Airplane Mode: Rise of the Chief Identity Officer

So all year I’ve been traveling around the country and having the following conversation: “Who owns identity?” (Shout out to Richard Bird from Optiv for creating the question.) The short answer: Nobody. So many hands are involved in the identity lifecycle that it’s hard to really assign it to just one person. And well, when everyone owns something, then nobody does. So maybe it’s time we change that. Whether we like it or not, someone will have to be the owner of a company’s identities (and the inherent risk that comes with them). Whether it’s the CISO, CIO, or CEO, when things go wrong (and they will) someone’s getting the blame. So rather than let that decision be made for us, why not define that position ourselves?

So without further ado, I present to you the Chief Identity Officer (CIDO). Their main focus is to create and manage the IAM program within organizations. They will serve as the head of a committee of stakeholders that impact identity (HR, IT, business line managers). They will have budget allocation that reaches across the business units of said committee and be responsible for how identity and access controls are managed and implemented.

OK, let’s let that sink in for a minute. For those of us who have lived in this world of identity, we know that’s a big ask and something that doesn’t quite fit the model of how we do things today, and that’s exactly the point, because where has that gotten us? It’s time to give identity the attention that it deserves, as having an owner directly responsible should help give direction and clarity to an area that sorely needs it.

So why a new position? Well, why not? The CIO has the entire company infrastructure to worry about and identity is just a portion of that, and oftentimes it’s pushed down the priority queue. Why not the CISO? Honestly, it could be the CISO, and this function may well just become a primary objective of the CISO, but Chief Identity Officer just sounds cooler! 😎 Why C-level? Because as we’ve seen, this done wrong can have a dramatic impact on the business and should be something that is planned for at the strategic level of the company.

A theme of this year has been how identity should be at the center of security. If we truly believe that (and I do), then we are saying that the core part of our infrastructure for protecting the things that we value has no owner. And we wonder why no one ever has a good answer when we ask “What went wrong?” Don’t take this the wrong way, I’m not saying that the CIDO will be there to solve all your problems and automagically make them disappear, but I believe it’s a start to make sure that the protection of identities and the things that those identities affect becomes a foundational part of a company’s strategy. So who’s ready to volunteer? (Cue the Hunger Games joke.)
