Episode 185 - GluuFederation/identerati-office-hours GitHub Wiki
Title: The Human Gap in Your Identity Program
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Sean Juroviesky, Senior Security Engineer, SoundCloud
Description
Technical teams are incredible at searching out issues, building frameworks, and automating solutions to help strengthen their identity program. However, we often find new platforms or services in use across the organization that we were never informed about. Maybe it's a "one-off" program only used for one client, maybe it's a service we just quickly onboarded through an M&A, or maybe it's the classic "oh, we just didn't want to bother your team about it." By building strong relationships across the organization and putting a friendly face on your identity program, you can help eliminate this classic source of shadow IT.
Homework
- Dashlane Blog: 3 Recommendations for a Human-Centric Approach to IAM, According to Gartner - An identity team can't implement human-centric design if they don't have strong relationships with the business units to understand their daily workflows.
Takeaways
- ⚡ Security works better when the security team partners with the humans. People are far more likely to disclose mistakes, workarounds, or unknown tools when they believe security is not there to yell at them.
- ⚡ The point of security is risk reduction. A healthy program makes it easier for employees to report issues quickly, so the organization can contain damage instead of wasting time hiding mistakes.
- ⚡ Human-centric security still has to be tied to business reality. The security team should frame security concerns in terms of business impact.
- ⚡ Culture matters, but it becomes real only when leadership reinforces it and operations embed it. Executives need to actively select an "approach". At the same time, it's clear that these approaches, e.g. the metrics, are not mature; we need more work here to make the governance behind the culture more effective.