Blogger: Kevin Kampman
In a conversation with one of our subscribers last week, we heard about an unintended consequence of an identity management (IdM) initiative. After putting all of the people with associations to the enterprise into the Human Resource Management System (HRMS), the executives of the organization got the mistaken impression that there were more employees on the payroll than they anticipated. This was a result of classification issues, but it gave the IdM initiative a bad name.
In this case, the data was correct, just not organized to tell the right story. There were more people working for the organization than expected; not all of them were employees. This is a useful metric, and it’s unfortunate that the reporting system took the blame. It is a possible case of “shooting the messenger”. This organization needed to look at the overall picture, not just one number. In an upcoming report, analysts Gerry Gebel and Lori Rowland will address the issues associated with managing identities who aren’t employees.
In a case of “doing more with less”, however, we’ve also discovered that this kind of information can be used for fraudulent purposes. B. Ramalinga Raju, the founder and chairman of Satyam Computer Services, an Indian information services outsourcing firm, reportedly confessed to padding the company’s employee count by nearly 10,000 people and then directing those payroll funds for personal gain, according to the New York Times. As a provider to some very large companies, Satyam will be scrutinized for possibly charging those customers for phantom resources.
Whenever we architect solutions, we focus on what they are intended to do. If you’ve ever seen a string used to open the drawer on a cash register, however, you know it’s likely that someone is running two sets of books. There’s always someone looking for a way to compromise the system. For example, imagine if a company received a tax concession in return for creating more jobs in a community. Unless someone watched the overall headcount, they could lay off staff, hire replacements and claim to meet hiring expectations.
IdM solutions can tell the right story to those willing to listen. It is the responsibility of the entire IdM community to listen to business management, to regulators, and to shareholders, and anticipate that the questions they’ll ask can be answered accurately. The biggest risk to IT is in not understanding and promoting the real value and benefits that IdM brings to the enterprise. A possible outcome of the Satyam situation is that there will be more scrutiny of IdM and HRMS solutions. We should be prepared for additional controls and accountability, as well as tighter coupling between all of the systems that deal with identity information. IdM should provide transparency, that is, effective information to whoever is pulling the strings.

