SailPoint talked to Jason Corbishley, CISO, Police Digital Service; and Kurt Frary, Deputy Director of
Information Management & Technology / CTO Norfolk County Council, about what identity
management means to them.
Identity is at the heart of access controls. As more and more people choose to work from home,
public sector organisations have had to adopt a smarter and more resourceful look at how they
protect their critical IT infrastructures.
Local government and the police force are on the front line of protecting sensitive data from cyber
threats and risk of breach. Today, security perimeters no longer exist. The IT department needs to
look at security in-depth to keep their organisations secure.
Kurt Frary, Deputy Director of Information Management & Technology / CTO Norfolk County Council
says: “We took a hard look at identity, mainly due to the pandemic. The core of that was how do we
enable people to work remotely but also identifying who they are to enable them to work online.”
Jason Corbishley, CISO, Police Digital Service says, “Identity access management is not something
new, but we have not previously achieved its total implementation. We need a common blueprint
approach. We have at least 43 separate organisations in the policing authorities who are looking for
a baseline blueprint for access and identity control.
Jason continues: “How do we provision identity at the centre of the police forces? We need to
manage the identity of joiners and leavers to the service and create that footprint for the lifetime of
their tenure. We need a balance between transformation and enablement.”
“The basis of identity for any organisation is knowing who is accessing data, at what time, and for
what purpose. Huge infrastructure projects are a thing of the past. We need to enable an identity
service where we can put trust in the identity of the end-user. That applies to whether it is guest
access or from within their organisation,” says Kurt.
Jason says: “Culturally this is a change – we are still on a journey. We can really show investment as
a return and by SailPoint is embedding that into its identity solutions.”
Simplicity at the core
For any system to be successful, it needs to be simple to use. Lots of services are now available
online. “A single sign-on is important,” says Kurt. “You have to enable people to do their jobs. We’re
trying to automate the simple processes. The low-value stuff, such as joiners, leavers etc., is timeconsuming but relatively simple. If you can free people’s time to focus on other things, then it helps
“We chose SailPoint because their technology works for our organisation,” says Kurt. “We put all our
eggs in one basket and said, ‘let’s go with it’. The future is here now.”
From a policing perspective, the focus is very heavily on process and governance. The tools that are
used for management become important in the role of information asset development. “The ability
to undertake role-based certification campaigns starts to give confidence to the whole piece. It
opens up the use of data assets and applications,” says Jason.
Jason continues: “Suddenly, we have the functionality and capability to understand control. But we
can make the change, if necessary, to who has access to what, at any given time.
“It is a cultural change journey. Technology is the easier change piece to implement. The harder bit is
for the users and owners of information to understand the new capability and how we can exploit it
to deliver business and service benefits.
“How can we use it to deliver more and better policing services to the citizens of England, Wales,
and the UK?”
Legacy at an End
For Kurt, the battle has been to convince public sector staff to adopt the new system. “We have had
to adopt role-based access control to make sure we have access to the right information at the right
time. We have also had to build confidence in the user base that we have the tools that will do that
“After shifting from a legacy system, it is always a journey to convince people that we can do the job.
Once you have done it a few times and it works, then it builds that confidence in people. SailPoint
has helped us tremendously to get over that hurdle,” said Kurt.
For both Jason and Kurt, the vital part of the process was the planning stage. If there was one core
lesson, says Jason, it is to define the process upfront. At the outset, organisations need to define the
key joiner and leaver processes, the roles that need to exist and set the ground rules for provisioning
and governance. That includes who is going to approve access to specific role-based groups and the
level of corporate assets that can be accessed from each one.
“It’s important to ask, ‘what do we mean by access
the ground rules for the organisation. Spending time upfront to define the process before we start
implementation will reap rewards down the line,” Jason says.
Kurt says: “Identity governance is a business tool. It needs resourcing properly. If you set the
governance rules around it, then you also need to ensure that you resource it, otherwise it just
But for both parties, whether local government or policing, then identity is the key to strategic
transformation. It needs planning, and it needs resourcing. But involving the business and SailPoint
from the start at every stage of the process can ensure a smooth transition from legacy systems to
the new forms of identity control for the remote working era