How to get the business to buy into User Access Reviews
Post by Glenn Folkes, Regional Sales Director
Increasingly I see compliance being used as a commercial differentiator, with purchasing departments asking for a company’s current compliance status. These organisations are looking for evidence that your business practices stand up to external scrutiny and, when they don’t, that you invest in business improvement. In this context, compliance is evidence of a well-run business.
Comprehensive compliance doesn’t happen by accident. It takes massive support from the business, and broad agreement that compliance adds value.
Working in IT Compliance and User Access Reviews, we frequently come across one core question.
How do we get the business to buy into User Access Reviews?
I always get the impression that people expect me to say ‘It starts with a workshop to gain executive buy-in’. You could start there, but that’s not where our value begins.
So let me walk you through it.
Step 1 starts with the delivery of accurate, up-to-date user access data.
I think user access reviews have a bad name because for years we have asked senior people to review and sign off on access compliance based on out-of-date data.
It has led to compliance programs being dogged by tick-and-flick reviews. People end up not taking user access reviews seriously, because the data is meaningless.
I understand completely why this happens. It simply takes way too long using conventional processes to collect access data and correlate it with user identities. By the time it’s ready to be delivered, the data is often long out of date.
That’s why accurate data is the first problem we solve with RightCrowd IQ. Accurate, up-to-date user access data means that reviewers are making real decisions that impact compliance and security today.
It’s also incredibly powerful for gaining buy-in and future engagement. As one team leader sees another with a better process, we often hear ‘I want what they’ve got’.
Step 2 is to make user access reviews easier.
You won’t be surprised that you can quickly gain buy-in by making somebody’s life better.
RightCrowd IQ has been designed to give user access Reviewers their time back. It’s a powerful motivator. What once took days poring over endless spreadsheets can now be accomplished through a portal and a single report.
Access reviews no longer need to be dreaded. We make them easier and a lot of other people would like them easier too.
Step 3 is to examine your business practices.
Timely data gives Reviewers the chance to ask ‘how did that happen?’.
The flow-on effect is that Reviewers and IT get the chance to examine process failures. Process improvements are made and, no surprise, the conversation with Audit changes too. Auditors love hearing ‘we identified a problem, we fixed it and here is the evidence’.
RightCrowd IQ helps you identify the problem, and gives you the evidence to demonstrate you’ve fixed it.
Step 4 is Executive buy-in.
Executive buy-in becomes the end result of better user access reviews.
Executives are also able to have a different conversation with their Auditors but, more importantly, the post-audit conversation changes with their Board. They are able to demonstrate the business is in control of its IT environment, they have the right tooling to identify problems and their leaders are in control of security. It’s the right type of win for any executive; it’s one they didn’t have to micro-manage.
You can get the business engaged in user access reviews, and it starts with the right tools and approach.
As always, I’d be happy to chat. Enjoy your week ahead.