When identity pros get together and let their hair down, they like to swap stories about all the dumb and/or ill-advised things people do with their passwords. The BBC famously sent a camera team out to interview folks on the streets of London, asking them to reveal their user names and passwords and offering them a ham sandwich in return. More than half complied. Which calls to mind George Bernard Shaw’s famous question “What’s better: eternal salvation or a ham sandwich? Well, nothing’s better than eternal salvation, but a ham sandwich is better than nothing…”
In fact, most of the stuff you hear about the risks of identity theft and sloppy password management is anecdotal. Which is why I really enjoyed listening to Lora Deeds of Quest Software, who used the RSA Conference in San Francisco as the venue to introduce a survey her company did with Harris Interactive on the use of policies and technologies to manage and protect users’ electronic identities, including provisioning and especially deprovisioning of those IDs.
What they did was ask some 1,500 white collar workers and an additional 500 IT decision makers to tell them the truth about some dirty little secrets surrounding identity and security. They didn’t really find out anything new, but they did provide much-needed proof for some of the things we ID Pros have been assuming for years, namely that people and companies are extremely negligent in their everyday care and feeding of digital identities.
For instance, 52 percent of employees admit that they’ve shared their work log-ins and passwords with other co-workers, and vice versa. This does not include admins, who may actually be forced to share accounts with their peers because many corporate systems still lack modern PUM (Privileged User Management) capabilities. Quest didn’t actually ask if people write their passwords on post-it notes and stick them on their computer screens, but anybody who has ever walked through a large office has seen these “stickies of shame”. People just don’t like to talk about it.
In many companies, identity and access management is perceived as a sort of subset of IT security and treated as such. In fact, we here at KuppingerCole have been preaching for years that IAM can and should be a major enabler for increased productivity and new business processes. I myself have used the phrase “management by identity” for many years now, up to now with mixed results.
The Quest study bears us out, at least where productivity gains are concerned. One in five IT professionals admit that they spend more than 30 minutes each day logging onto applications, databases and other system components. That’s two and a half hours every week, ten hours a month, 120 hours a year. Most CxOs couldn’t care less or are unaware of the problem. How much is that costing them? Do the math!
Stories abound about what happens when people leave a company and take their digital assets with them. So the Quest study simply confirms what we’ve known all along, but it at least gives us some numbers. Ten percent of all IT pros questioned admit that they still have access to accounts from their previous jobs. Presumably, many others preferred to remain silent. One gentleman who shall remain nameless so that he can continue to receive discounts from Marriott and AT&T based on the fact that he used to work for Microsoft years ago told me: "My wife had to call the Marriott people about one of my bills. I told her: 'Just don't say I'm no longer with the company!'"
Finally, 34 percent of IT decision makers complain that their employers do not take IAM as seriously as they should. Actually, the question was: “Do they realize the value of IAM as an integral part of their security tools?”, but it comes to the same thing. This is good news and bad news, at least for us at KuppingerCole. On the one hand, we apparently need to do a better job convincing people. But on the other hand, it means that there are still lots and lots of potential customers out there we haven’t been able to reach out to yet.
Thanks to Quest, we now have yet another argument to present, and one that is all the more persuasive because it is based on real numbers versus the gut feelings of people who have been in the identity business for many years. And now: Why don’t we all go get a ham sandwich?