Digital identity is what we need to face the threat landscape, but how do we get started?
Now that you’ve had a chance to learn about digital identity, what it is, how it works, and what it can do for businesses, you may have some questions about how to get started.
What would it take to make digital identity part of your digital transformation effort? What does it require from an organizational standpoint? What are the challenges you are likely to face?
Any digital identity initiative is predicated on clarity about your objective, and aligning the people, processes and technologies you need to make it happen. To give you a roadmap for making that happen, let’s break this down into five steps:
- Step 1: Assess Your Current Readiness
- Step 2: Define and Align Around Your Objective(s)
- Step 3: Identify the Right Implementation Approach
- Step 4: Assess and Select a Partner
- Step 5: Plan for Long-Term Continuous Refinement
Let’s look at each of these steps more closely.
Step 1: Assess Your Current Readiness
To assess your readiness for the threat landscape you face in a post-breach world, let’s start by identifying where your organization currently falls on the Digital Identity Maturity Model you read about in Chapter 8.
Are you just now exploring risk-based authentication through digital identity? Are you already proactively evaluating user behaviors to ferret out additional fraud that may be hitting the business? Or, are you somewhere further along on the continuum?
To help identify where you fall on the Maturity Model, define the state of your current anti-fraud capabilities and resources. Staffing levels in the fraud department should be reviewed. Is the department perceived as too large or too small? Are work activities ripe for improvement? Implemented properly, digital identity should minimize manual reviews. The number of false negatives (fraudsters who slip by undetected) and false positives (customers wrongly tagged as suspicious) will likely fall. Required skill sets would shift to forensic analysis and the digital identity solution you select should have tools to assist with this.
Another consideration: How does information flow across the fraud department? What are the key workflows to be automated or re-engineered altogether? This should eventually cover everything from customer onboarding, to logins and payments, if applicable. Who on the leadership team is aligned with the need for transformation and how much educating is necessary? Answering these questions can help you get an accurate read of your current readiness.
Authentication is central to the ability of these businesses to effectively secure access to consumer-facing digital channels and the systems that underpin their operations.
-Javelin Strategy and Research
Once you’ve identified where you currently stand on the Maturity Model, factor in some additional considerations that will guide you as you move forward:
- What is the environment in which you operate today, and what future events should you take into account? What geographies do you operate in? What is the regulatory environment in each of these geographies? For instance, banks and payment processors in many regions have system-wide open banking and payments initiatives in the works. These are driven by mandates such as the revised payment services directive (PSD2) in Europe, and the New Payments Platform in Australia. This will be important in assessing the approaches to implementing digital identity, since these initiatives require support for risk-based authentication and strong customer authentication.
- What is the threat landscape for your organization, and the attacker ecosystem? As you’ve discovered in this guide, cybercrime is increasingly sophisticated and globally organized. It takes a network to fight these networked schemes. Is that something you’re ready for? Define trends you face and your requirements for meeting them.
- To what extent do your current systems meet the challenges digital identity is meant to solve? For that matter, what is your definition of digital identity? Does it map to the definition in this guide? What do you think it means across your industry vertical? How about across industries?
- Who owns the customer experience (or even just the data related to it)? Is it your organization or a third party, as can be the case in geographies and industries undergoing open banking and digital payments transformations?
Answering the questions above will help you establish your current readiness so that you can clearly define necessary objectives.
Step 2: Define and Align Around Your Objective(s)
Now it’s time to define your objective:
- What does success look like to your organization? Who are the stakeholders, decision makers and budget owners you need to define your strategic objective(s) and how will success be measured? Think about this across the entire customer journey, from account creations to logins to payments, and include any associated parts of your business and the geographies in which it operates.
- What is an acceptable risk level or fraud prevention level for your organization? Zero fraud, 7 percent, or maybe 5 percent and lower? Maybe it varies across product lines or price points? The more stringent the requirement, the more potential for friction, and vice versa. This is about defining the proper threshold for maximum benefit to your organization, customers and users. Define this threshold at each specific user touchpoint and every possible scenario. The more specific you can get, the better.
- Beyond defining your objective(s) for risk-based authentication, are there other dimensions to digital identity that can help you meet additional business needs, such as an enhanced user experience? What about increased customer acquisition, retention and top-line revenue? Perhaps the freedom to prioritize internal resources to more strategic initiatives versus manual fraud reviews?
Define all of these as specifically as possible in conjunction with all associated stakeholders, decision makers and budget owners to arrive at a clear set of strategic objectives. From there, you can start to determine the best possible approach to implementing a plan to meet them.
