Maturity Assessment and Strategy for a Global Investment Manager

How we advised and enabled a leading investment manager to enhance their Identity Security through a comprehensive assessment and a tailored 5-year strategic plan, ensuring robust protection against existing and emerging threats, while aligning security with business strategies. This partnership marked a key turning point towards achieving long-term, effective security management and operations.

TL;DR

How it started

Our client, a leading international investment manager, struggled with Identity Security due to fragmented and manual processes following the merger of core business units. Despite years of investment, they lacked a cohesive Identity Security framework that could meet their operational and regulatory demands.

After recognising the need for a strategic and structured approach, they engaged us to conduct an in-depth assessment and to develop a strategic roadmap to support their complex business environment.

This case study details the challenges they faced, our approach to assessing their current state, and the development of a multi-year strategy to enhance Identity Security.

The Results

Enhanced Understanding of Identity Security Realities: The leadership team gained a clear understanding of their Identity Security maturity level and the urgency required for remediation. The assessment provided an unambiguous view of the organisation’s position, allowing them to prioritise actions that would yield the greatest impact.

Strategic Roadmap Alignment: The 5-year roadmap provided a structured approach for phased implementation, allowing the organisation to achieve strategic alignment between Identity Security initiatives and business objectives.

Leadership Confidence: The engagement fostered a shift in mindset among senior leadership, instilling confidence and a sense of ownership for advancing Identity Security. This transformation empowered leaders to champion the programme and navigate complex organisational changes.

Future-Proofing: Our recommendations addressed current gaps and laid a foundation for the client to remain adaptable to regulatory changes and technological advancements. The roadmap enabled the organisation to position Identity Security as a business enabler, safeguarding operations and enhancing resilience.

The Full Story

How It Started

Our client, a leading international investment manager, struggled with Identity Security due to fragmented and manual processes following the merger of core business units. Despite years of investment, they lacked a cohesive Identity Security framework that could meet their operational and regulatory demands. After recognising the need for a strategic and structured approach, they engaged us to conduct an in-depth assessment and to develop a strategic roadmap to support their complex business environment.

Challenges and Discoveries

The Identity Security landscape at the client organisation was marked by serious gaps in strategy, governance, and process efficiency, which exposed them to significantly increased security and regulatory risks:

  • IAM as a Tactical Technology Project: The Identity Security initiative was initially structured as a stand-alone technology project rather than a business transformation programme, resulting in a lack of strategic alignment with broader organisational objectives.
  • Shadow Identity and Technical Debt: The absence of a cohesive Identity Security framework led to “shadow Identity” practices across various business units, with unintegrated, redundant systems and customisation that contributed to significant technical debt. Key systems such as the service desk ticketing system and enterprise directory had become de facto Identity Security solutions, yet lacked the capabilities to provide robust identity governance.
  • Uncontrolled Access and Manual Workflows: Identity Lifecycle Management processes, such as user provisioning and de-provisioning, were highly manual, creating inefficiencies and serious security risks. The absence of automation resulted in a window of more than 10 days for access deactivation, exposing the organisation to potential access abuse. For example, a departing user’s remote network login account could remain active for many days after they had left the organisation.
  • Lack of Governance and Executive Sponsorship: There was minimal governance around the Identity Security programme, with no executive sponsorship and ad-hoc management. This lack of governance structure hindered long-term planning and created gaps in accountability. Changes made to critical systems were often undocumented and at the discretion of individual administrators, further increasing the risk profile.
  • Audit-Driven, Reactive Approach: The Identity Security programme’s focus was primarily driven by responding to audit findings rather than establishing a proactive, strategic approach to Identity Security. The project had pivoted repeatedly to address new audit remarks, which undermined the development of a viable and coherent Identity Security strategy.
  • Process Inefficiencies and Orphan Accounts: Numerous orphan accounts, including thousands of uncorrelated or active but unused accounts in Active Directory, posed a major security risk. These orphan accounts included privileged and admin accounts which had not been properly deactivated, creating a high-risk environment vulnerable to unauthorised access.
  • Limited Communication and Stakeholder Engagement: The organisation lacked a clear communication strategy to inform and educate business stakeholders about the importance of Identity Security. This gap in engagement left the programme isolated, hindering the development of a culture that values Identity Security across the organisation.

