Get Your IAM Project Back on the Fast Track by Considering Business Agility
• Solve today’s (and tomorrow’s) security threat
• Deliver business value by driving enhanced agility
How to position your IAM request so it gets funded
I know what you’re thinking at this point: ‘Sure, Bill, I understand what you are saying. Rather than beg for IAM solutions as a security-only play, I should update my request with how this investment will make the business better. But that’s easier said than done.’
To be sure, there is no one way to ensure a successful request. But I can provide you with several examples of how others have positioned their IAM projects to ensure new, additional or continued funding.
IAM improves productivity by easing the delegation of access.
In most companies, the rank and file employees might schedule their own travel and complete their own expense reports, while managers get an executive assistant (EA) who acts on their behalf. But what if the EA to the vice president is out sick the day that the VP needs to change flights while traveling in the Far East? How fast can your IT department provide a different EA with the access required to perform the last-minute travel change on behalf of the primary EA? More to the point, what happens if that timeframe isn’t fast enough and the VP gets stuck overseas and misses his or her child’s baseball game? Likely, the VP arrives back at HQ and chews out the VP of IT.
In this situation, what’s the value of being able to reassign or delegate access rights? Pretty vital. But in reality this is just a provisioning and access control function of an IAM solution. Scenarios like this should help you to recast IAM as an enabler of business agility — in this case, by keeping VPs traveling, but more broadly by keeping the company productive.
IAM improves agility by putting access decisions in the hands of the business.
Has something like this ever happened to you? Marketing, in its never-ending quest to generate interest and additional business, launches a new campaign. In this case, the goal of the campaign is to drive additional pension contributions, which are handled by your pension management application. And lo and behold, the campaign works like a charm — except that marketing failed to forecast that success, and now the call center is inundated with requests. Customer calls are going unanswered because you don’t have enough reps with access to the pension application to help out.
What if the business, without the help of IT, could enable access for an additional set of resources to the pension management application? In other words, the line-of-business (LOB) people do not have to fill out some form on a random SharePoint site that gets sent to IT who forwards it to IT management where it sits because someone is in a meeting, and so on. Rather, the LOB manager can authorize access immediately for the right group of reps, and it’s all logged and audited. The business gets reps on the phone faster, sales increase and the business is … wait for it … more agile.
Other options
There are many other opportunities for an IAM solution to make the business more agile. For instance:
• Provide a gearbox manufacturer’s design partner with access to the company’s chassis design details through federation and the partner’s own self-service application, thus streamlining business.
• Enable single sign-on (SSO) to the new cloud-based lead-nurturing app the CMO purchased without telling IT.
• Give a ship’s captain access to SAP on his iPad so he can update the delayed arrival time into dock when he’s in the middle of the Atlantic.
• Give the $3,000-per-day consultant root access to every machine she needs within five minutes of her arrival at work, thereby minimizing billable delays.
IAM enables mobile and cloud initiatives by mitigating security concerns.
Still not convinced? Let’s look at two of the most overused tech buzzwords of the last five years: cloud and BYOx (where x = device, identity, whatever).
Undoubtedly, your IT management team is wrestling with how to best deal with these phenomena. Perhaps you have remote sales people who want their email (which contains sensitive attachments) on their personal iPhones. Or maybe a VP received a new tablet as a birthday gift and wants to use it to access the financial system.
On the cloud front, maybe you are dealing with “shadow IT” — various departments are procuring their own IT solutions like Campfire for project management or some cloud-based marketing automation system. Or maybe it’s as simple as employees storing confidential material on Box so they can work on it from home on their personal computers.
Whatever the situation, when confronted with these obvious security gaps, the business people almost always sing a familiar refrain, “I need this so I can be more productive and we can remain competitive.”
And then mayhem ensues.
Again, it doesn’t have to be that way. If we look at the IAM investment as a way to enable the business, it can go a long way to mitigating these security gaps. For example, when employees use their own devices for company work (BYOD), IT typically focuses on the “remote wipe” capabilities. But you also need to think about the importance of accurately and tightly controlling access.
Perhaps this tale sounds familiar: An employee is hired to job A and accordingly is given access to applications A1 and A2 and to database A3. Then that employee transfers to job B and is given access to B1, B2 and B3 — but his access to A1, A2 and A3 is not rescinded. Now this employee is able to access resources he should no longer use. Eventually this employee travels and his mobile phone is stolen. Simply by cracking the phone’s four-character security code, the thieves will have access to A1, A2, A3, B1, B2 and B3. Essentially, because this organization had poor access control, the risk of BYOD doubles (or triples, or worse).
You can help build your case for IAM funding by showing how having good access control — one hallmark of an IAM project — enables BYOx while at the same time eliminating 50 percent or more of the risk of the BYOx project.
Advice from Forrester Research
Forrester Research’s report, “Use Commercial IAM Solutions To Achieve More Than 100% ROI Over Manual Processes,” lays out additional advice for making a case for project dollars for your IAM project: [2]
You can only garner executive and business support with quantifiable costs and benefits. Much like a business plan for a startup, IAM requires a plan and cost benefit analysis to justify spending for a project and garner executive support.
Using a spreadsheet to quantify the benefits and costs will force discipline and give you quantified results — readily usable in a presentation to senior stakeholders when asking for an (increased) IAM budget. To build your business case for IAM you must show:
• How much the company is currently spending on manual processes.
• How you stack up compared with other companies.
• How leaving security functions decentralized undermines security.
[2] Andras Cser with Stephanie Balaouras and Jennie Duong, “Use Commercial IAM Solutions To Achieve More Than 100% ROI Over Manual Processes,” Forrester Research, December 4, 2014.