Expert Kelly Manthey shows an identity management maturity model which highlights program maturity along with program capabilities.
- Capability maturity model (1:19)
- Role of auditors (2:06)
About the experts:
Kelly Manthey is the Vice President of Consulting Services at Solstice Consulting, a Chicago-based technology management consulting firm that helps companies be more successful through business process optimization and custom software development.
Peter Gyurko is a Senior Consultant with Solstice Consulting. His areas of expertise include custom application development, agile adoption with scrum, and Identity and Access Management.
Read the full transcript from this video below:
Identity management maturity model
Kelly Manthey: So, let's talk about the maturity model a little bit. One of the key things that we're going to keep touching on over and over again is that maturity means making progress across three fronts: people, process and technology.
So, if you leave here with one thing today that you're sick of hearing out of our mouths, it's, "People, process, and technology." It's fundamental, it's simple, but don't forget about it. The reason that we're harping on it a little bit today is because IT and IS are typically the divisions that your IDM projects stem from. Has anybody had somebody in a business unit or somebody in a customer-facing role at your company say, "I think we should do an identity management project"?
How many times does the business come to you and say that? They don't. It's an uphill battle a little bit because at the end of the day, who's the most impacted by this? It's the business that's the most impacted. Again, IT and IS organizations are a segment of the corporation.
In order to move from--and by the way this was adapted from my good friend, David Sherry, who's also presenting. This is a maturity model that he authored, and I thought it was awesome. I thought that he had presented it really well when he did it, so why reinvent the wheel? Let's go with what works. It makes sense, and it's very simple--so in moving from ad hoc and manual to standard and repeatable, you're becoming more established. Moving into simplified and automated, you're becoming even more established, and then, moving up into integrating all of your compliance requirements to become more optimized. There is no done. There is no end point on here. You are never done, and that's really the key thing.
I was having an interesting conversation with somebody yesterday, a technology vendor partner that we work with, and one of the comments that he made to me that really stuck was that audit is always going to find something else that you could be doing. It's not because they necessarily want to pick on you, but that's their job. Their job is to help you evolve your company, and it's really up to your company to decide, what's our tolerance for risk?
What's the cost-benefit of continuing to grow or to stay where we are right now? If everybody's comfortable with staying where we are right now, then maybe that's optimized for us. Just know that your internal auditors and your external auditors, it's their job to always push you just a little bit further than you already are today, and it's a good thing. It's a really good thing.