IGA Adoption Practices and Challenges: Part 2 – Sponsorship and Adoption
Failure to secure the proper involvement of executive sponsors and failure to win user adoption in every area impacted by IGA are chief reasons implementation projects struggle. IGA touches every aspect of an organization and continues to affect operations as internal users join, move, or leave the organization while increasing numbers of external users are given access to protected information assets. When one examines the complex system integration needs of an IGA tool, it is easy to see the cascade effect on systems that support these user movements. IGA integrations need to be complete and fully operational to enable the automation advantages of IGA and achieve the return on investment expected by executive sponsors.
Here are key points in this area, and how we advise addressing them:
IAM is often a new term for many executives; it may include many acronyms only the organization’s information security staff understands. A successful IAM program starts with education all the way up the hierarchy, translated into business benefits and improved user experience and efficiency. To remove obstacles and secure buy-in from multiple departments, leadership must understand and support the IAM strategy and the projects that support it. This education is an ongoing activity and is imperative for any successful project.
Integral Partners has experience in educating executives as part of our advisory services. In a recent client engagement, for example, the Integral Partners consultants developed a board-level presentation and coached the Information Security leaders on how to present the information to their upper management. Terms and use cases were written from a technology perspective, but with a strong business driver behind every “why” in IAM. Executives received the business enablement approach well and grasped why IAM is important, why they were investing, and what benefits it would bring.
The classical project management definition of a stakeholder is anyone on whom the project makes an impact. This is a broad net, including many groups that are often left out of the discussions. This is a mistake that often leads to delays or stoppages down the line, when a group suddenly realizes the impact of the change and demands that the tool be modified so that it works for them. Excluding these groups may speed up the beginning of an IAM project, but it slows down or derails the project later. Do the work ahead of time to get full stakeholder representation in gathering requirements, testing, and approval.
Stakeholder management is fundamental for project success. At a recent client site, Integral Partners worked with a project sponsor that had significant resistance from an executive who did not see the value of the IGA tool. The initial reaction was to push ahead with the project, as the executive did not have the authority to directly stop the work. After doing an assessment on the stakeholder’s organizational reach, we showed that the project could continue, but the executive’s persuasion and authority were enough to create obstacles that would slow implementation. We convinced the partner to allow us to include this executive in our stakeholder list. Through interviews and discussions, we identified the executive’s concerns and worked to resolve them. He became one of the project’s biggest champions and helped significantly with the deployment.
Communication and training
IGA tools represent a big change for all users, not just IT. Users rely upon applications and systems to do every aspect of their jobs. IGA changes how they request and get that access. It also changes how managers review and approve the access. It is important to identify training and communication needs right at the beginning of the IGA project and plan for them from scheduling and budget perspectives.
Companies have vastly different training and communications campaigns for introducing new technologies. Top-down organizations often simply communicate the change via e-mail, and the rest of the organization is expected to comply. Others require a bottom-up approach, working to get training and information to every user, answer questions, conduct booth-style events in common areas, post signs introducing the tool, and employ several other means to get the message out. Integral Partners has been involved with all types and has developed communication strategies for every part of the spectrum.
Retirement of legacy IAM systems
IGA tools often replace manual processes and sometimes automated processes as well. Inertia can keep users and managers from changing to the new tool. Support staff may continue to support old tools to make customers happy. Existing systems are often seen as “good enough.” If executives are not involved in requiring change, users don’t see the reason to adopt new systems. Also, if training is not in place to show the users how to use the new tool, they will be even more reluctant to embrace the change. Ensuring that both sponsorship support and training are in the project plan will do a lot to encourage users to adopt the new systems. Integral Partners recommends as a best practice that retirement of old tools be part of the project plan, shutting down old methods and converting to the new IGA system.