I have a regular blog on Dark Reading on Identity and Access Management topics. Three recent ones:
- The Reason the OWASP Top Ten Doesn't Change - turns out six of the OWASP Top Ten are identity and access failures, who knew?
- The Most Important IAM Question: Who Does This? - a haunting question that most companies answer with ad hoc resources
- The Identity Cliff - kicking the can down the road on security works, until it doesn't.
The last one is really about how companies in general, and security in particular, look at hard choices around changing identity architecture as an optional thing ("we'll get to it some year"), but year after year the password crystal meth pipe is still getting passed around.
The can gets kicked down the road without major changes.
On consulting projects, I am usually brought in on a specific area, so it's usually not a competitive bid situation. But sometimes it is. In those cases, if I am bidding on a project, of course I would like to win the bid, even though I don't always. But there are plenty of reasons why people would want to go another direction: they want the reassuring embrace of a large vendor (well, at least until the invoice and end product come in), or there are other styles/processes/tools they might prefer. Plenty of legit reasons to shop other firms.
Every so often, I will do a bid and not get the project, and there is one type of this scenario that really bothers me. Some years ago, I put together a proposal for helping a company on security architecture: getting better tools and techniques to developers, improving identity architecture, and so on. The proposal went in, weeks went by, and they came back and said no project. I said no worries, I hope the company you went with does a great job for you. There was a long pause. That was when I realized they were not going to do the project at all. They treated security and identity as optional and were wishing it would all just go away, and a magic pizza box would save them.
If an 81 year old can dance Gangnam style, you can change and grow your identity and security architecture too.