Across the security industry, experts are encouraging businesses to abandon piecemeal IT systems and data-defense efforts in favor of overarching risk management strategies.

According to some customers, consultants, and vendors, the strategy is starting to prove particularly helpful in addressing issues of identity management and access control.

Long identified by industry analysts as an area where businesses often end up "chasing rainbows" and getting involved in never-ending projects, experts contend that by adopting a risk-based model to drive identity management, customers' goals are actually being realized.

"When developing our architecture, it became very clear that one of the processes that was important to tackle before starting to change things in one region or business unit was to do risk assessment and integrate all the subjects related to access control," said Paulo Martins, enterprise identity and access manager at financial services giant ABN AMRO.

In 2006, the banking company made a decision to rework its identity infrastructure as part of an effort to make access control an even more central focus of its enterprise security strategy.

Rather than simply looking for a new technology to improve its standing, ABN AMRO found that by getting a fix on the areas of its business where controlling access to sensitive data was most crucial -- and then assessing the varying levels of efficacy within its existing operations -- it found a way to move its project forward faster and with a greater sense of direction.

"As companies get larger and the numbers of applications increase, and they grow through mergers and acquisitions, they find that they have different levels of maturity related to identity and access," said Martins. "We built our strategy considering all of these things. The first year was dedicated to process and access control reviews; the second year involved implementation of those processes and use of risk analysis for critical applications."

Among the most valuable topics that ABN AMRO was led to consider as part of its process, he said, was where it made sense to automate identity-based control for its applications and where it did not.

By gauging the number of users and criticality of the data involved in each area of its business, the company was able to set its priorities and get controls in place where the risk of information loss was most widespread or severe, said Martins.