The Business Value â€“ and Results â€“ of Identity ManagementTranscript of an Interview with Greg Kyrytschenko, Information Security Manager, Peopleâ€™s United Bank Editor's Note: Identity management is vital to the work we do and people we entrust to do that work. Editor Tom Field recently caught up with Greg Kyrytschenko of People's United Bank to discuss the business value of his Identity and Access Management project.
TOM FIELD: Hi, this is Tom Field with BankInfoSecurity.com. Iâ€™m talking today with Greg Kyrytschenko, Information Security Manager with Peopleâ€™s United Bank, and we are talking about identity management.
Greg, how are you today?
GREG KYRYTSCHENKO: Very good Tom. How are you?
See Also: A Guide to Passwordless Anywhere
FIELD: Very well. Now Greg, You have recently been involved with an identity management project. What was it, and what led to your decision regarding the scope of this project?
KYRYTSCHENKO: We went ahead and actually did the full provisioning and postured management was the core function item that we looked to introduce first and then also with the postured management to incorporate some authentication synchronization.
And what led us to go down this path was regulatory compliance and intended cross-segmenting, as well as increasing efficiency by reducing the number of methods that we used prior to requesting systematic stuff.
FIELD: So Greg, what is the value to an enterprise from automating user life cycle management as you have done?
KYRYTSCHENKO: A lot of things that it has actually gone ahead and done for us, as far as value, we actually are able to achieve regulatory compliance and prove ordering capabilities for our system access. We are able to manage access control between our human resource system and our enterprises identity access management solution. And we are able definitely to reduce organizational costs and increase efficiency by improving the time to deliver any provisional request. This is a big, big factor in the whole grand scheme of things.
What used to take us approximately 10 days to complete from a provisioning user life cycle now takes about five to 10 minutes. So, the time to deliver has definitely been increased, and we have also created a more simple process to actually provision and request access so our user community is definitely much happier with the way that things are panning out.
FIELD: Sure. Those are great results.
Now I was going to--you sort of anticipated the question on the business side. I mean, the question is ROI. How do you measure ROI on something like an identity access and management project?
KYRYTSCHENKO: Great question, Tom. And what we did up front was we began establishing security metrics early on. As we did, as we began to centralize security administration, over that time we tried to get the actual metrics to show business value to the organization and with that allowed us to, the organization to, embrace the continuous improvement to the actual identity and access management process.
FIELD: Bet you got a lot of attention with this project didnâ€™t you?
KYRYTSCHENKO: We definitely got a lot of attention. Weâ€™ve received some industry awards, and we actually are incorporating a lot of things going forward from bringing a system into the actual organization.
FIELD: Excellent. Greg, what were some of the unanticipated benefits from your project? I mean, just something that came up that you never expected might come up?
KYRYTSCHENKO: Some of the big things that I definitely have noticed are just that some of the organizations, how the organizations value identity and access management.
Our initial deployment was leveraging our human resource department and our retail banking, and we established some very great working business relationships, and those relationships then go ahead and carry on into other lines of business, which has enabled us to get work done quickly and have buy-in at an early stage in the process.
FIELD: Iâ€™m curious. Who first introduced this project? Was it something that you brought forward or was it something you inherited from somebody else?
KYRYTSCHENKO: This was a project that was an ongoing project that we wanted to actually go ahead and work on. We didnâ€™t actually have the budget for it in prior years, and then I actually inherited it as new management came into the organization.
FIELD: And of course it has become a bigger priority with just everything that we have gone through in the last few years.
KYRYTSCHENKO: Correct. Absolutely.
FIELD: How long would you say the project took by the time that you got a hold of it and finished?
KYRYTSCHENKO: What we--I actually started from soup to nuts, and we got our base level core infrastructure done in under six months, which is very quick by industry standards. And we did a lot of--we leveraged a lot of key individuals to go ahead and make that happen, and we were able to increase the priority internally to make sure that we met the actual dates and we also did it to appease our auditors.
That is where we actually ended up, you know, getting to--there is continuous improvement that continues to take place today as we continue to evolve and enhance what our current offering is.
FIELD: Sure. Now, Greg, how long have you been in banking and in security?
KYRYTSCHENKO: Iâ€™ve been in banking for a little over 10 years now, and I have been in security for approximately seven years now.
FIELD: Well, that is a century in terms of security these days.
KYRYTSCHENKO: Yeah, it really is.
FIELD: Greg, what advice would you give to someone starting out in the field of financial information security? Like yourself, if you came into the job today what advice would you give to yourself?
KYRYTSCHENKO: Well actually I have an intern now that I am coaching and mentoring, and the big things that I make sure that I let him know is to understand technology. And thatâ€™s any networks, servers, PCâ€™s -- understand the technology and how it actually works, and then after that understanding the basic principles of security. The 10 domains of security that are listed in the CISSP certification, or any type of security methodology, and then the big thing is that compliments that is the risk management perspective.
Understanding your threats, what control objectives you can put in place, understanding the common vulnerabilities that are out there that exist so that you can put an appropriate safeguards to control those threats and vulnerabilities.
And then the other big thing is just to make sure you stay abreast of new security products, threats and industry activity, you know.
FIELD: How much knowledge of banking does someone need to work in your industry right now? I mean, I always hear the value of being able to speak the language of business. Does that apply as well?
KYRYTSCHENKO: Absolutely. Understanding the language is definitely a value-add for anyone working in information security within the financial industry. So, knowing the terms is essential, and also knowing what the common buzzwords are helps to go ahead and be able to make things happen. And also being able to relate it down so that the business understands what you are talking about from a technology standpoint and what the potential impact is to any risk that you may face as an organization.
FIELD: Sure. What do you see as being some of the bigger trends that will affect the nature of--well of your internâ€™s career over the next few years?
KYRYTSCHENKO: Definitely the big things I see is moving more towards risk management and, you know, making sure that communication skills and education are essential to making sure that you are successful in that position. And also staying fresh on industry trends and what way the industry is going and using and leveraging good security models for your own organization as companies derive or create them and establish them.
FIELD: Excellent. Greg I appreciate your time and your insight today.
KYRYTSCHENKO: Thanks Tom. I appreciate it. Take care.
FIELD: Weâ€™ve been talking with Greg Kyrytschenko with Peopleâ€™s United Bank, and for Information Security Media, Iâ€™m Tom Field. Thank you very much.