Here at One Identity and SonicWALL, we’re really excited about our new marketing campaign centered around the “Department of YES”. We think it’s cool. We think it tells a great story. And we think that it’s very relevant to you, our customer. But just because we’re in love with the campaign, doesn’t necessarily mean that it resonates with you, or even matters in your world. So let me try and explain in the hope that it will strike a chord.
In the hundreds of organizations I’ve talked to, the natural tendency for those involved with security (and particularly those dealing with identity and access management) is to focus on what people shouldn’t be doing and locking down access so that risk is minimized through maximum security. As organizations grew and technology evolved, the knee-jerk reaction to risk has always been to fall back on additional controls that make sure the vulnerabilities are eliminated. Unfortunately these controls are often implemented with a myopic manner that stands in the way of achieving the business objectives the technology was intended to deliver in the first place.
Here’s a real-world example (from my life, as painful as that is).
I previously worked at a company that implemented a virtual private network to secure remote access for employees. This VPN required an agent on my laptop and typically took 3-5 minutes to connect anytime I wanted, or needed, to access resources on the company network. And since I worked primarily remotely, that was all the time. This company was acquired by a larger company with their own different VPN. So in order to get to things like my 401K, HR system, payroll, or corporate intranet resources I would have to log in first to the original VPN, then to the parent company VPN, then enter a multifactor authentication one-time password code, then login to the individual application I needed access to. In summary I had:
- Three separate passwords to remember, manage, and enter
- A multi-factor authentication token to maintain and use
- At least 10 minutes of down-time as the various authentications and connections worked out their relationships
- Frequent incidents of having to start the whole process over again due to the touchy nature of the various technologies and the unreliability of my remote internet connections
- A total dependency of my employers various IT staffs, and company-issued device – if the company didn’t control it, it was not allowed (the anti-BYOD).
All the company’s best-efforts to implement and maintain security created an environment of security actually being perceived as the “bad guy” because they have been forced to say “no” so often. I found myself avoiding doing the right thing because it was just too inconvenient.
The “Department of YES” is the exact opposite.
Imagine if I was granted unobstructed access to all the resources I need to do my job. Imagine if I only had one password to remember, and multifactor authentication was only invoked when it actually mattered (for example when I am logging in from an unfamiliar device or outside of my normal behavior-patterns). And imagine if when new, business-enabling applications or processed came on board, they would just work for me and all my co-workers without additional security hoops to jump through, more passwords, or reinventing the wheel that is already in place for established resources.
That’s what the “Department of YES” is. Switching IT security from being the heavy-handed purveyors of restriction and denial to the enabling and empowering heroes of furthering the business and getting the job done.
For you, becoming the “Department of YES” can run the gamut from making a specific, cumbersome security requirement seamless and transparent to the users to a full-scale overhaul of authentication, authorization, and administration – and everything in between.
Find out how you can: