Does your Identity Management Program Pass the ‘Marshmallow Test’?

February 17, 2016

There is a famous series of studies about self-discipline called the ‘Marshmallow Test’ that was run by Stanford University in the 60s and 70s. During these studies, children were offered a choice between getting a single marshmallow immediately or getting a whole bag of marshmallows if they waited for a short period, during which the tester left the room and then returned. Many succumbed to the pressure and ate the marshmallow shortly after the tester left the room; however, a small percentage were able to resist temptation long enough to get the bigger reward. The researchers followed up with their subjects over the years and found that children who were able to wait for the bigger reward tended to have better life outcomes.

The question we have for you today is, does your Identity Management program pass the ‘Marshmallow Test’?

Most organizations struggle with the temptation to implement an IAM technology quickly without having defined their processes, policies, and provisioning requirements. The implementation is seen as an event and not as what it really is: the start of an ongoing effort. Without customization, the organization must shoehorn its existing processes into a rigid framework defined by its out-of-the-box IAM platform. When this happens, it has adopted a ‘build and pray’ strategy that almost always results in a bad outcome. In extreme cases, the program fails completely; however, most of the time the organization limps along and spends many additional (and painful) months ironing out the kinks while it lives with the pain of a half-baked system.

Our advice is to resist temptation and aim for the bigger reward.

Start your Identity Management program with the proper process analysis to define data flow between systems, identify bottlenecks, and target the gaps between the solution and your existing processes so that they can be addressed before you go live. By delaying the gratification that comes from “getting something done”, you get the reward of “doing the right thing”, which is deploying successfully the first time. In the end, it is possible to deliver a fully functioning solution where your business processes and IAM technology work seamlessly together.

4 Key Questions to Answer During your Process Analysis

1. How much lead time is required to provision an employee (workstation, badge, mobile device, VPN access)?

Many organizations manually provision a temporary user account in advance of a new hire to kick off downstream provisioning processes. These provisioning processes can require a lot of lead time. An IAM solution that is tied to an HRIS system to initiate identity creation and provisioning can negatively impact these existing provisioning processes.


2. What is the SLA for Human Resources to create the employee in the HRIS system?

Many times, HR does not need to enter a new employee’s data until the day before their first payroll. This means that a new hire can be onsite up to 2 weeks before they have an HR record, so if your IAM system is integrated with HR you may actually degrade service levels by automating the onboarding process.


3. Are assets (e.g., workstations) provisioned the same way in all regions?

What works at Corporate often does not work in the field. Regional process variations need to be considered when defining a global process. Smaller offices may require drop shipment of a laptop and a month lead time, for example. Any latency introduced into the onboarding process can dramatically affect user productivity and the success of the project.


4. How are contractor identities managed?

Most organizations have a completely different process and a different set of systems to on- and off-board contractors. Often, hiring managers have the budget and authority to hire contract labor and there is not always a system of record to build and manage identities for these users; yet, they frequently have access to sensitive systems.

Remember, you can implement Identity Management with your users, or you can do it to your users. The choice is yours.
