This article asserts that organizations need IAM workforce planning to ensure they hire and train their IAM staff and reduce potential IAM-related attack vectors. Without that knowledge and training, IAM processes may be implemented by individuals with only a basic understanding of IAM best practices, leaving open attack vectors that are exploited regularly.
For example, the top two exploit actions in the 2021 Verizon Data Breach Investigations Report were phishing and stolen credentials. One of the primary mechanisms to reduce the successful use of phishing and stolen credentials is to implement multi-factor authentication (MFA). Using MFA is a known best practice among IAM professionals, but is it known to software developers or system administrators?
Organizations can help address this competency gap by creating and growing a professional IAM workforce through workforce planning and a competency model.
Using the same example from above, implementing MFA is the top mitigation technique, but not all MFA is the same. An untrained professional may recommend an MFA option that is more robust than a username and password alone but is not phishing-resistant.
A more experienced professional may instead suggest a combination of phishing-resistant and non-phishing-resistant options, along with the risk and cost of each approach. This highlights why continuous IAM workforce training is essential for modern enterprises.
Define Your IAM Team
The Federal Identity, Credential, and Access Management (FICAM) architecture is a U.S. government reference architecture designed for federal agencies. This paper takes the U.S. Federal ICAM architecture as a starting point for IAM workforce planning, including building a competency model.
A workforce framework and competency model are guidelines, usually managed by the human resources office but developed by practitioners.
Even though the FICAM architecture was developed for the U.S. Government, many of the capabilities and services are common across organizations because all enterprises must manage identities, credentials, and access securely.
Organizations can adopt and adapt this approach to align with their own identity reference architecture and security requirements.
Evolve Your IAM Team
IAM-specific knowledge, skills, and abilities now exist to define an overall IAM competency framework. This IAM competency can be integrated into NIST NICE-defined work roles to help organizations strengthen workforce readiness.
The seven key roles commonly found within IAM programs include Program Manager, System Administrator, Software Developer, Network Specialist, Enterprise Architect, System Security Analyst, and System Testing and Evaluation Specialist.
Program Manager
A managerial role responsible for leading, coordinating, communicating, and integrating the program’s efforts. This role is accountable for the overall success of the enterprise identity program and ensures alignment with organizational priorities.
Depending on the organizational structure, this role may also be referred to as a director, branch chief, or associate vice president. The program manager should ideally report directly to executive leadership to ensure proper enterprise-wide support.
System Administrator
A purely operational role responsible for installing, configuring, troubleshooting, and maintaining server configurations to ensure confidentiality, integrity, and availability.
System administrators manage accounts, access controls, credential management, account creation, firewalls, and patches. Their role may overlap with other IT departments depending on organizational structure.
Software Developer
This role is responsible for developing and modifying applications and software systems while following software assurance best practices.
Within IAM environments, software developers may build login systems, federation assertions, authentication workflows, or identity integrations for broader enterprise applications.
Network Specialist
A network specialist plans, implements, and operates network services and infrastructure, including hardware and virtual environments.
This role may also support authentication and authorization services while collaborating closely with system administrators and cybersecurity teams.
Enterprise Architect
An enterprise architect is responsible for developing and maintaining business, systems, and information processes that support enterprise mission requirements.
Identity enterprise architects often define IAM governance structures, target architectures, security requirements, and long-term identity transformation strategies.
System Security Analyst
This role focuses on analyzing, integrating, testing, operating, and maintaining systems security across enterprise environments.
System security analysts frequently collaborate with application owners and business teams to translate business requirements into IAM workflows, access controls, and identity governance processes.
System Testing and Evaluation Specialist
This role is responsible for planning, preparing, and executing system tests to evaluate IAM processes and technical implementations against security specifications and business requirements.
They also develop and execute IAM testing procedures before deployment into production environments to ensure operational readiness and security compliance.
Organizations should ensure that their ICAM teams report to an executive steering or governance body to better integrate digital identity processes into overall enterprise risk management strategies.
Source: IDPro