However powerful your leadership, however large your organisation, however advanced your systems and however well trained your personnel, the success or failure of your critical systems can be decided in one small “go or no go” moment, writes Ben Bulpett, EMEA Director at identity security product company SailPoint.
On July 20, 1969, the USA launched Armstrong and Aldrin on a mission to be the first men on the moon. But little known to us, that historic moment nearly never took place. It was all down to one moment, and one minor member of the mission control team in Houston. Just after 4pm, the shuttle’s rather basic on-board computer alerted the team – Programme alarm 1202. Programme alarm 1202 was just one of hundreds, kept in a large manual back in Houston that everyone hoped would never be needed.
Steve Bales was a Guidance Officer tasked with knowing the landing computer systems for the lunar module landing, powering them up, monitoring them on landing – making sure the computer and its sensors were working.
But in that moment, he was more than this – he was a highly and uniquely provisioned part of an interconnected fabric of hundreds if not thousands of different workers at NASA. And he made the right decision in under 15 seconds.
The anecdote about the moon landing’s “go or no go” moment can tell us three primary things about how access in an organisation can be make or break.
For any employee to work efficiently and effectively, it is crucial that they have the right access to information and applications. Having access assigned clearly to each individual prevents bad habits such as password sharing from developing and becoming a workplace norm. Clear ownership of each login created means greater visibility for security teams, who can then effectively support users in a more targeted and tailored way.
The right access also means avoiding providing additional access that employees do not need, in order to minimise risk to the organisation and allow each individual to keep their digital footprint streamlined.
In the first instance, putting in place the systems and processes required to handle access so meticulously may sound overwhelming. But with the right tools, security teams can shift away from spending their time on password resets and other manual tasks and instead focus on more strategic priorities such as the rollout of training and advanced security defences.
Steve Bales had his comprehensive and cross-referenced manual. At the same time, providing a central location where employees can request and manage access can empower them to apply best practice even when they are time poor.
Putting in place self-service and even automated access controls can also support ongoing and evolving security needs, as well as employees’ day-to-day needs. For an organisation, a change in compliance procedures or a need to audit access can be a heavy burden if it still relies on manual systems to update and collate information. But by allowing changes in access to be made and logged automatically, it becomes relatively easy to report on access and identify ways to prevent vulnerabilities or areas of potential risk from developing.
In many ways the ‘right time’ is more accurately ‘all the time’. Data breaches, cyberattacks or simply a sudden change in business needs can arise at any time. Therefore, those organisations that are always considering and optimising their cybersecurity will be the best prepared to respond to emerging threats.
With that in mind, what are the “go or no go” questions that could be asked in your own organisations? What’s your Steve Bales moment? What does that mean strategically for your identity governance systems? What does that mean functionally?
Do the right people have the right access? And are they able to use it to best effect? Is every person in your system where they should be, with the tools they need and the access they require to act if the situation demands it, and in such a way as to more likely than not create a positive outcome? These are the questions of identity security.