How are you managing lack of interoperability among your organization’s tools for data security and IAM (identity and access management)? Have you found a way to orchestrate data security policies across these tools to avoid control gaps?
This is a tough one. Organizations seem to be doing better on the IAM side, especially with roles-based access across disparate systems, even in hybrid environments with cloud services and legacy systems. However, data security remains challenging due to the different controls and capabilities required for structured and unstructured data sets. Cloud-based services that take our data and adjust it add another layer of complexity. There isn't a single set of tools that can manage the entire landscape of data security, so we end up using multiple systems and services. Hopefully, future technologies will address this disparate landscape more effectively.
This question goes back to what we need to do. For example, our identity and access management solutions were scrutinized when COVID hit because the way people connected to us changed. We had to ensure the solutions were right for that time. It's important to use the right solution at the right time and for the right purpose. If you're going to a hot site, your IAM solution might need to be different, especially for critical reasons as opposed to day-to-day operations. You need to consider the temporal and contextual aspects of when and how you need things, not just look at it from a high level.
I think it goes back to the importance of data governance and classification strategy. We have tool sprawl because we used to let everyone buy whatever tool best fit their needs, which led to a less centralized model. Removing tools is always challenging because someone is always clinging to using them. Managing and orchestrating across all these tools is something many are still figuring out. For us, it's about applying our data policy across our entire infrastructure. Tools now ingest data across the entire stack, so PII isn't just stored in a specific HRIS tool anymore; it can be found in a wiki page or a conference page. Understanding what you're ingesting and where it's coming from is crucial to avoid control gaps. I don't think anyone has fully figured this out yet, but I'm open to hearing how others are tackling it.