Real-World Events of a CISO
I’m on the road again, sitting in a club lounge at O’Hare airport. It’s another typical Tuesday late morning, with a decent number of people busy typing (or in some cases hunting and pecking) through emails.
With that setting, here is a recap of a scenario that just played out a few feet from me:
The CISO Scenario
10:45am: I’m sitting at a communal work table and can’t help but overhear the CISO next to me struggling on the phone with someone while trying to determine what access three individuals have. I can’t be certain, but the situation doesn’t sound good. In my experience, a CISO is only on the phone with someone from IAM if there is a problem.
11:00am: The CISO and the mysterious IAM person on the phone are, in real time, looking up what these people have access to. I can see Active Directory Users and Computers open, along with a 3270 client accessing group connections in a RACF-based system. They are now trying to figure out when the three logged in and what they think those people might be doing. It’s not going well, based on statements like “How long will it take you to do that? That long?!”, “Why are we not storing that info?” and “So we are in the dark here.” I have a feeling someone is going to be making the case for an investment in some better privileged access management tools soon.
11:05am: The CISO is now pretty frustrated. He has accepted that he is not going to be able to get the information he wants and that the limited information they have will take some time to pull together.
11:06am: The CISO gets up agitatedly and heads to get coffee. He left his machine unlocked and his Outlook email client open on the screen. This is how I knew he was a CISO – based on his email signature. You cannot make this stuff up, folks. ☹
The Struggle Continues in 2017
This gets me thinking about how many companies still – in 2017 – struggle with just the basics of IAM. If a CISO called you – or if you are a CISO calling someone – how quickly and accurately could a report of what a person has access to be generated?
Do you know what they have done with the access they have? Is it a manual, semi-manual, or fully automated process? When you are dealing with access issues, you want that information fast and you want it to be accurate. Knowing who has access to what is fundamental to an effective information security program. If you need help assessing the current state of IAM for your organization, we’d be glad to help.
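The question above, what a person has access to across systems and when they last used it, is essentially a join over several identity stores. As an added illustration (not part of the original post, and not any vendor's tool), here is a small Python script that builds that report from constructed sample exports: an Active Directory group-membership export, a RACF connect-group export, and a person-to-account correlation table of the kind an HR system or IAM platform would hold. All names, account IDs and timestamps are made up; the privileged-group list is an assumption a real organization would replace with its own.

```python
from datetime import datetime, timedelta

# --- Constructed sample data (illustrative only, not from any real environment) ---
# AD export: one record per account, with group memberships and last logon.
AD_EXPORT = [
    {"sam": "jdoe", "groups": ["Domain Users", "Finance-Analysts", "Domain Admins"],
     "last_logon": "2017-03-14T08:02:00"},
    {"sam": "asmith", "groups": ["Domain Users", "HR-Staff"],
     "last_logon": "2016-09-01T17:45:00"},
    {"sam": "bkhan", "groups": ["Domain Users"], "last_logon": None},  # never logged on
]
# RACF export: one record per userid, with connect groups and last access.
RACF_EXPORT = [
    {"userid": "JDOE01", "connect_groups": ["SYS1", "PAYROLL"], "last_access": "2017-03-13T22:10:00"},
    {"userid": "ASMIT01", "connect_groups": ["HRDATA"], "last_access": "2017-02-28T09:00:00"},
    {"userid": "TEMP99", "connect_groups": ["PAYROLL"], "last_access": "2017-01-05T03:00:00"},
]
# Correlation table: one person, possibly many accounts. This is the piece the
# CISO in the story was missing; without it, per-system lookups never add up to
# "what does this person have".
PEOPLE = {
    "Jane Doe": {"ad": "jdoe", "racf": "JDOE01"},
    "Alex Smith": {"ad": "asmith", "racf": "ASMIT01"},
    "Bilal Khan": {"ad": "bkhan", "racf": None},
}
# Assumed list of groups the organization treats as privileged.
PRIVILEGED = {"ad": {"Domain Admins", "Enterprise Admins"}, "racf": {"SYS1"}}


def _parse(ts):
    """ISO-8601 string -> datetime, or None when the export had no value."""
    return datetime.fromisoformat(ts) if ts else None


def _latest(a, b):
    """Later of two optional timestamps."""
    if a is None:
        return b
    if b is None:
        return a
    return max(a, b)


def build_access_report(people, ad_export, racf_export, privileged, now, stale_days=90):
    """Per-person view: every entitlement across systems, which are privileged,
    most recent activity in any system, and whether the person looks stale."""
    ad_by_sam = {r["sam"]: r for r in ad_export}
    racf_by_id = {r["userid"]: r for r in racf_export}
    report = {}
    for person, accounts in people.items():
        entitlements = []  # (system, account, group, is_privileged)
        last_seen = None
        ad_rec = ad_by_sam.get(accounts.get("ad"))
        if ad_rec:
            entitlements += [("ad", ad_rec["sam"], g, g in privileged["ad"]) for g in ad_rec["groups"]]
            last_seen = _latest(last_seen, _parse(ad_rec["last_logon"]))
        racf_rec = racf_by_id.get(accounts.get("racf"))
        if racf_rec:
            entitlements += [("racf", racf_rec["userid"], g, g in privileged["racf"])
                             for g in racf_rec["connect_groups"]]
            last_seen = _latest(last_seen, _parse(racf_rec["last_access"]))
        report[person] = {
            "entitlements": entitlements,
            "privileged": [e for e in entitlements if e[3]],
            "last_activity": last_seen,
            # Never-used accounts are stale too: no activity at all is a finding.
            "stale": last_seen is None or (now - last_seen) > timedelta(days=stale_days),
        }
    return report


def find_orphan_accounts(people, ad_export, racf_export):
    """Accounts present in a system export but mapped to no person: the
    accounts nobody will think to review when someone leaves."""
    owned_ad = {a["ad"] for a in people.values() if a.get("ad")}
    owned_racf = {a["racf"] for a in people.values() if a.get("racf")}
    orphans = [("ad", r["sam"]) for r in ad_export if r["sam"] not in owned_ad]
    orphans += [("racf", r["userid"]) for r in racf_export if r["userid"] not in owned_racf]
    return orphans


if __name__ == "__main__":
    now = datetime(2017, 3, 15, 12, 0)  # constructed "report time"
    for person, row in build_access_report(PEOPLE, AD_EXPORT, RACF_EXPORT, PRIVILEGED, now).items():
        print(f"{person}: {len(row['entitlements'])} entitlements, "
              f"{len(row['privileged'])} privileged, last activity {row['last_activity']}, "
              f"stale={row['stale']}")
    print("orphan accounts:", find_orphan_accounts(PEOPLE, AD_EXPORT, RACF_EXPORT))
```

The exports themselves would come from whatever each system already offers (an AD module query, RACF LISTUSER output); the point the scenario makes is that the correlation table and the activity timestamps have to exist before the phone rings, or the answer takes as long as it did at that airport table.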