Does your IAM program need an Identity Refresh?

Bill Dixon of Integral Partners discusses how an Identity Refresh engagement helps ensure an existing Identity program stays agile, addresses new trends, maximizes current and new tools, and adjusts to changes in the way companies do business.

Things change fast – in business and that world that influences it (2020 anyone?).  Companies need a way to ensure their Identity and Access Management program stays agile and evolves to address new technologies, opportunities, and internal business process changes.

Integral Partners “Identity Refresh” leans on their 20+ years of experience with IAM to help companies to do just that.

Bill Dixon, VP of Client Services at Integral Partners, discusses why the Identity Refresh advisory engagement was created, who it’s aimed at, and his experience with it on real-world projects.

Q: Hi Bill. Can you tell me about the genesis of the Identity Refresh offering?  

A: Advisory Services are an important part of what we do. Our long history with IAM gives us a unique perspective. Many of our customers rely on that history to help evaluate their needs and provide recommendations regarding the tools and processes that will make up their IAM program.

When we provide an IAM roadmap, it’s usually a 2-3 year plan (this varies depending on client needs).  Over those years, internal and external changes that affect the roadmap are inevitable.  Whether it’s reorganization within the business that leads to process changes, corporate structure changes like acquisitions, or outside influences like we’ve seen in 2020.

The IAM ecosystem is also quick to change and evolve.  This presents an opportunity to adopt new workflows, capitalize on new features, and identify new technologies that can help.

Because of these changes, our customers will often ask us to give their program a fresh look. They want help validating that the original recommendations are still accurate.  Do they need an updated strategy and roadmap based on change?

Another reality is that roadmap implementation doesn’t always go as planned. I recently worked with a client whose original roadmap included PAM, IGA and Access Enforcement recommendations.  Over the last year they were able to tackle IGA, but had fallen behind on the implementation of Access Enforcement and PAM. They asked us to help determine what had caused them to fall behind and what process changes could help get them back on track.

So as we began seeing more of these requests, we decided to formalize the Identity Refresh offering.  Since then, the demand has increased rapidly.

Q:  Why do you think that is?  Why the increased demand?

A: The difficulties that 2020 has placed on businesses are obviously a big factor. The dramatic increase in remote workforces has been challenging. It’s put a special strain on Identity and Access Management programs and made companies more aware of the importance of keeping their IAM program agile and effective.

Cost is also a big factor.  Budgets are receiving increased scrutiny.  Haphazard processes not only waste a lot of time and effort, but the resulting security issues can put a business at real risk.

Part of an Identity Refresh engagement involves evaluating their current technologies vs the new demands that change may have brought.

New tools and features can provide cost reductions, so that’s another area where we provide value. We also make sure that the company is maximizing their previous purchases.  It’s not uncommon to find their current tools have evolved and can now address new gaps, but they’re unaware of these changes and are missing out on a big opportunity to improve security and automation.

Q: Beyond a “refresh” for Integral Partner clients, where else have you seen interest?

A: A common request comes from companies who have taken on creating an IAM roadmap themselves. They’ve used internal resources but underestimated the level of expertise and breadth of knowledge they’d need.

Another common scenario is where a company has hired outside consultants that don’t fully understand the IAM ecosystem.

When done correctly, Identity and Access Management is a program, not a project.

A lot of companies claim to have IAM experience, but they really only have siloed experience with one area of Identity.  They might have experience with privileged access or another single domain within the IAM ecosystem.  Because of that, they approach solving the problem as a project, not understanding that it’s about building a complete program.

There’s a lot to understand within IAM.  Relying on resources that only have experience with one area of Identity can result in incomplete programs that cause gaps and security vulnerabilities.

That’s where the expertise of one of our Advisors can really help. They’re focused on all aspects of IAM. They’re experts in the leading tools and have experience in many different verticals.  That perspective allows them to provide a complete solution that’s tailored to fit the unique needs of each company they advise.

Q: Any specific areas within IAM that you’ve seen drive the need for a refresh?

A: Customer Identity Access Management is a good example. Two or three years ago, CIAM planning and implementation was owned by Marketing.  That’s the team we would engage with during a project.

However, over the last few years the focus of CIAM has shifted. It now falls under security – not marketing.  So many CISOs now have to figure out how their Customer Identity and Access Management program fits into their overarching IAM program.

We’ve done many engagements with companies that already have an IAM roadmap, but now need help incorporating CIAM into their program.

Q: How can a company determine if they’re ready for an “Identity Refresh?”

A: Beyond my earlier examples, another very common scenario I see where IAM hasn’t received the proper focus. One of the larger consulting firms may have provided an “overarching security assessment” and IAM was just a small piece of it.

Those types of projects often only scratch the surface. They don’t tend to be robust or tailored enough.

They’re also often missing actionable next steps. That’s a complaint we hear all the time.  Whether the initial engagement was provided by the “Big Four” or a smaller consulting firm, the client is left feeling that they don’t really understand what the next steps are…

“What are the actionable next steps?  Can we solve the gaps identified with our existing technologies, or do we need to find other tools? As automation is improved, how can we best reallocate in-house expertise to strengthen our IAM program?” A lot of competitors don’t provide these answers.

Nothing is worse than spending the time, money and effort on an IAM assessment and being left with a pretty report with no actionable recommendations or roadmap to success.

Big changes in the way a company does business is also the perfect time for a refresh. Whether they’re caused by external influences like COVID and the associated increase in remote workforces, or internal influences like mergers, acquisitions or process changes.

Q: Finally, do you provide a template that these engagements follow?

A: We do have a proven methodology that is the foundation of an Identity Refresh, but this isn’t cookie cutter engagement.

Every company is unique – in the way they do business and the way they approach security. An Identity Refresh is always tailored to the business needs of the client.  If there are potential gaps that they want addressed, we make sure to focus on them.

We make sure to address your workflow, architecture, regulations, budget, tools and unique needs so that you come away with a tailored approach that fits your business. You’ll know what’s working, what opportunities for improvement exist, and what steps you can take to make them.

We pride ourselves on being experts in IAM who are easy to work with, transparent, flexible, collaborative and excellent communicators.  Those principles help make our Identity Refresh engagements successful.

You can learn more about offering here:  Identity Refresh Advisory Engagement