I recently saw a query from a major international consumer goods company headquartered in Europe asking “…we have a Privacy Officer, but we are also looking into the possibility for an Identity Officer, someone who is knowledgeable about SSO, identity and so forth. Unfortunately we are fairly new to the entire identity sphere.” It was an interesting question, so I started a dialog with my colleagues at KuppingerCole to see if we could come to some agreement about the need for such a position.
Martin Kuppinger voiced the thought many of us had when he said “Yet another ‘Chief whatever Officer’?” And it’s true the list of CxOs is beginning to read like the list of vice presidents of a US bank (a quick search on LinkedIn for those holding the current title “senior vice president” associated with Bank of America turns up 4706 entries!)
Since the questioner mentioned that they had a “privacy officer”, I searched to see if this was, in fact, a CPO. But it’s not. Questions about privacy are to be sent to the world headquarters “attn: Privacy Officer” or to any of their national HQs with the same notation. To me that means there’s someone in each office who is tasked with tracking privacy issues. Could an “identity officer” do the same? Since it doesn’t appear that the company wants to create yet another CxO, I decided to explore the possibilities of a privacy officer further.
A non-exhaustive search on Google brought up only one company with a person having the title “identity officer.” I did ignore the few references to people who were in marketing and were charged with creating or fostering “brand identity”: that is, the way customers/clients/consumers view the company. Palo Alto’s IdentityMind announced a Chief Identity Officer early last year. As it turns out, though, Dr. Taher Elgamal (the newly named CIdO) was to be more outward looking than to be concerned with internal identity issues. He’s quoted in the announcement as saying: “With IdentityMind we have developed a technology that allows us to establish the identity in the context of an Internet payment transaction with high degree of certainty. In this new role I now have the ability to focus on working with the Industry in expanding this definition and bridging the gap between users and their Internet identities.” So, still not what the gentleman who asked the question was looking for.
Further searching turned up a couple of postings/musings by people I follow in the Identity arena: Matt Flynn (currently with Oracle, previously with MaXware, RSA, Netvision and StealthBITS) and Matt Pollicove (currently with Commercium Technology specializing in SAP Security, previously with MaXware, Mycroft and Secude). While were initially writing in terms of a Chief Identity Officer, their thoughts are still valid for a lower level Identity Officer – even if they both wrote about this 7 years ago!
Unfortunately, no one seems to have taken up this conversation, nor done anything about instituting such a position since then. Maybe the time wasn’t ripe. Maybe now is the right time.
Pollicove, who started the conversation, stated he was doing it because “I am constantly thinking about how to make Identity Management a larger part of the enterprise, not only because it makes sense from [a] security and compliance [perspective], but because good, clean, organized IdM data results in a better running organization.” In other words, he thought IdM needed more visibility in the enterprise and that a CIdO would go a long way towards gaining this. Now I think we can agree that the visibility of Identity has risen, and risen considerably, within the enterprise without having a CIdO, but it’s generally risen for negative reasons (data breaches, cyber-snooping, etc.) rather than for, as Matt hoped, “a better running organization.”
Matt Flynn went a little further: “I agree with Matt that one owner would certainly make IdM projects easier to manage, but that's not the greatest benefit.” He elaborated: “I guess my vision would include a Director of Identity that reports to the [Chief Information Officer] or equivalent. She would be responsible for compliance, attestation requirements, establishing Identity policies, ownership of IdM solutions, backup and recovery solutions for identity-enabled applications, etc.” To which I’d also add access control.
Flynn went on to say, “A director of IdM … would need to find solutions that enable the business, facilitate ease-of-use and also maintain strict security guidelines. IdM solutions span the enterprise and the design, architecture and management thereof ought to be central.”
In your organization, especially if it’s a large one, is there a single person – or office – that’s responsible for everything touching identity throughout the entire enterprise? Does anyone coordinate policy on identity for employees, contractors, volunteers, clients, vendors, partners, etc.? If not, why not? If not – wouldn’t you operate more efficiently if there was one? More importantly, wouldn’t your organization be more secure with fewer cracks for the malefactors to slip through?
Would the director of Identity be part of the IT organization, or be on the business side? KuppingerCole’s white paper, “The Future of IT Organizations” will give you some help in making that decision.
I’m not saying you need a Chief Identity Officer, but perhaps a Director of Identity (or Identity Systems) within the office of the Chief Privacy Officer (or the CIO) might be the answer. Let me have your thoughts on this, either in the comments section, email to dk AT kuppingercole DOT com, or tweets to @dak3. If there’s enough interest, I’ll continue the conversation.
By the way, if you missed EIC last month, or missed my presentation on the Future of Authentication and Authorization, I’ll be webcasting an updated version in just a few weeks. It’s free but, of course, space is limited. Sign up now.