The ignorance you’re fighting against

Aug 11, 2004 | 3 mins
Access Control, Enterprise Applications, Regulation

* Do your senior bosses know what identity management is all about?

Folks, it appears that you haven’t been doing your job, or perhaps you’re just being ignored. I’m speaking to both vendors and IT personnel here. The security execs and “senior IT” people don’t seem to get it when we talk about identity management.

BNX Systems recently surveyed attendees at the Institutional Investor’s Financial Technology Forum IT Security Conference in New York. The 70 respondents were senior IT and security executives of leading asset management and investment firms. Some of the results were interesting, and some were eyebrow raising. Here are the results from five of the questions asked:

When asked to describe their understanding of the term “identity management,” 39% replied they had little or no understanding of what the term means.

When the question was, “Do you currently have an identity management solution in place?”, though, 84% answered, “Yes”! That must mean that somewhere between one-third and one-sixth of the people surveyed thought they had an identity management project going, but weren’t sure what identity management actually was.

When they were asked what measures they had taken to tighten security in the past year, only 4% – FOUR PERCENT! – mentioned identity management as an area that had been touched. Of course, the 39% who admitted they were shaky on the meaning of identity management could have instituted changes and not even recognized them.

In an area that, to many of you, is the hottest thing in identity management, the attendees were asked how they are dealing with federal and state regulations. We talk about rollouts and completed solutions, but these “senior IT and security executives” are still, mostly, just talking about it. A full 56% haven’t even started implementing regulatory compliance.

But I have saved the “best” (really, of course, the worst) for last. When asked to rate the impact of identity management on business regulatory compliance, almost 1-in-3 (32%) of these senior execs said it had little or no impact!

I had thought that the prominence of regulatory compliance, which has been in all the tech journals, business magazines and even the popular press, coupled with the need for both privacy and accountability, meant that no one with any interest could doubt that identity management was central to being in full compliance with the regulations.

Where have we gone wrong? What else could we have done? What more must we do, and is the effort worth the candle?

Well, yes, the effort probably is worth the candle. Full security and full compliance can’t be achieved without a reasonable identity management strategy. But in order to throw more light on the subject we might have to burn that candle at both ends. Still, to paraphrase Eleanor Roosevelt, it’s better to light one candle of learning than to curse the darkness of ignorance. Keep up the fight.