Chief Identity Officer?

My colleague Matt P. recently introduced the concept of a Chief Identity Officer (CIdO) and a related Identity Management department. It's an interesting question -- who owns enterprise user identities? He's not asking who actually owns them now, but rather who should. If a CIdO presided over a department of IdM, which included HR, what would that mean for identity security and enterprise identity management? Well, I agree with Matt that one owner would certainly make IdM projects easier to manage, but that's not the greatest benefit.

I would think the CIdO would need responsibility for all user identities -- employees, partners, customers, etc.. She would find ways to enable the business while mandating the IT organization to implement solutions that follow strict security guidelines. All applications requiring user interaction would need to work through the CIdO office to get user enabled. In the real world, this seems like a long shot, but introducing the concept may provide a wake-up call to organizations with no executive sponsorship of user identities (and they do exist). I guess my vision would include a Director of Identity that reports to the CIO or equivalent. She would be responsible for compliance, attestation requirements, establishing Identity policies, ownership of IdM solutions, backup and recovery solutions for identity-enabled applications, etc..

Having a single office responsible for identity in an organization would yield numerous benefits. First, the people responsible for email systems, network OS, perimeter security, HR employee solutions, application development and others would be able to concentrate on their own responsibilities. Second, somebody would be 100% focused on how to provide the best identity solutions to the business while maintaining the highest standards of security. It's natural, for example, for application owners to make decisions that will enable their app users while diminishing audit capabilities. A director of IdM wouldn't think in those terms - she would need to find solutions that enable the business, facilitate ease-of-use and also maintain strict security guidelines. IdM solutions span the enterprise and the design, architecture and management thereof ought to be central. We've all heard the cliche - a chain is only as strong as it's weakest link. Well, if identity solutions are managed by strict policies from a single office, perhaps we would be less likely to lose a laptop holding the identity information of 250,000 people. In fact, we'd be less likely to have a laptop with important identity information at all. Less total links means less weak links in the chain. And to beat the analogy to death, a Director of IdM would mean somebody is there with a welding torch maintaining the chain and designing improvements rather than each group owning their own link. Something to think about. ...especially if you're one of those organizations with no executive IdM oversight.