Every organization has a formalized process to determine how money should be invested in specific areas, like Identity and Access Management. Integral Partners is often involved in these discussions with clients, to assist in ensuring that the right level of investment is made allowing for maturity and introduced capabilities the organization needs.
What is the right level of investment? What tools should we buy? What modules in those tools are needed?
These are common questions we hear, and our tailored response is based upon years of successful IAM projects and an understanding of the IAM space that is deep and broad.
Our team is often asked to review IAM at a company. Often, we find years of non or misguided investment in IAM. This is often accompanied by executive leadership scratching their heads as they try to determine what value they received for the money they’ve spent. This makes the path to an approved IAM strategy and plan more difficult as you must educate stakeholders to get buy in for an IAM Program.
This can present challenges that companies new to IAM can understandably struggle to answer. How do you ensure you are asking for the right funding level, and how do you show that you have a plan on how it will be spent and what the company can expect in return? Also, can you show that the ask is for the right tools at the right time? How can you show that you have done your due diligence and are a proper steward of the investment you are asking for?
In short, how can you show that you are not wasting money and that the investment will lead to returns?
Integral Partners has some points to consider:
Start with a Road Map
IAM is a Program, not a Project. Because of that, you need to think longer-term. We recommend that you develop a road map covering the next 2-3 years that shows what will be deployed and when.
Add detail to the supporting projects in the roadmap and show how those individual parts support the larger program. This will help you get leadership to buy in. It will also help ensure you are spending money when and where it’s needed, and that the program is a guided effort to introduce new tools and processes at the appropriate time.
Ultimately, your road map will be a story that shows the deployment of tools to tackle challenges and support your business needs.
IP EXPERIENCE: Integral Partners recently completed an Advisory engagement with a client that was struggling to get funding for IAM. We worked with them to create a narrative showing how specific road map items addressed their IAM concerns and introduced effective controls. We were then able to help socialize it, get buy-in, and based on that the program was funded.
IAM is a Program, not a Project. Approach your roadmap with that in mind and you will get where you need to go.
Understanding ROI – Risk Reduction vs Productivity
Companies often justify IAM because of theoretical savings from reduced headcount (via automation) and quicker onboarding of users (quicker time to productive access). While you certainly can expect users to be productive sooner with the right tools, is headcount reduction the most important metric?
While you may reduce headcount for more trivial tasks that can be automated, keep in mind that you often need additional headcount to manage IAM, so cost savings via automation can be misleading.
The other ROI area that might be more important (but harder to illustrate) is risk reduction. Identity and access represent the ultimate perimeter for an organization, as users connect from various devices and create opportunities for bad actors. IAM tools put technical and administrative controls in place to reduce risk and keep an organization safer. The cost savings here can be astronomical but hard to quantify.
There are industry standard guidelines to quantify risk. By combining those guidelines with your own experience, you can craft a story that shows real risk being reduced as your roadmap is implemented. Ensure your figures are defendable and practical, but they represent real opportunities to move the needle on risk at your company.
IP EXPERIENCE: On one recent project, Integral Partners was able to show our client the true business capabilities an effective IAM program could provide. That redirected the discussion away from simply efficiency via automation and focused on what was important to the security of their business. We were able to address identified enterprise risk with access and recommend tools and process to address these risks. This was a much more effective marketing tool than simply a reduction in headcount.
Spend Wisely: Make sure the Solutions (and all the extras) fit your Requirements
There is a broad set of tools available in the IAM market. We pride ourselves in being experts on the leading solutions, but tool agnostic. This means we approach every project unbiased and make recommendations that fit your specific needs.
We’re often brought in to help a company with their IAM program that has already purchased a tool. In many cases, the purchase does not actually fit an organization’s requirements, or it includes unneeded modules and functionality that wastes money and introduces unneeded complexity.
IP EXPERIENCE: A recent client of ours in the finance space was about ready to purchase an IGA solution. Unbeknownst to them, the tool they had chosen did not support a critical requirement that was unique:
Allowing clients to have delegated authority to administer their specific users in the tool for apps they share externally.
The IGA tool they chose did not support this functionality, but in the confusion of the initial negotiations, that requirement was missed. During the subsequent Advisory engagement, Integral Partners was able to identify the use case and work with vendors to pick a new solution that fit their requirements.
Had they made the investment without our advisory engagement, they would have eventually realized that it was not going to work, wasting millions.
Knowing what to buy, and what capabilities are worth deploying, can save you significant money (and headache).
Understand the Ecosystem – Plan for Integrations
One of the areas we’ve provided the most benefit to our customers is helping them understand the IAM ecosystem. Over the last few years in particular, IAM tools have grown to integrate well with each other. Understanding the tools themselves, and how they can effectively work together (or can’t), will have a huge impact on the immediate and future success of your program.
You can streamline process, apply policy more accurately, and reduce risk when these technologies are communicating and managing IAM holistically.
Your road map should show these integrations and support why they’ve been chosen. Specific KPIs tied to that integration should be developed and tracked to show maximum utilization of the money you invested in them.
“Lean on Me” – Partner with experts and leverage their experience
IAM tools are complicated and difficult to implement well. Even global enterprises often don’t have sufficient in-house resources to tackle an IAM program on their own.
Working with a professional services team that’s exclusively focused on IAM has many benefits:
- They can help you choose the right tools and integrations
- They can help turn your project into a program
- They’ll know the major pitfalls and how to avoid them
- A fresh set of experienced eyes can identify gaps and threats you don’t see
- They can help future-proof your program
- They can help train your team and help you develop the in-house IAM support you need
- They can provide “IAM Directors” so you can focus on your business while they help protect it
I’ll end with my pitch for Integral Partners. We have over 20 years of experience in Identity and Access management. It’s what we do it’s all we do.
We can work with you to develop an IAM road map and help get it approved. That plan will have recommended and vetted product vendors, as well as the correct order of operations to maximize return.
I head the Advisory practice here at Integral. We offer a 15 minute advisory call to help you make sense of where you are with IAM and how we might help.
Just click here to schedule a time for us to chat. Me or someone from my team would be happy to help.
Jason Ellis
Jason is the director of the Advisory, Privileged Access, and Access Enforcements practices at Integral Partners. With more than 20 years’ experience in IT and Cyber Security, Jason has developed a strong relationship with clients, helping to advise them on strategy to improve their IAM posture.
Comments are closed.