In our Executive Summary on the Future of Digital Identities we reported how digital identities are becoming the foundation of our rapidly evolving technology-based and data-driven economy and society. It is a worldwide evolution across organisations of all kinds: private companies, government bodies and civil society organisations, and the people and organisations they serve.
If senior management puts digital identity at the centre of its data-driven business model and operations, it leads to concrete business benefits. For example, more efficiency as governance and processes are aligned, better user experience as colleagues feel facilitated in their work, more revenue as clients favour them thanks to a better digital customer journey, and increased protection as human errors are reduced and access rights to data are more controlled.
Organisations that are digitised to some extent will have a range of digital identities, including:
- For itself, its employees and (third party) co-workers.
- For its customers if it is a business, and for citizens if it is a government body.
- For the sophisticated devices it operates, such as computers and other internet-connected equipment as part of machine-to-machine engagement.
Each of the identities listed will be discussed individually in upcoming publications. In this article we focus on digital identities for the organisation’s employees. For reasons of simplicity and clarity, it is written on the assumption that the organisation is a private sector business. Where we state “employees” this could also mean third party co-workers. The underlying principles shared also hold true for government bodies and their workforces.
The paradox of facilitating employees and protecting the business
As organisations digitise and become more data driven, the purpose of digital identities is to both facilitate employees and the organisation in leveraging technology and data with low friction, and to protect the organisation at the same time. In short, it is knowing and controlling who, in terms of role and accountability, should have access to which systems and data, and with which rights, often referred to as role based access.
Central to facilitating employees in their role are the processes around employees joining, moving and leaving an organisation. This is referred to as an ‘identity lifecycle’. Any change in the identity lifecycle will have implications for the systems and data an employee should have access to, and with which rights. The relevance of protecting your data is increasingly apparent from the evolving sophistication of attackers’ social engineering techniques, in which manipulation through human interaction (for example text, voice or video via email, social media or phone) is used to obtain sensitive information. At the same time, there is an increase in the data protection and privacy rules and regulations organisations must comply with.
In summary, the paradox is immediately apparent: how can an organisation minimise administrative issues, whilst protecting the organisation and its data at the same time? Whilst this proves a challenge for start-up organisations, the challenge only increases in organisations who have existing legacy processes, governance and technology to deal with, especially as they become more digitised internally and externally. Furthermore, digitised collaboration is continually growing within industries, value-chains and across eco-systems. This increases the necessity and complexity of managing digital identities as system and data access rights may be more situational, for example in different cross business unit or cross value-chain project teams.
A well-executed digital identity strategy is fundamental for companies to efficiently and effectively leverage digitalisation in a responsible and secure way. Senior management generally acknowledge this, but often think or act like digital identity is a technology issue as they lack clarity on how digital identities create real value for their company in the short, medium, or long term. Unfortunately, this lack of understanding can lead to reduced leadership attention or guidance, and silos within organisations. The associated consequences undermine the success of the unified data driven business model and can impact the organisation in five domains: (1) mounting inefficiencies when governance and processes are not aligned; (2) poor user experience due to different systems; (3) added complexity with isolated, often operational and technology driven decisions; (4) lack of control when activities are predominantly manual; and (5) increase in security issues as manual activities enable human error.
How far along the digital identity transition journey are you?
So, how can organisations approach the digital identity opportunity?
It is all about the key factors to consider in getting things right and how far along that digital identity transition journey you are. As part of the business benefit specification, define why digital identities are a key strategic component for the organisation. C-level business leaders require both quantitative and qualitative business benefit insight regarding digital identity enabled user-experience, operational and cost efficiencies, and control.
Examples of potential business benefits are:
- Drive digital transformation – once you have aligned governance and processes, and simplified your technology architecture, you can accelerate and control digital transformation across the organisation as well as in any merger and acquisition activity.
- Improved user experience – as you have an improved security posture with advanced authentication, users have a better experience and the organisation has a higher level of authentication assurance.
- Increased operational and cost efficiencies – by creating centralised governance and automating processes such as new joiners, movers, and leavers processes, you can reduce manual activities and their associated costs.
- More business control – you can create real-time automated reports into who has access to which systems and associated data, enabling governance, privacy and audit.
By providing business leaders with insight into the quantified and qualified business benefits of digital identities, you add strategic value to the business model. This will support the integration of digital identities into the data driven strategy and operations allowing an overarching and responsible risk management based approach on business priorities. This can then be translated into a roadmap covering people and processes, and the associated decisions around technology.
Unfortunately, the majority of such roadmaps do not succeed in delivering the business benefits in full. This is a result of appointing inexperienced teams with knowledge of their part of the organisation but no change management skills and/or understanding of other business areas. This leads to silos and poor collaboration across roadmap clusters, teams, and regions. At the same time, the communication plan often ignores important stakeholders, who are not engaged due to a lack of understanding of the roadmap benefits and their role. As such, key success factors in any such roadmap include experienced change management, proactive stakeholder management, and a focus on effective communications.
Levels of digitalisation in terms of adoption and risk appetite can differ across countries within the same organisation.
Across the Asia Pacific region, for example, digital identity strategies adopted by more regionally oriented companies are diverse, but tend to fall into four broad regional categories:
- In South East Asia, companies are on the cusp of introducing digital identity systems, but many are struggling with how to include them in their overall strategy.
- Australia is more advanced, with some companies developing their own systems and some buying off-the-shelf solutions.
- In India, companies are making sure their data sets are integrated and their channels updated to ensure they capture the mobile and web traffic of the growing population.
- In China most platforms are developed and run by Chinese organisations with significant market dominance.
To create long term value as a business leader, it is relevant to understand that there are different approaches to defining and executing data driven business models and digital identity plans.
The role of Senior leadership
The examples in this article demonstrate that digital identities have value across the organisation and for each employee, and as such each member of the executive management has a role to play. The Chief Executive Officer (CEO) is ultimately accountable for the integrity of the brand of the organisation. For brand integrity, stakeholder trust is vital, and stakeholders such as investors and clients trust in an organisation’s ability to avoid and manage malicious attacks generated through social engineering and misuse of digital identities. The CEO should lead by example by positioning digital identity as key to protecting brand integrity as part of the data-driven business model. Top-down leadership will have major influence on an organisation’s risk management as they digitise with digital identities at the core.
For the Chief Financial Officer (CFO), control and real-time insight into the business is fundamental. In addition, the CFO and their department are a popular target for malicious social engineering to obtain sensitive data and trick organisations, for example, into incorrectly transferring money. As such, CFOs should ensure proper, automated segregation of duties and advanced authentication to significantly increase control and mitigate the risk of compromised credentials.
Above all, digital identity is a people challenge that requires the right governance, processes, and technology to succeed. Employees are challenged to demonstrate consistent security “hygiene”. It is up to the CHRO to ensure continuous awareness training as part of the training curriculum as well as efficient, uniform HR processes. In that context the Chief Human Resources Officer (CHRO) must work alongside the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) to limit human weaknesses as well as IT vulnerabilities.
Digital identity is about business benefits and the ability of an organisation to leverage digitalisation in a responsible way. As such, it is core to any organisation’s data-driven business model and operations and encompasses the activities of all employees, and each executive board member has a role to play.
In our next, soon to be published, chapter we will elaborate on the client specifics regarding digital identities and how as an organisation you can set yourself apart to generate more client loyalty and business growth. Watch this space!