How to Engage Business Managers in Identity Management Compliance and Security Processes

Today's complex IT infrastructures have made identity management a business issue that engages not only IT in identity management compliance and security processes but business managers as well. Here, Knowledge Center contributor Mark McClain shares three best practices that IT should follow to ensure that business managers are active and effective participants in identity management compliance and security processes.


Global corporations have recently begun to recognize that identity management is very much a business process that underpins compliance and security efforts. Identity management has always been an extension of core business processes, ensuring that users have the access they need to do their jobs. When users leave the organization, that access is promptly removed.

In the last decade, however, government regulations have added new security and compliance demands that require companies to demonstrate and prove strong controls over "who has access to what." This shift has made it all the more imperative that IT organizations work closely with business managers. Because they are the ones who understand the business risks facing the organization, business managers can and should make the appropriate trade-offs between benefits and risks to the organization.

Many people in technology talk about bridging the gap between business and IT, or more accurately, aligning business and IT. But the reality is that engaging business users in security and compliance processes is no easy task. Addressing this difficulty can help organizations ensure the effectiveness of IT controls in managing risk and reducing corporate liability. To get organizations started in the right direction, the following are three best practices that IT managers can take to ensure that business managers are active and effective participants in identity management processes.

1. Build a culture of business accountability

Good identity governance ensures that organizations have full visibility into who has access to each critical application and system-and the risk this represents. The better managers understand the potential risks associated with access privileges, the better the company can mitigate those risks.

Business managers provide valuable insights into business risk, so a good identity governance program should regularly include review and approval of access privileges by business managers. By establishing a regular, automated process for business managers to review access, you can begin building a culture of accountability. You will be well on your way to ensuring controls that prevent fraud and enforce corporate policy.