The essential exercise of user account access reviews
Develop a regular cadence of reviewing your accounts to support your team and protect your data
As you scale your business, you inevitably start to add new team members, software solutions, and other resources to support your growth. Each time you add a new resource, you increase your operational debt. While this could seem daunting, it doesn't need to be. Establishing a regular approach to review who has access to your tools allows you to control your data, control your costs, and ensure that from a top level, everything is operating as it should. If you develop a system to reduce the operational debt left by unkempt tool management, this added layer of oversight brings cohesion, consistency, and peace of mind.
How do you maintain a handle on your software usage without impeding progress and slowing down collaboration?
Create a culture of account access reviews to ensure clarity and visibility into your tools
Why This Works
Developing a system to monitor account access allows you to control your costs (i.e. no need to pay for a software license for a team member who has departed) while creating a systematic approach to onboarding and offboarding. In this new era of work that combines full-time, part-time, freelance, and fractional team members, you’ll be balancing workers who are engaged to varying degrees. It is important to ensure that you have a handle on the system – who has access to what tools, at what administrative level, and for what period. If an account owner departs, you can rest easy knowing that in this era of 2FA, you have clear visibility and oversight of access permissions, thereby reducing bottlenecks.
Why Do This Now
Just as with everything else in startup land, it is significantly easier and more efficient to establish well-oiled processes early as opposed to needing to work backward. Complexity compounds. But that isn’t always easy. By taking a proactive approach today to develop a system to manage account access and permissions, you can streamline your operations while reducing unnecessary impediments and protecting your data. And once established, it will only take a few minutes a month.
How We Do: Building a tool auditing operating system
An ideal early-stage tool auditing system can be a lightweight set of sequential steps.
Establish a comprehensive review of tools in use and users of those tools.
Create a forward-facing tracking mechanism.
Detail every piece of software that your team utilizes and list every member of your team.
On a resource-by-resource basis, indicate which users (or teams) have access to each tool.
Ensure that everyone is in the loop, from senior leadership, managers, and individual contributors to maintain clear top-line visibility while encouraging collaboration and buy-in from all workers. While potentially burdensome at the start, moving forward this will be something that only needs to be checked on an occasional basis.
Tools 🛠️
Notion, Google Sheets, or Excel can be familiar and lightweight tools to get you started. There's little need to invest in software for this in the early days.
Keep the database setup easy on the eyes. A simple database detailing users in one column and tools across rows with an “X” or a specific color indicating that an individual does or does not have access is all that is needed.
Detail your process step-by-step wherever you maintain your SOPs so that you have a living, breathing SOP. Which team or type of team member should be added to each tool?
ChatGPT can help you get a grip on things, especially initially. Dump all of your tools into a prompt and ask for support untangling the web and identifying potential redundancies.
Rules (Process) 📝
Start with your tools. Review each tool to see who is on your “team” or who is using a license and cross-reference it with your org chart. Document it on your access chart.
As new team members are added, add them to the chart with access coded appropriately. As a team member departs, use this chart to quickly and easily determine where access needs to be removed.
Delegate who has admin or ownership control of each piece of software.
Establish protocols on edit access vs. view-only access for both internal and external users. You want to protect your data while ensuring that you avoid overly strict protocols that require repeated access requests that unnecessarily slow your team down and hinder collaboration.
Dig a bit deeper - ensure all user access is appropriately tied to your company policies. Can users be added to a tool with their personal email or should access flow through a company email? Take the time to reset everything to where you want it to be. Document accordingly for synergy moving forward.
While this isn't necessary for a user access audit, use this as an opportunity to add tool renewal dates, reminders for renewal dates, and pricing to your database.
Ensure that you consider security protocol best practices in your policies and approach.
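One way to automate the cross-reference described in the rules above, as an added example that is not part of the original article: it checks each tool's user list against the org chart and flags departed users, accounts on non-company email, and tools with no active admin. The company domain, roster, and seat exports are constructed sample data, and `review` and `access_chart` are hypothetical helper names.

```python
from datetime import date

COMPANY_DOMAIN = "example.com"  # assumption: placeholder company email domain

# Constructed roster (org chart): email -> last working day, None if still active.
ROSTER = {
    "ana@example.com": None,
    "ben@example.com": None,
    "cy@example.com": date(2024, 3, 31),   # departed
    "dee@example.com": date(2024, 9, 30),  # contractor with a future end date
}

# Constructed per-tool seat exports: tool -> list of (account email, role).
SEATS = {
    "Notion": [("ana@example.com", "admin"), ("ben@example.com", "edit"),
               ("cy@example.com", "edit")],
    "Figma": [("ben@example.com", "view"), ("dee.freelance@gmail.com", "edit")],
    "Sheets": [("ana@example.com", "admin"), ("Dee@Example.com", "view")],
}

def review(seats, roster, today):
    """Return (tool, account, issue) findings for one review pass."""
    findings = []
    for tool, accounts in sorted(seats.items()):
        active_admins = 0
        for raw_email, role in accounts:
            email = raw_email.strip().lower()  # exports differ in casing
            if not email.endswith("@" + COMPANY_DOMAIN):
                findings.append((tool, email, "non-company email"))
                continue
            if email not in roster:
                findings.append((tool, email, "not on roster"))
                continue
            end = roster[email]
            if end is not None and end < today:
                findings.append((tool, email, "departed, remove access"))
            elif role == "admin":
                active_admins += 1
        if active_admins == 0:
            findings.append((tool, "-", "no active admin or owner"))
    return findings

def access_chart(seats):
    """Build the users-by-tools chart: email -> {tool: role}."""
    chart = {}
    for tool, accounts in seats.items():
        for raw_email, role in accounts:
            chart.setdefault(raw_email.strip().lower(), {})[tool] = role
    return chart
```

Calling `review(SEATS, ROSTER, date.today())` during the monthly review returns the rows that need action; `access_chart(SEATS)` produces the users-by-tools chart to paste into the spreadsheet.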
People 🫶
Work cross-functionally to ensure that all tools are coded appropriately, including those for which you had a free trial or that you have since offboarded.
Once you establish a process that works for you, delegate certain individuals to oversee the chart moving forward. This should involve team members that touch operations, people, and IT so you are covered. You should not fully remove yourself, though. You should plan to check in regularly as this can give you great visibility into your org.
Create a culture where team members report upward as new tools are added and they understand the importance of a strong culture of data security.
Empower your HR team members to leverage the access chart when adding or removing members from the team. This should be part of their workflow in the same manner as issuing or collecting a company laptop or key card.
Actually Actionable
Nice article. Now what?
We’ve taken the ideas above and created an action plan for you and your team.
Objective 1: Review all tools and software in use by your team
Task 1: Ask team leads to send you a list of all tools they use, who has access to each tool, and who is the owner or admin of each tool (1 Hour).
Meeting 2: Take all of this data and dump it into a spreadsheet. Ask everyone to review to ensure that nothing has been missed (1 Hour).
Objective 2: Establish an SOP that details how this chart will be managed, reviewed, updated, and consulted moving forward
Meeting 1: Meet with whoever has involvement with ops, people, and IT and task them with oversight of this data set. This should simply require updating when a team member is added or removed and then a monthly review to capture any changes (1 Hour).
Meeting 2: During an all-hands, introduce this new chart with a simple ask – notify the appropriate team members when tools or people are added or removed from the team (10 Minutes).
Objective 3: Review company data security policies
Task 1: Task your head of IT with reviewing and updating your data IT policies. Ensure that a policy regarding email usage (personal vs. company) is on the list, especially for contractors or freelance workers, and that your head of HR understands what is needed from an onboarding perspective. Task your IT team with supporting any team members who fall outside the policy and need assistance with migrating account access from a personal account to a work account (or vice versa) (1 Hour).
Before you go
We share a lot of insight on ways to support your startup while unlocking your team to be more efficient or more successful. While this may not be the most groundbreaking advice we have shared, it can be one of the most impactful practical activities - enhancing engagement and a positive culture with significant risk reduction, especially when adopted early. Working with your team early in your company’s lifecycle to establish strong policies and review timelines around user access and permissions can avoid headaches by reducing costs, protecting your data, and enhancing collaboration. This exercise is valuable for teams of all sizes, but one thing is consistent: there is no reason to wait. Whether you are a startup of two or twenty, adopting these policies ASAP will allow you to rest a bit easier at night and make future engagements with IT or info security hires significantly more streamlined. Not to mention, your team will appreciate it. Clear guidance on how/when/where to update software usage supports the whole organization and unlocks efficiency. Reducing bottlenecks, supporting your team, and protecting your data is always a win.
Writer: Scott
Interested in working with Scott through We of All Trades to transform your internal operations? Email founder@weofalltrades.com for more on how to bring him in as an embedded operator in your startup.