Professionalization of Identity Management
Within the enterprise, the relationship between privacy and security gets rightly deserved attention. But neither privacy nor security professionals can fully address the challenges presented to them, because their default toolbox is incomplete. The tools they are missing are the stock-in-trade of the identity and access management professional - the very peers that are frequently excluded from the conversation. Digital identity is the primary way that privacy professionals operationalize the controls they need; in particular, the governance of who has access to what information. Furthermore, identity provides indispensable context to security professionals to help understand who is doing what. Identity’s voice is missing from the table and this is most unfortunate. I believe this is in part because, unlike the privacy and security industries, identity has not fully professionalized.
This is by no means to suggest that identity and access management practitioners are not professional in their approach: far from it! Consider, however, that privacy and security have professional organizations dedicated to the betterment of their industries and of those who work in them. These organizations provide a range of support, including professional development, shared good practices, certifications, and forums for interaction, and they provide a collective voice for their members.
Where can the identity management practitioner turn for advice? Vendors and implementation partners certainly can educate us about their products and approaches - and many of them do a very good job. Analyst firms can inform us about the market and in some cases, system designs and architectures. Local user groups can help as well. But this is a piecemeal and often biased approach.
This lack of professionalization has real impacts on the identity industry - and, by extension, the business customers and consumers it serves. First, learning about digital identity is a long process. Most identity professionals I speak with share a similar origin story: they learned a specific product, then another, then another, and then had the experience and vision to generalize their knowledge. As a beginning identity professional, you often learn one vendor’s user provisioning tool, another’s federation tool, and yet another’s privileged account management tool. And only with years of experience under your belt do you begin to fully understand identity management as a cohesive whole or even begin considering yourself an identity professional.
One of the reasons why learning to become an identity professional is so time-consuming is that there is no vendor-neutral body of knowledge for the industry. Without such a body of knowledge, it is difficult and time-consuming to build a new identity professional - a problem compounded by the fact that there are no identity management curricula at the undergraduate level. Unless your organization is a professional services company, the best you can do is very likely to hand a new hire a vendor manual, point her to a few blogs, and hope Stack Overflow and LinkedIn have some answers.
Second, becoming a great identity professional requires interacting with your peers and, hopefully, finding a mentor. But that discovery process isn’t straightforward. If you are lucky, there is an identity and access management meetup in your city. If you are not, you might find a helpful group online. But even then, your interactions will likely be infrequent, tactical rather than strategic, and so insufficient to accelerate the development of your own career.
In 2017, IDPro, the professional organization for identity, was formed to tackle these challenges and more. A non-profit, member-driven organization, IDPro provides a clearinghouse of identity meetups around the world so professionals can meet one another. It has a master calendar of identity-related events so that people can attend and learn. It offers an online forum where professionals can help one another. And IDPro publishes a monthly newsletter written by professionals for professionals with topics ranging from the identity of bots to the privacy implications of identity management.
IDPro is in the process of building a body of knowledge. Identity professionals from around the world are volunteering to help shepherd and write sections of a vendor-neutral living document that, in the future, will serve as the basis for professional certifications. As the body of knowledge coalesces, the membership has built an annotated bibliography of works that the members feel have been useful to them as they have grown as identity professionals.
Lastly, IDPro has, since its inception, conducted an annual Skills and Programs Survey. Among the questions we asked were: ‘what are the top priorities for your enterprise in the next 18 months’ and ‘what areas are you interested in learning about in the next 18 months’. The top 3 priorities for the enterprise were multi-factor and strong authentication, privileged access management, and user provisioning and lifecycle management. Interestingly, those three areas scored poorly in terms of individuals’ priorities; at the same time, the IDPro survey data revealed that a majority of respondents had experience in all three areas.
When asked about their own areas of interest, respondents identified API protection, blockchain (or similar) identity, and identity for IoT and Connected Device as the top 3 areas they want to learn about in the next 18 months. Of those, only API protection was highlighted as an enterprise priority by more than 10% of the respondents. This indicates that identity professionals are looking beyond current enterprise funding cycles and priorities to where the next challenges lie.
The one area in which enterprise and individuals’ priorities and interests were aligned was customer identity and access management (CIAM). About 20% of respondents identified CIAM as a priority for their business and an area of individual interest in the next 18 months.
For a CIAM program to be successful in the long term, the enterprise must put the customer at the center of its thoughts, designs, and service. Perhaps more than any other business initiative, CIAM requires that identity, security, and privacy professionals work together in support of stakeholders from all parts of the business to deliver services which respect and delight the customer.
The professionalization of identity management won’t guarantee your CIAM endeavor - or any other business objective - will be a success. But it will help to find, build and strengthen identity professionals who can be productive peers to your privacy and security teams. And that can only be a good thing.