In the midst of the ongoing privacy and security conversations in financial institutions and organizations across the country, I want to put a stake in the ground and state that I believe identity is the missing leg of the security/privacy stool.
What I mean is that identity is both a means of expressing privacy requirements and a necessary set of security controls – as well as a key to delighting customers and driving business engagement. The use and protection of identity data has strong footing in both the privacy and security worlds. And yet, identity and identity management professionals are not first-class members of the conversation. Identity management is critical to your bank. Identity management is critical to any business.
One reason, in my opinion, is because we didn't expect the identity industry to stand alone for such a long time. Another reason why we didn't claim our seat at the table is because we didn't expect identity to be a subcategory of IT for so long. Ten to 15 years ago there was a thought that identity would be subsumed by larger, adjacent business process engines. Human resource management systems should have absorbed identity management, at least for employee identity. There was supposed to be a synergy between HRMS, identity and access management. The systems that managed a bank employee's job role and responsibilities ought to be managing that in both the online and offline worlds.
Similarly, looking at the business process engines that manage customer information, one would have surmised that customer relationship management systems absorbed customer identity functions. In such a world, the teams overseeing sales, service and marketing processes would be the voice of the customer and their business process engines would deliver the identity functionality the customer needed.
In both scenarios, the job of "stand-alone" identity management technology and professionals would have been greatly diminished. The path forward for professionals in such a world was to become technical HR, sales, service, or marketing, etc. professionals, acting as business system analysts serving their constituency or delivering architectures and process integrations to allow identity information to flow and be useful.
But for a series of organizational, political and cultural reasons these merged worlds did not fully materialize.
So, never expecting to be its own distinct interest group, the identity management industry never professionalized. Unlike the security and privacy sectors, which both have organizations to nurture their industries and professionals, identity management lacks such support. We turn to vendors, implementation partners, analysts and peers in our region for advice on everything from architecture, to tips and tricks, to getting a project funded, to building a career in identity management, and everything in between. Certainly, all of those can be good resources, but it is a piecemeal approach. We need a tide to lift all boats.
However, there are efforts underway to establish this type of framework for the identity industry. For example, the Kantara Initiative is a member-driven organization providing strategic vision and other means of support for the identity industry. In May, Kantara unveiled a drive to generate support from the industry for creating a nonprofit, open professional association to represent and certify digital identity professionals. Almost 400 identity professionals pledged their support online in the first 90 days. In February, the initiative plans to announce the future shape and form of the industry association. This is a good start with discussion groups underway to develop a body of knowledge, membership and services, governance and a code of conduct. Survey responses indicate certification to be a mid- to long-term goal. Building the community and a body of knowledge is the near-term priority.
The benefits to identity professionals of stronger and more widely accepted legitimacy for the industry would be far-ranging. Distinct support for the identity field would improve career development, raise self-confidence derived from the creation of a mutually supportive community for problem sharing, and deliver better, more secure outcomes for clients.
For the financial services industry as a whole, and its consumers, this type of initiative would make the industry's approach to consumer and enterprise identity management better quality, more consistent and predictable with ultimately an improved user experience.
The identity management leg of the stool didn't get sawed off by a corporate rival. It was because we lacked the confidence to say, "Identity management is crucial to both business and security."
But we have that confidence now. From all around the world we are meeting, talking and designing the future shape of this industry. In a relatively short time, history will be made as the third and final leg – identity – will be added to the security/privacy stool.
Ian Glazer is senior director for identity at Salesforce and is
the chair of the ID Pro Discussion Group for the Kantara Initiative.