Step 3: Identify the Right Implementation Approach
Now that you have a clear read on your objective(s), it’s important to understand and assess your digital identity initiative from a budgetary standpoint. Are there limitations you must keep in mind? Specifically:
- What are you looking for—something proprietary/on-premises? Something hosted in the cloud? Or more of a hybrid approach? How sensitive are certain user attributes that you collect today, or plan to collect in the future? What are the privacy considerations? What’s the ROI if you were to pass that data out to a partner to get more meaningful information back? Would it offset the risk of not passing that data out and continuing to suffer fraud losses year after year? Consider this both in terms of a technology partner and possible participation in the kind of digital identity network you’ve read about in this guide.
- Build or Buy? Is this something you are capable of building on your own? Or are you open to cloud-based, SaaS solutions and partners? There will always be changes and challenges you cannot foresee. Budgets will change. Point solutions and ad-hoc fixes always have limitations. Is there a partner you can outsource to, whose core business model and capabilities are focused exclusively on digital identity? Someone who can guide you and help you solve for today’s omni-channel landscape—and who can scale to meet your needs over time?
You may know of a partner right off the bat. But even if that’s the case, you’ll want to conduct thorough due diligence to make sure you make the best choice for your organization.
Step 4: Assess and Select a Partner
With the answers to all the questions established from steps 1 through 3, you may want to develop a written request for proposal (RFP).
An RFP should be considered mandatory when a request involves technical expertise outside of your organization’s core competencies or specialized capabilities. You also want to determine whether the solution exists today, or whether it’s something that must be developed from an existing solution or from scratch.
You’ll also want to establish an RFP process. Who will receive the RFP? Are you selecting prospective vendors, or are you posting your RFP in channels that solicit such proposals blind? Who will be vetting proposals, and how? Is there a submission deadline for prospective partners? If so, what is it? Will candidate firms have the opportunity to ask questions as they prepare their proposals? Will the submission of proposals be followed by a presentation by the top three contenders? Who will decide on the final selection, and how?
To win support of businesses, authentication solutions must prove their effectiveness in both keeping bad actors out and ensuring a positive security perception for good ones.
-Javelin Strategy and Research
Once you have determined the complete set of questions that your internal teams recognize must be answered, it’s time to develop your RFP. In truth, these documents differ widely from organization to organization. But here are some elements that should be considered for a project involving a digital identity initiative:
- What are your general requirements? You’ll want to list out what you and all stakeholders have worked out in steps 1 through 3 in order to give participating vendor firms a clear understanding of what you’re looking for. Then, you’ll want these firms to document how they meet those requirements, including:
- What evidence of capabilities and success rates from previous engagements can they provide?
- Are you looking for a smaller firm, or one with a global footprint?
- How does each vendor explain how their solution compares to others in the market?
- What is the vendor’s solution architecture and controls for ensuring data privacy and security?
- What compliance with regulatory requirements does the vendor have in place for each of your current and forthcoming geographies? For instance, if applicable to your organization, how does the vendor’s solution meet PSD2 requirements in Europe? Can the vendor pass a security audit?
- What hardware and software components are required to support the candidate’s solution?
- What are the intellectual property rights (IPR) related to the vendor’s solution? What part of this IPR is owned by the vendor, and what is or will be owned by third parties? What licenses would this entail?
- What is the vendor’s development roadmap, and how does it ensure future-proofing the solution?
- What are the staffing needs and technology stack that will be required to put the solution in place and keep it running well?
Next, list out your business requirements:
- Break down each element the solution should address, down to each user touchpoint and associated processes.
- How does each vendor’s solution address it?
You’ll also want to break down your reporting requirements. What reporting capabilities do you require? Why? And for whom? You’ll want to establish what capabilities the vendor possesses to meet them.
- What reporting capabilities are included in the vendor’s solution?
- Which will need to be added to suit your requirements?
- What are the solution’s ad-hoc (custom, on-the-fly) reporting capabilities?
Lastly, while a formal estimate will come with a final statement of work, you’ll want to get a general read on pricing.
- What is the estimated preliminary budget range for a digital identity solution like the one you’ve outlined?
- What’s the vendor’s overall pricing approach?
- Are there licensing options? If so, what are they?
Step 5: Plan for Long-Term Continuous Refinement
Either in conjunction with the RFP process or as a part of it, you’ll want to establish the need for continuously assessing and refining your digital identity solution to meet the ever-evolving needs of your organization. Two questions to settle up front:
- When should these reviews be held?
- Which stakeholders should be a part of those reviews?
With decisions made on these factors, you should have the pieces in place to get started on your digital identity initiative.