2021 IAM Budgeting: 9 Tips to Help Ensure You’re Secure

October 6, 2020

As discussed in our recent blog post, “4 Weaknesses COVID has Exposed in Your IAM Program (and how to fix them),” 2020 has forced many companies to reevaluate their identity and access management support. The weaknesses COVID has brought to light, and the resulting stress it’s caused, have motivated many companies to address these issues in their 2021 budget.

Tips for Planning Your IAM Budget

As you plan your IAM investment for next year and beyond, here are 9 tips to help ensure you plan appropriately and get what you request approved. 

Tip #1:

Focus the business case on the business risks related to compliance, security, efficiency, and productivity rather than being overly focused on financial ROI.  

Most often, we’ve found that as organizations spin up a well-run IAM Program, it comes with vast improvements in each of these areas, but rather than delivering hard cost savings in, for example, reduced IT headcount, it allows those highly skilled team members to focus on higher-value tasks.

Tip #2:

Set realistic cost estimates based on the availability and skills of existing staff, the need for purchase of new IAM technologies, and the professional services assistance required.  

When done right, the cost of an IAM program is a fraction of much larger business application projects (like ERP implementations). But like an electric utility, it’s expected to be available 24×7 to quietly power the enablement of intelligent, timely, and seamless access to business applications and systems (see Okta’s article ‘How Identity and Access Management Quietly Powers Your Company’).

Tip #3:

Reference the increased needs that COVID has caused.

Review the 4 weaknesses we described in our previous blog and see if you identify on some level with one or more of those (if you’ve gotten this far then you probably have).  If these are pain points for your organization, each can be leveraged as justification for investment in an IAM program.

Tip #4:

Company size doesn’t matter.  There’s a right-sized solution for everyone. 

If you’re a small to mid-sized business that historically hasn’t been able to afford a full-blown IAM program, don’t dismiss the possibility out of hand.  There are more affordable, cloud-based IAM offerings available that can be sized and tailored appropriately to your needs.

Check out our IdentityNow SaaS Implementation Service Subscription offering as a great example of a flexible Cloud IGA solution.

Tip #5:

Align PAM, IGA, and AME priorities with your organization’s larger initiatives like Zero Trust/CARTA, Consumer Experience, and Cloud-First.  

If your organization has strategic programs like these, your IAM Program plays a critical role in their success.  For example, Customer Identity and Access Management (CIAM) provides the fundamental user registration, password management, access delegation, and MFA capabilities that are key to any successful Consumer Experience improvement initiative.

Tip #6:

Take a holistic view and set realistic expectations.  An IAM Program is a multi-year commitment and must be funded sufficiently to ensure business agility and flexibility for the long term.  

Some organizations we’ve worked with started their IAM journey with the expectation that the purchase and deployment of a good Access Management (SSO), IGA, or PAM tool would do the trick, but soon learned that there’s much more to it. A holistic view of an IAM Program shows that, as with all important programs required to run an enterprise, the appropriate sponsorship, policies, business processes, people, skills, and technologies must work hand in hand to ensure business user adoption and deliver the promised business value.

Tip #7: 

If you already have an IAM strategy and roadmap, give it a thorough review to be sure it adequately represents priorities in the primary IAM domains listed below, and focus your budget planning around closing critical capability gaps.

  • Privileged Access Management (PAM) plans for ensuring all critical application privileged credentials are vaulted and secure, including those used by remote workers.
  • PAM goals are prioritized by risk and effort based on criticality of the system and data.  Obviously, not all applications’ data and business functions are created equal, so prioritize based on the business risk a system compromise would create.
  • Identity Governance and Administration (IGA) strategy addresses pandemic learnings related to workforce lifecycle management, centralized visibility, control of access, and governance processes to neutralize insider threats and mitigate compliance-related risks.
  • Access Management and Enforcement (AME) capabilities for remote workforce (B2E), B2B, and B2C are given proper consideration and priority to lock in secure authentication and authorization to business-critical applications.  This should include multi-factor authentication, single sign-on, and appropriate use of technologies such as OAuth to enable access delegation between organizations. 

Tip #8:

Positioning for mergers and acquisitions or going public. 

For organizations planning to grow in the coming years through mergers and acquisitions, include this as a strong business justification for investing in your IAM program.  Companies with strong IAM programs are much better positioned to integrate organizations into the ‘mother ship’ within aggressive timelines and budgets.

For organizations planning to go public or that are already public, investing in an IAM program is a must to comply with various government regulations public companies have to meet.  If your organization hasn’t already made the investment or is struggling to maintain funding and support, your business justification will include all things access governance, such as: Periodic Access Certifications, Workforce Lifecycle Automation (especially “Mover” and “Leaver” lifecycle events), Business Role Definition and Role-based Access Control, Access Request & Approval, Separation of Duty integration, and identity analytics/AI for enabling intelligent access provisioning and governance.

Tip #9:

Leverage your “Use it or Lose it” 2020 Budget on IAM

This is the time of year when underspent project funds may be available for reallocation to your IAM program. If you’re in this situation, consider making the case to leverage some of those dollars for laying some groundwork for your 2021 IAM plans. Depending on where you are in your IAM journey, the priority may be to develop an IAM strategy and roadmap, or any number of other foundational capabilities that every IAM program begins with, such as:

  • Identity data cleanup in authoritative source(s) (e.g. HR), such as hierarchical reporting relationships, location data, contact data, etc.
  • Integrating identity authoritative sources and Active Directory birthright account provisioning (on-prem and/or Azure) with an IGA system
  • Contingent workforce identity lifecycle management
  • User access review and certification for ERP and other business-critical applications
  • Gather information on privileged account usage so you can understand the scope of the population and can make plans to control and monitor privileged access with a PAM tool

IAM Budgeting Workshop

We hope these tips are helpful, regardless of how far along you are on your 2021 IAM budget. It’s not an easy process, especially if this is the first time your company has had to invest in IAM (or take it more seriously).

If you’re not sure how best to proceed or would like feedback on your IAM budget, Integral Partners has the depth of experience to help you plan and build the business case.   

We offer free consultation to educate and give expert input to help get you started.  From there, we offer a wide range of services, including a Budgeting Workshop, where one of our IAM experts will help evaluate the current state of your program and propose solutions to fit your unique needs.    
