility when possible. A Ponemon study on cloud security showed that 77 percent of respondents believed that ensuring the security of cloud computing providers was the responsibility of the end users or business unit management. And this presents the conflict among the departments.

Technology, run by IT, helps organizations in addressing compliance needs when business managers approve employee access. It is part of an Identity and Access Governance solution and the process is usually referred to as ‘user attestation’ (also known as ‘certification’).

User Attestation is a growing requirement of all major regulations like HIPPA, SOX, PCI and now also FERC. The challenge for IT is translating into business terms some of the IT Security jargon that business managers need to understand. How can you make a business user understand that RACF transaction “SMF12a” allows users to approve payments while “SMF12c” lets them initiate a payment, and the combination of the two is a Segregation of Duties violation which can end up in an audit finding? If the business is now responsible, how can we bridge this language barrier so IT and the business can easily collaborate?

This issue is not new to organizations.  In fact, my colleague Phil Kenney recently blogged about this need as he asked the question: how does IT gain more relevance to the business leaders? One way is to start speaking the same language – or at least provide a dictionary.  We need a Business Glossary or a friendly business description instead of showing things in IT terms. For example, instead of “AD Group EX12FIN,” you could show a description of ”Expense system for non-managers.”

Playing out the scene above once in a real conversation, I explained the benefits of enriching technical entitlements with business glossary and everybody seem happy. But then I asked,  “Who should be the owner of this business glossary? Who will provide and maintain the data to make sure it is current and relevant?“ That’s when the fireworks began.

In the end, we finally recognized that while IT Security can own the process of updating the data within the application, the data has to come from the Business side of the house because they are the ones who can deem it accurate. For example, they know that they need to make sure their employee has access to the expense portal as a non-manager.

However, getting the Business to cooperate in these types of processes can be extremely difficult and can cause some of these processes to fail. This is where we need to get Corporate Compliance to make a strong mandate. It is the cooperation of IT Security, Compliance and the Line of Business that will transform IT silos into meaningful business-relevant actions and operations.

Is this the same in your organization? Comments and feedback are welcome.

Written by

Sharon Farber

Sharon, a CISSP and veteran of the Security and IAM business, is Product Manager for…

Published in


View this topic
  • James Holland

    This is great. Hooray for Disney’s imagineers!


    become a new brand in the share market research with its accurate research. Proven
    itself always right whether market is bull or bear. Last week all paid clients
    booked handsome profit in NIFTY, BANKINIFTY & STOCKS. Now for the coming
    week we expect more correction can come in NIFTY as the IRAQ issue is getting
    more tense, If it happens more then you will see a sharp fall in all world marketNSE BSE, STOCK TIPSbecause as we know all world run on
    crude & most of the crude comes from IRAQ. So be ready for a sharp fall so
    sell will be the best strategy for next week also. Traders can make a sell
    position in NIFTY around 7600-7650 with stoploss 7750 for the target of
    7300-7200.One can also make a sell call NIFTY 50 stocks as per NIFTY levels. You
    can also take our two days free trial to check our accuracy. For further updates
    you can visit our website.



  • king lear

    testing comment functionality, please do not publish this

  • Rachel Macik

    Love the personal pic :)

    • CAHighlight

      Thank you!

  • Plutora Inc

    This is a good case study. 2.3 sec’s off a login transaction is big.

  • Michele Hudnall

    While the analysts were hyping DevOps, I posted the oversight of not including security as part of that discussion as you are highlighting here. Instead of just talking DevOps, it should be DOS (what’s old is new again :-) – DevOpsSec. As a previous AppDev person, it’s the app, who’s using it, why and where rather than the device and having the service available.

    As you rightly point, out Security should be baked into the solution.

    Nice Post and Timely!


    • CAHighlight

      Thank you for your feedback Michele. Agreed – security cannot be overlooked. Appreciate your input!

  • Mitesh

    I would love a printed copy

  • Lars Johansson

    I love the idea of BYOID! This makes me choose if I am almost anonymous (with my Hotmail Nicname) or official with identity from an official organisation. My Identity Provider will attach identity with right level of LoA according to the need of the Service provider.

    • CAHighlight

      Thank you for your comment. BYOID has tangible benefits for end users and relying parties but it also has to be weighed in the balance with potential risks and liability concerns. It will be interesting to see how BYOID plays out in the enterprise.