We continue our discussion with Bill Bonney, most recently Director, Information Security & Compliance at Intuit, Inc. In Part 1, we asked Bonney about the rising importance of customer experience as a competitive differentiator. In this follow-on interview we talk about the dual priorities of security and customer engagement that digital business is pushing to the forefront, and how modernized identity management offers an opportunity to bridge the differences.

UnboundID: What are the most pressing security concerns as digital business quickly gains momentum?

Bonney: I think the biggest security concerns we’re currently facing are those of data leak and identity exploitation. Data leaks can occur because the technology is not designed securely, but it can also leak due to improper use or exploitation. As more lightweight apps are implemented, whether traditionally deployed to the desktop or deployed as a mobile app, trust in the identity of the user (or a proxy of the user for “things”) becomes paramount. By deploying so many users and proxy users in so many deployment models, we have moved the firewall from the network to the endpoint and that means we have shifted the focus from the devices and protocols to the identity.

UnboundID: How can organizations balance the competing requirements of IT teams, who are responsible for ensuring customer identity data is tightly secured, and business teams, who want to leverage identity data in multiple ways, across multiple devices and apps?

Bonney: My belief is that this new reality actually represents a great opportunity to correct some sins of the past. The legacy computing environments that grew organically from individual point solutions each had their own protocols and record structures. Trying to tie this together became an expensive, time-consuming adventure that failed to deliver on many of the promises of identity management. The new lightweight approach gives us a fresh opportunity to implement SOA (Service-Oriented Architecture) models that allow the development teams to select from a menu of technologies as they are building their app. By building and deploying superior identity management models and working with business units to fully understand the current and emerging needs, IT departments can use the same trends that are causing this rapid distribution of responsibility from large central teams to small agile teams to create a collection of tools and capabilities to help the enterprise and the businesses manage the identity information they are entrusted more securely and with more efficiency.

UnboundID: What are your thoughts on “Shadow IT?” What can organizations do to regain control over data assets that may be siloed in third party repositories?

Bonney: Corporate IT was originally chartered with accelerating the adoption of technology within the enterprise. As governance of the exploding expense and rapidly increasing risk exposure became equally important, the CIO (Chief Information Officer) in many cases became more of a barrier than an accelerant to the adoption of technology. Now, it is estimated that the CMO (Chief Marketing Officer) will control more of the total IT spend at the average consumer-oriented enterprise than the CIO does by 2020. Is there a way to reverse this and would reversing this be a good thing?

In my opinion, where the CIO should focus his or her attention is on helping the enterprise successfully exploit technology to improve the customer experience and drive down cost and risk. In the days of centralized IT departments and lack of necessary skills in the business units, this was done by central command and control IT functions, later augmented by IT steering committees. I think the democratization of IT within the enterprise can be a far more efficient way of delivering on this goal. It solves part of the “who pays for IT” problem and it allows business units to invest in the technologies they believe are going to be essential for their businesses to succeed. The IT team needs to build relationships that focus on solving the problems together rather than on discovering and then centralizing or destroying the assets. I believe that’s the best way to get back control of the data.

UnboundID: What advice can you share for bringing business and IT teams together?

Bonney: I was recently a panelist on a discussion about risk in the office of the CISO (Chief Information Security Officer) and I think a lot of the ideas that were shared can be quite useful to solving this problem. I think IT really needs to “know the business.” A common anecdote over the last two years is about the CIO who declared that since he had banned SaaS products for use in the enterprise, they did not have any shadow IT to worry about, until his team was eventually prepared to drive cloud adoption for the business. We’ve likely all heard this anecdote and how it ends with analysis showing that not only was he mistaken about the amount of Shadow IT in use, but that 60% of his own organization used the services as well. If the IT teams focus on knowing their business and learn how to effectively champion their internal customer’s business objectives, learn how to amplify the outcome to the business by leveraging technology successes from one group to the rest of the company and learn how to effectively balance risk with opportunity, they can be a trusted partner to the business.


Bill Bonney and UnboundID CEO Steve Shoaff share essential best practices in leveraging and securing customer data. Don’t miss the upcoming Webinar: The Best of Both Worlds – Identity Security & Customer Experience, Tuesday, April 28th, 12:00pm CT.

This article was originally published on the UnboundID Blog.