Get Your IAM Project Back on the Fast Track by Considering Business Agility

• Solve today’s (and tomorrow’s) security threat
• Deliver business value by driving enhanced agility

How to position your IAM request so it gets funded

I know what you’re thinking at this point: ‘Sure, Bill, I understand what you are saying. Rather than beg for IAM solutions as a security-only play, I should update my request with how this investment will make the business better. But that’s easier said than done.’

To be sure, there is no one way to ensure a successful request. But I can provide you with several examples of how others have positioned their IAM projects to ensure new, additional or continued funding.

IAM improves productivity by easing the delegation of access.

In most companies, the rank and file employees might schedule their own travel and complete their own expense reports, while management gets an executive assistant (EA) who acts on their behalf. But what if the EA to the vice president is out sick the day that the VP needs to change 3 flights while traveling in the Far East? How fast can your IT department provide a different EA with the access required to perform the last-minute travel change on behalf of the primary EA? More to the point, what happens if that timeframe isn’t fast enough and the VP gets stuck overseas and misses his or her child’s baseball game? Likely, the VP arrives back at HQ and chews out the VP of IT.

In this situation, what’s the value of being able to reassign or delegate access rights? Pretty vital. But in reality this is just a provisioning and access control function of an IAM solution. Scenarios like this should help you to recast IAM as an enabler of business agility — in this case, by keeping VPs traveling, but more broadly by keeping the company productive.

IAM improves agility by putting access decisions in the hands of the business.

Has something like this ever happened to you? Marketing, in its never-ending quest to generate interest and additional business, launches a new campaign. In this case, the goal of the campaign is to drive additional pension contributions, which are handled by your pension management application. And lo and behold, the campaign works like a charm — except that marketing failed to forecast that success, and now the call center is inundated with requests. Customer calls are going unanswered because you don’t have enough reps with access to the pension application to help out.

What if the business, without the help of IT, could enable access for an additional set of resources to the pension management application? In other words, the line-of-business (LOB) people do not have to fill out some form on a random SharePoint site that gets sent to IT who forwards it to IT management where it sits because someone is in a meeting, and so on. Rather, the LOB manager can authorize access immediately for the right group of reps, and it’s all logged and audited. The business gets reps on the phone faster, sales increase and the business is … wait for it … more agile.

Other options

There are many other opportunities for an IAM solution to make the business more agile. For instance:

• Provide a gearbox manufacturer’s design partner with access to the company’s chassis design details through federation and the partner’s own self-service application, thus streamlining business.
• Enable single sign-on (SSO) to the new cloud-based lead-nurturing app the CMO purchased without telling IT.
• Give a ship’s captain access to SAP on his iPad so he can update the delayed arrival time into dock when he’s in the middle of the Atlantic.
• Give the $3,000-per-day consultant root access to every machine she needs within five minutes of her arrival at work, thereby minimizing billable delays.

IAM enables mobile and cloud initiatives by mitigating security concerns.

Still not convinced? Let’s look at two of the most overused tech buzzwords of the last five years: cloud and BYOx (where x = device, identity, whatever). Undoubtedly, your IT management team is wrestling with how to best deal with these phenomena. Perhaps you have remote sales people who want their email (which contains sensitive attachments) on their personal iPhones. Or maybe a VP received a new tablet as a birthday gift and wants to use it to access the financial system.

On the cloud front, maybe you are dealing with “shadow IT” — various departments are procuring their own IT solutions like Campfire for project management or some cloud-based marketing automation system. Or maybe it’s as simple as employees storing confidential material on Box so they can work on it from home on their personal computers.

Whatever the situation, when confronted with these obvious security gaps, the business people almost always sing a familiar refrain, “I need this so I can be more productive and we can remain competitive.” And then mayhem ensues.

Again, it doesn’t have to be that way. If we look at the IAM investment as a way to enable the business, it can go a long way to mitigating these security gaps. For example, when employees use their own devices for company work (BYOD), IT typically focuses on the “remote wipe” capabilities. But you also need to think about the importance of accurately and tightly controlling access.

Perhaps this tale sounds familiar: An employee is hired to job A and accordingly is given access to applications A1 and A2 and to database A3. Then that employee transfers to job B and is given access to B1, B2 and B3 — but his access to A1, A2 and A3 is not rescinded. Now this employee is able to access resources he should no longer use.
Eventually this employee travels and his mobile phone is stolen. Simply by cracking the phone’s four-character security code, the thieves will have access to A1, A2, A3, B1, B2 and B3. Essentially, because this organization had poor access control, the risk of BYOD doubles (or triples, or worse).

You can help build your case for IAM funding by showing how having good access control — one hallmark of an IAM project — enables BYOx while at the same time eliminating 50 percent or more of the risk of the BYOx project.

Advice from Forrester Research

Forrester Research’s report, “Use Commercial IAM Solutions To Achieve More Than 100% ROI Over Manual Processes,” lays out additional advice for making a case for project dollars for your IAM project: [2]

You can only garner executive and business support with quantifiable costs and benefits. Much like a business plan for a startup, IAM requires a plan and cost benefit analysis to justify spending for a project and garner executive support. Using a spreadsheet to quantify the benefits and costs will force discipline and give you quantified results — readily usable in a presentation to senior stakeholders when asking for an (increased) IAM budget. To build your business case for IAM you must show:

• How much the company is currently spending on manual processes.
• How you stack up compared with other companies.
• How leaving security functions decentralized undermines security.

[2] Andras Cser with Stephanie Balaouras and Jennie Duong, “Use Commercial IAM Solutions To Achieve More Than 100% ROI Over Manual Processes,” Forrester Research, December 4, 2014.