You’ve made the three decisions necessary to start building your privileged account management (PAM) plan. The next step is to build consensus and create stakeholder buy-in by having four pivotal conversations with key members of your executive, business process, and IT teams.
Who you should talk to – and what you should say
Executive Team – Lead with, “It’s time to make privileged account management a priority.”
Getting Ready & Intel
- Secure buy-in from the top – The initial deployment will require senior leadership to understand the risks of unsecured privileged accounts, and just as importantly they will need to set deadlines by which all privileged accounts must be compliant. The prioritization of a successful PAM project will be driven from the top down. In addition to establishing accord with the CIO/CTO/CISO, it’s important that you engage the compliance and financial executives.
- Garner support to obtain budget and resources – Executive leadership can rally employees to make your PAM initiative an organizational priority, impart a sense of urgency and ownership across the organization, and prevent it from being derailed by minor issues.
- Analysis of high-profile breaches – Describe how privileged access controls factored into particular breaches and relate it to your company’s own risk profile.
- Penetration testing results – Assess how long it would take for a skilled adversary to compromise your organization’s privileged accounts. Show what assets an attacker can get to.
- Benchmarking – Reference industry practices for securing privileged access.
- Compliance requirements – Outline the privileged access regulations applicable to your organization.
- Proof-of-concept results – Do a proof-of-concept in which you implement increased privileged account monitoring and report on the results.
Business and IT Process Owners – Lead with, “Let’s optimize how privileged credentials are used.”
Getting Ready & Intel
- Emphasize teamwork and the desire to increase task efficiency with the initiative – Privileged accounts will be involved at some level in almost every critical business and IT process. For the most part, improving the security around privileged accounts will not deeply affect existing processes. Work closely with the owners of these processes to understand the underlying credential usage, bring that knowledge into the design of controls, and look for opportunities to improve security, streamline tasks, and reduce errors.
- Make business users allies – By helping leaders in business and IT to improve the security and efficiency of their processes, your security team can gain important allies. If prominent leaders in business and IT are champions of the initiative to improve privileged access controls, it can influence the privileged users within their groups.
- Who needs elevated privileges and when – Use the review of how privileges are used as an opportunity to reinforce the principle of least privilege.
- Feasibility of restricting an account’s use of certain commands – Talk about automated privileged access technology and how granular restrictions can be enforced.
- Risks and process change necessities – Balance the level of protection with the need to meet other business goals such as efficiency.
- Principle of separation of duties for this process – Look for ways to redesign processes so that technology automatically enforces separation of duties.
- Preventable error patterns – Talk about configuring controls to ensure certain steps require approval.
- Applications in use – Uninstall applications with embedded credentials if the application is no longer used.
- Session script requirements – Consider redesigning a script so that it requires shorter privileged sessions.
IT Admins and Other Privileged Users – Lead with, “We’re going to change privileged access procedures for the better.”
Getting Ready & Intel
- Show empathy and challenge perceptions – Buy-in from IT Admins is essential for the success of your PAM initiative. The “default” view of IT administrators is that they could do their job better with unfettered access and freedom to choose their own tools. They may see any additional steps or restrictions as making their job harder and slowing them down.
- Select the security team spokesperson wisely – The team member you put in charge of this type of conversation needs to be able to articulate the threat and to have technical knowledge of the platforms and applications involved. If your security team can’t address objections at a detailed technical level, the process may be derailed.
- Know that other privileged users are typically more accepting – Staff in non-IT roles who have privileged access – such as those who need to work with financial reports and bank accounts – tend to be more accepting of new controls.
- Changes to workflow – Demonstrate that the PAM effort will streamline some tasks and make the way they work with credentials much more efficient.
- Strong executive mandate – Discuss the importance of the initiative and persuade administrators to accept changes.
Developers – Lead with, “How can we better secure the use of privileged credentials in these apps?”
Getting Ready & Intel
- Acknowledge that refactoring applications can be a challenge – Many applications, scripts, and configuration files include hardcoded privileged credentials. There are inherent difficulties in updating older code, and some platforms make it hard to operate with less than the highest possible permissions.
- The right level of privilege for each application – Work together to determine the privilege rights for all your organization’s applications.
- Understanding least and excessive privileges – Discuss the principle of least privilege. Help developers understand the consequences of excessive privileges.
Be prepared to manage objections that may emerge during deployment.
- “You can’t take away those rights – I need them!” – Often you will need to convince people that the privileges they are losing are not necessary. Point out that the change protects them by reducing the risk that their accounts will be compromised.
- “I tried it and it doesn’t work.” – As changes to controls are implemented, users may report problems. Proactively set up a process ahead of time for responding to concerns. Be responsive as people adopt new processes and technologies. Maximize usability of the control design.
- “I don’t have time for this.” – When you encounter pushback, strong executive sponsorship of the initiative is extremely important. Focus on the value you bring to users and help them to see the benefits.
- “This feels like Big Brother.” – Administrators can be sensitive about increased monitoring. Reassure them and address governance issues such as what reports are run when and by whom.
Technical expertise and soft skills are needed to pull off these conversations. The third and final blog will expand on the skillsets you need to be successful and will explore some of the elements of an effective PAM deployment.
And if you’d like assistance from our team on how to have these conversations with your stakeholders, contact us. We’re here to help.