Editorial

Securing the perimeter: Lessons from implementing identity management in a complex government organisation

Tracey Mills, a former senior leader in a large government department and now a director of cybersecurity at KPMG, shared her experience of implementing an enterprise-wide IAM strategy within a complex government organisation.

Posted 28 October 2024 by Christine Horton


As government agencies face increasing cyber threats, the importance of robust identity and access management (IAM) strategies has come into sharp focus. While much of the attention has been on securing citizen identities and external access to government services, internal identity management is equally critical to ensuring the continuity of government operations.

“A lot of the talk is about securing citizen identities and external access to government services, but we have an awful lot of civil servants, contractors and third parties working across government,” said Matthew Cooper, client director, central government at SailPoint. “Securing internal access to applications and internal services is equally important, if not more so, to ensure that government operations can continue on a daily basis.”

Cooper was speaking at the Think Digital Identity and Cybersecurity for Government event in London. He was joined by Tracey Mills, a former senior leader in a large government department and now a director of cybersecurity at KPMG, who shared her experience of implementing an enterprise-wide IAM strategy within a complex government organisation.

Mills highlighted the significant risks posed by the low maturity of IAM practices within the government department she previously worked for. “We didn’t really have the ability to confidently say who has access to what,” she explained. “That’s a significant source of risk that needed to be addressed.”

In tackling this challenge, Mills and her team developed an enterprise-wide IAM service, starting with the most critical systems and applications. However, she emphasised that the implementation was not just a technology project, but a broader programme focused on people and processes.

“It’s about stakeholder relationship management, governance, and using carrots rather than sticks to drive adoption,” said Mills.

Integrating the IAM service into the wider enterprise architecture and technology governance was also crucial, according to Mills. “Make sure you’re part of that wider environment, so you can leverage design patterns and anti-patterns to ensure new technologies don’t add to the pile of technical debt.”

Building a robust business case was another key element of the IAM implementation. Mills and her team focused on four key areas: cyber risk reduction, improving user experience, productivity benefits, and efficiency gains.

“It’s not just about cost avoidance,” said Mills. “There are tangible benefits in terms of user experience, productivity, and efficiency that can be quantified and used to build the business case.”

When it came to addressing the organisational complexity, Mills emphasised the importance of engaging with stakeholders and understanding the different levels and moving parts within the government department.

“It’s about talking to stakeholders, keeping your eyes on all the different parts of the organisation, and thinking about governance and how you fit into the wider enterprise,” she said.

Looking to the future, Mills sees potential in leveraging AI and machine learning to enhance IAM capabilities, particularly in the area of risk management. “AI and machine learning can be really beneficial in terms of identifying patterns and improving risk management,” she said. “But you have to be mature in how you use these tools, and ensure the organisation has the right level of maturity to leverage them effectively.”

The lessons learned from Mills’ experience underscore the importance of taking a holistic, business-driven approach to IAM implementation, particularly in complex government environments. By focusing on people, processes, and integration with the wider enterprise, organisations can build robust identity management strategies that protect both internal and external access to critical systems and services.
