Who owns customer identity?

When I’m talking with prospective clients, I like to ask: which department owns customer identity? Everyone immediately looks towards a different team. While every team touches customer identity at some point, the teams that own it differ from organization to organization.

customer identity ownership

From my experience, customer identity often doesn’t have a single owner because it’s critical across the business. This lack of clear ownership, however, makes it hard for organizations to get consensus.

When organizations focus on their own employees, however, this isn’t the case. Have you ever wondered why workforce identity and access management (IAM) feels straightforward while customer identity and access management (CIAM) feels like the Wild West?

Workforce identity and customer identity are distinct

Sure, both deal with logins and access control. However, workforce identity and customer identity serve different goals and have a different number of stakeholders, ultimately leading to massive differences. While the mechanisms are common, workforce identity and customer identity are distinct in two major areas: their importance to the business and their ownership.

Workforce identity is much more structured. Ideally, companies handle their employees logging in securely without adding too much friction. This is in part possible because companies have much more control.

Even with remote work, employees are, at the end of the day, beholden to the organization. Some friction is ultimately acceptable—it’s not like employees are going to quit because access control is incorrect, or the authentication process is cumbersome. There are problems in workforce identity, to be sure, but they’re not make-or-break problems because there is an expectation that stakeholders will be compliant.

With customer identity, this is certainly not the case. Friction and security have equal footing in customer identity. Your business undoubtedly has many competitors. If you add too much friction to your processes (asking for MFA every time, laborious account recovery processes, etc.), your customers will switch. If you don’t add enough security and suffer a breach, your customers will switch.

Different teams care about customer identity at different stages

Workforce identity is typically owned by some combination of the IT team and the security team.

Customer identity, on the other hand, is ever present during the customer’s journey with your product or service. From the first time they hear about you, to when they register, to when they hopefully come back and log in again, to when they convert from a free to a paid user, to when they renew as a customer, customer identity is important at all phases. As a result, all business teams have a claim to customer identity.

Let’s look at a typical customer journey.

Let’s say there is a prospective buyer for your product. They subscribe to your blog or download your whitepaper before they even sign up. Their identity is already important. The marketing team wants to know if the email they provided is legitimate or fake. The sales team wants to know if this is a bot account or someone they should try to speak with. Validating their identity is important even at this stage.

If they then want to sign up or request a demo, the customer identity also becomes important for the product team and the sales team, as they need to know that you are who you say you are. Implementation wise, it’s important for the engineering teams and for the IT teams to enable the mechanisms that make the identity validation happen.

At the point the customer has a login, security becomes important. The security team and the product team can sometimes be at odds: Collect more data or less data? Bother the user more or bother the user less? These are opposing forces coming from different departments with different priorities.

For logins, a company must often decide whether multi-factor authentication (MFA) is required, and if so, when? What authentication methods should be used? The product team does not want to add too much friction while the security team does not want to leave any gaps, but they must reach a consensus.

Once the user is trying a free version of the product or has become a paying customer, identity becomes important from multiple perspectives. The customer support team wants to validate their identity and know that they are who they say they are. In addition, the customer support team also wants to know about the customer’s entire journey. Who are they as a customer? How have they experienced the product or service so far? What other things have they done with the product or service? Have they already looked at the company’s documentation? Are there any other users on their team?

The specifics change depending on the company and their product or service, but the more visibility a customer support team has for a particular user’s identity, the better they will be able to serve them. They’ll be able to give them more personalized customer support, more targeted recommendations, and so on.

Customer identity needs to be a business priority

In most regulated industries, there is a case to be made to have MFA for every customer at every step because it is required by compliance and/or it is a security best practice. There is also a case to be made that asking every customer to do MFA every time will hurt the onboarding process and reduce the conversion rate.

Onboarding users securely but still seamlessly is a constant conflict in many types of businesses, from retail, insurance, to fintech.

If your business is running into issues like this, here are two tips for implementing effective customer identity management:

1. Figure out your business’ priorities that will drive you to consensus and ownership. If you are from a regulated industry, MFA becomes important. Make it a risk-based MFA, however, to reduce undue friction. If your business offers a D2C or B2C product or service, seamless onboarding is your number one priority. If user friction is the primary reason for your CIAM initiative, the product team or engineering team should take the lead and bring other teams along. If MFA is the main use case, the CISO should lead the discussions and then bring other teams along.

2. Phases are your friend. If testing or piloting is possible, do so. Experimentation is very valuable in a CIAM context. Whether you are moving to a new CIAM solution, trying a new auth method, or changing your onboarding process in any other way, run a pilot or an A/B test first. Starting small, measuring the results, and taking longer-term decisions accordingly is a healthy cycle to follow when it comes to customer identity processes.

Traditionally, the customer identity’s budget was owned by engineering, IT, or security. Nowadays, regardless of which team is the owner, all relevant teams (marketing, product, customer success, engineering, the IT team, the security team, etc.) should be a part of either the decision-making process or reviewing the journey on a periodic basis.

Customer identity should be a top priority business-wide. It’s simply too core to a business’ success to be handled by just one team.

Don't miss