The Full Story

Our client, a global investment management organisation, needed a scalable Identity Security approach. Our extensive industry expertise and experience in transformative Identity Security solutions positioned us as their trusted partner.

The engagement required a holistic approach that extended beyond technology to incorporate organisational culture, operational workflows, and stakeholder engagement. Over five months, our team conducted an in-depth assessment across multiple streams, including Technology, Operations, Governance, and Culture.

Parallel Assessments: We deployed a parallel approach, enabling a granular understanding of complex interdependencies across various systems, processes, and stakeholders:

  • Technology: Analysed redundancies and gaps in Identity Security-related platforms, focusing on the limitations imposed by current customisations and ‘shadow’ Identity Security systems.
  • Operations: Evaluated workflow efficiency, lifecycle management processes, and access provisioning to identify points of vulnerability and automation opportunities.
  • Governance: Defined a governance model that included executive sponsorship, properly managed change control, and structured oversight for Identity Security.
  • People and Culture: Engaged stakeholders through workshops and interviews to build alignment and generate buy-in, addressing cultural gaps that had hindered programme success.

Our agile, iterative methodology allowed us to engage with global stakeholders, including senior business users and application owners, capturing valuable insights that informed our strategy recommendations. This thorough assessment allowed us to understand the organisation’s culture and processes, and to recommend solutions that were not only technically sound but also operationally feasible.

Deliverables

  1. Maturity Assessment: We delivered a comprehensive maturity assessment, offering an unfiltered, candid view of the client’s Identity Security posture. This assessment highlighted critical areas requiring immediate attention and established a foundation for a strategic roadmap that aligned with organisational goals.
  2. Strategic Roadmap: We developed a phased, three-horizon roadmap:
    • 1-Year Horizon: Focused on stabilising the current environment by addressing technical debt, instituting best practice policies, and establishing strong governance.
    • 3-Year Horizon: Emphasised advanced Identity Security capabilities, process automation, and an improved user experience, enhancing compliance and efficiency.
    • 5-Year Horizon: Realised a fully mature, adaptive Identity Security framework aligned with business strategy and capable of adapting to future regulatory and technological changes.

Results

1. Enhanced Understanding of Identity Security Realities: The leadership team gained a clear understanding of their Identity Security maturity level and the urgency required for remediation. The assessment provided an unambiguous view of the organisation’s position, allowing them to prioritise actions that would yield the greatest impact.
2. Strategic Roadmap Alignment: The 5-year roadmap provided a structured approach for phased implementation, allowing the organisation to achieve strategic alignment between Identity Security initiatives and business objectives.
3. Leadership Confidence: The engagement fostered a shift in mindset among senior leadership, instilling confidence and a sense of ownership for advancing Identity Security. This transformation empowered leaders to champion the programme and navigate complex organisational changes.
4. Future-Proofing: Our recommendations addressed current gaps and laid a foundation for the client to remain adaptable to regulatory changes and technological advancements. The roadmap enabled the organisation to position Identity Security as a business enabler, safeguarding operations and enhancing resilience.

Conclusion

Our partnership with the client marked a pivotal step toward their goal of achieving Identity Security maturity. The collaborative effort not only clarified the strategic direction but also inspired ownership and accountability among the leadership team. Through a detailed analysis, engagement with key stakeholders, and a clearly defined strategic path, our client is now better equipped to secure their operations, clients, and assets.

This case study exemplifies the transformative power of expert guidance paired with a committed client, turning security vulnerabilities into strategic opportunities for sustainable, long-term success.