Catalyst Epiphany #1
I have an ugly confession to make. I watched the rise of compliance as a business driver for Identity Management, and was pleased but not particularly interested in what it was that suddenly opened the budgetary gates for the projects I was part of.
When I thought of compliance, I would briefly consider how I was helping executives sign little pieces of paper that kept them out of hot water with the auditors, and then I would go back to thinking about organizational efficiency, process for the sake of bringing order to chaos. It’s easy to say that compliance is important, without ever understanding why it is so.
This is before I saw Nick Leeson speak at this year’s Catalyst conference.
You can’t listen to Nick’s story without your jaw dropping. Nick was the trader who caused the collapse of the Barings Merchant Bank in 1995. He was able to do what he did, because he could control every single piece of information that might have led to his discovery. His superiors didn’t understand the business, and therefore could only take Nick’s word for everything. Same went for his auditors. The resulting business failure was unimaginable.
Sitting in the room, listening with disbelief and amazement to this story, everything clicked for me. Everything I do and recommend in the Enterprise Identity world is applicable to this one story.
There are two things that happen in a provisioning project that make a compliance difference I had never considered before:
- We create observability in systems beyond the control of the asset owner.
- We create referential integrity for systems such that account activity does not occur in a vacuum.
The goal is not necessarily to catch bad guys here. The goal is to ensure that nobody can take an action and also hide that action. When every account has to resolve to a real person in the Enterprise, and any account created that doesn’t do so shows up on an audit report without the system owner having any say in the matter – well that makes a difference. When the reports and summaries that are generated happen out of the control of those who might wish to change the data within – it makes a difference.
And when the executive sponsorship of an Identity Management program are truly behind a project such as provisioning, and ensure that the project stays on target and that at the end, the compliance targets match & reflect the BUSINESS (a feat that no IdM consultant can know for sure they have accomplished) — it makes a difference.
I’m not sure that I’ve expressed this well — but I can tell you that I will do my job differently from now on. From now on, when I talk about compliance, I will not be thinking of making the lives of the CxO’s easier and/or more worry-free. I will be thinking about how I can make sure that if there is a cause to worry, it will cross the desk of the person who can recognize it and act on it. It is a small difference, but a critical one.
Adventures of an Eternal Optimist 
Interesting. Thanks Pamela. I’ve been calling your point #1 “IT transparency” though I admit that I haven’t felt it resonate strongly with people in the field.
I think this post is particularly important amongst the trend to bash GRC as having importance in driving IdM. I don’t know why the discussion of GRC is threatening – I think it’s similar to an anti-FUD campaign.
But this story shows the real underlying issue. This is why we started talking about GRC in reference to IdM.
Very well stated. I too was amazed how Nick has such broad control and how the company ignored many warning signals.
Ok … wer’re dying … the 2nd Epiphany is … ?