In an era of widespread digitization, companies are vulnerable to criminal activities that can jeopardize businesses of all sizes anywhere and at any time. Addressing this threat, Identity Access Management (IAM) can safeguard enterprises and strengthen their path to achieving growth and business goals, says security expert Andreas Rieber.

With over 20 years of expertise in IT and cybersecurity, Andreas Rieber is far from a newcomer. After starting his career at the National Security Agency (NSM) in Norway, he worked as the Chief Information Security Officer (CISO) at Nets Group for ten years and later assumed the role of Chief Security Officer (CSO) at MasterCard Payment Services. Currently, he holds the position of Executive Director, Cyber & Security, at KPMG in Norway. He was a long-term customer of Security in Columbus (formerly ICY Security) in his previous roles.

As an IT security officer, you must deal with global threats, but IT security expert Andreas Rieber at KPMG believes that the general security discussion is characterized by too much hype.

Focus on local, relevant threats

There is a constant outcry of "wolf! wolf!" and ongoing apprehensions about hacking. I want to see a perspective shift. IT security should seamlessly integrate into the entire business. This holistic approach not only safeguards the enterprise but also plays a key role in facilitating business operations, aligning with specific business areas, and realizing overall company goals. I advise IT security managers to focus on relevance to their own company rather than generic warnings, says Rieber.

Rather than exclusively contemplating the threat landscape on a global, overarching scale, Rieber advises companies to shift their focus to individual, local considerations, and to factors specifically relevant to their own business.

Insufficient understanding of the company's operations among some security professionals may lead to uncertainties in prioritizing time and resources, potentially overlooking the most pertinent challenges and security solutions, warns Rieber.

Four key security questions

He highlights some important questions IT security managers should answer:

  • What is unique to the industry and the market where the company operates?
  • What is the cost of downtime?
  • What is the most important IP (intellectual property)?
  • What information and data must not go astray?

Rieber advocates for the development of a thorough and customized security strategy and plan, grounded in the unique needs and characteristics of the company.

The security strategy should meticulously factor in external conditions impacting the company, such as competitors, geopolitical conflicts, technological innovation, and vulnerabilities in new technologies. Addressing the unique aspects of the business is crucial, involving considerations like partners, the value chain, culture, and regulatory frameworks, underscores Rieber, further emphasizing:

Additionally, assessments should be conducted to gauge the company's vulnerability to current threats, evaluate compliance with relevant laws and regulations, assess the security of the company's systems and technology, and analyze past security incidents, recommends Rieber.

The security expert emphasizes that the security strategy must not be put in a drawer but form the foundation for a security culture that permeates the business. The strategy should address how the business:

  • Protects itself
  • Detects threats and intrusions
  • Responds to events
  • Restores information, data, and systems

IAM is the foundation for IT security

The foundation for IT security is to control and manage identities and access, known as Identity Access Management (IAM). All companies must have control over the identity and access of users from the time they are created until they are no longer part of the business, i.e. throughout the entire life cycle, says Andreas Rieber.

Many people are familiar with logging in through the access management systems AD (Active Directory) and LDAP (Lightweight Directory Access Protocol). AD is Microsoft's directory service for managing users, user rights, and resource control, while LDAP is commonly used as a shared login solution that provides access to several services. Rieber believes that businesses of a certain size need more than AD/LDAP to ensure good IAM.

Beyond AD and LDAP, solid processes and effective tools are essential. Maintaining comprehensive control over identity is key, as it dictates the user's access to information and systems. The risk of unauthorized individuals exploiting access to a user identity can potentially lead to security threats such as ransomware attacks, where files and systems can be compromised, says Rieber.

IAM increases productivity

The security expert emphasizes that IAM, the processes for controlling identity and managing access, must not become so cumbersome that it gives rise to shortcuts, shadow IT, and so on. Rieber points out that good IAM both increases the level of security and acts as a "business enabler", making it easier to collaborate, support growth, make acquisitions, sell off parts of the business, and more. He explains:

Effective IAM ensures swift and secure access for new employees, enabling them to promptly utilize the necessary systems and solutions for their roles. This principle extends to both partners and employees, where IAM guarantees access only to essential services and information for a specified duration. Correct IAM processes make the business both more productive and safeguard IT security.

Rieber emphasizes the significance of solid IAM solutions, particularly during company acquisitions, merger processes, or business separations (carve-outs). IAM plays an important role in quickly granting new employees access to central business systems, services, and collaborative tools, while ensuring that departing employees lose their access promptly, aligning with the needs of organizational changes.

Cybercrime is the world's third-largest economy

According to the World Economic Forum, cybercrime ranks as the world's third-largest economy with an annual turnover of 5.2 trillion dollars. This places it behind only the economies of the United States and China, surpassing even Japan, the fourth-largest economy, with a value of $4.4 trillion. The reality is that cybercrime proves lucrative, with minimal risk for criminals. Investigating and penalizing criminal hackers is challenging due to the fragmented nature of the crime, involving numerous people often situated far from the companies they target.

At first glance, the digital globalization of recent decades has led to many common denominators across the security domain. Threat actors operate globally and can hit businesses anywhere. Zero-day vulnerabilities are spreading fast across the globe. Hacking software and recipes are shared in global online forums along with login credentials, and more. In addition, wars and political conflicts lead to cyber threats from countries that want to attack the enemy.

For an IT strategy to successfully permeate the entire organization, the IT security manager must set an example. Acknowledging individual differences is crucial, as attempting to impose a one-size-fits-all template with cumbersome solutions often leads to individuals resorting to shortcuts, thereby exposing the business to unacceptable security risks, Rieber emphasizes.
