Securing the Digital World

Yin and Yang: Two Views on IAM - IT-Based and Business-Driven

Oct 18, 2017 | by Stephen Mowll, Chris Williams |

Point: Approach identity projects as you would any IT-based enterprise service.
Chris Williams, Advisory Solutions Architect, RSA Identity

Identity and access management (IAM) projects are among the most visible IT initiatives that enterprises undertake, because they affect the entire organization. However, many organizations continue to view these projects primarily through the lens of technical capabilities, without an equal focus on business service levels (or at least a focus that looks beyond just the user interface and the return on investment).

If we look at a project, such as a business-enabling ERP, we see the initial strategy definition will always include a series of before-and-after comparisons that heavily leverage critical success factors, key performance indicators and empirical measure effectiveness statistics. The organization can rally behind these and, thus, jointly agree on prioritized business deliverables and a balanced and achievable set of objectives. IT teams can apply that same type of approach to identity projects by following a simple set of best practices paving the way for a successful implementation.

Know your IAM benefactors.
Are your biggest benefactors in the C-suite, or are they departmental leaders? Is the IAM project focused on daily operations, cost management or gap mitigation? Is it the first formal IAM project, or is it a second or even third IAM undertaking? The point is to understand why the project is important and to whom—and to hold judgments and reservations until you’ve completely examined your organization’s IAM history.

Get the right support.
Start with a current review of the organizational structure and identify all key leaders and business owners. Take a simple draft of your plan to each one and actively solicit their input. Communicate with them often, deliberately and regularly. This will help you build confidence and allies simultaneously. (Remember, renegade “behind-the-scenes” IAM projects rarely end well.)

Play the game to win.
If you can demonstrate a complete understanding of the organization, the culture, current requirements and historical activities, you can convert your strongest adversaries into your most vocal supporters. It may seem obvious, but sometimes we just have to remind each other that we all want to achieve the same goals and benefits.

Counterpoint: Don’t limit your view of the IAM end-state to technology.
Steven Mowll, Product Manager, RSA Identity Governance & Lifecycle

I concur that it’s important to make IAM in service to the business. However, if a company has a technology-centric view of IAM, it is going to define how they think of the service. Let’s see how it plays out in the context of four steps I’ve heard Chris suggest for paving the path to a successful implementation.

Step 1: Begin with the end in mind.
A program roadmap gives stakeholders the confidence to get started. A roadmap with a technology-focused end state looks to integrate all applications and automate all provisioning; one with a business-focused end state is more concerned with provisioning all the technology assets and access users need as they join, move and leave the business.  The business-focused end state opens up the scope of what you need to include to make end users happy and productive.

Step 2: Quantify the program.
A technology-focused end state seeks to reduce the cost and effort of provisioning access; a business-focused end state looks to reduce the time and effort of users finding, receiving and managing their access. The key is to think about and quantify the whole end-to-end program. For example, there may be situations where improving the end-user request experience will be of more benefit than reducing the cost of provisioning.

Step 3: Validate the solution.
Thinking about the problem in a business-driven way enables you to think differently about what you need in the solution. It also allows you to think differently about what you need around any solution in your service to be successful.

Step 4: Quickly deliver value.
The right solution will give you quick wins for your business stakeholders, building momentum for your IAM program. When you’re after quick wins, don’t forget to make sure you also have ways to measure success in the long term. Being a service to your business suggests that as you reach 100% success in any one area, you look ahead to the next area you can improve.

When you define IAM as a service to the business, it’s easier to set expectations for the projectand for the business to see the benefits of what you’re proposing.