Why Every Company Needs an IAM Roadmap

March 5, 2019

What Motivates Companies to Invest in IAM

Why do companies choose to invest in Identity and Access Management (IAM)? Just as people typically visit a doctor only when they’re sick or hurt, most companies initially seek to invest in IAM because they have a problem to solve. They’re worried about a security threat, they don’t know how to manage imminent risks, or their current approaches are at a failure point.

But patients also seek advice from doctors about how to maintain and improve their health over the long term, and companies do the same. When security professionals — whether it’s a CISO, VP of Compliance, Director of Operations, Chief Security Architect, or Manager of Security — want to invest in an IAM solution, they’re often motivated by both opportunity and risk: companies have an inherent interest in both reducing failures and improving processes. Investing in IAM doesn’t just mitigate risk; it can also create efficiencies, improve productivity, and increase employee satisfaction.

Unfortunately, many leaders with security roles lack knowledge or experience in IAM, and therefore don’t appreciate its importance to their overall information security strategy. External breaches may seem like bigger threats than internal ones, so often it’s not until companies have an audit finding or other incident that they are motivated to take IAM more seriously.

What Makes an IAM Investment Worthwhile

When leaders think about making an investment of any kind, they want to imagine that the return on that investment will appear in a tangible, up-and-to-the-right kind of way. Measuring the costs and benefits of IAM isn’t so straightforward: with IAM, for example, the ROI increases when the risk decreases. But there are numerous tangible benefits to implementing IAM solutions, too. Here are some that can directly impact a company’s bottom line.

  • Enhanced risk mitigation. Avoiding expensive, reputation-damaging breaches is one of the most important functions of any identity governance solution.
  • Improved audit compliance. Preparing for and complying with audits can be automated with IAM tools and processes, reducing the chances of fines or failures.
  • A single source of truth. An identity governance and administration (IGA) system provides a single, consistent, scalable way to view and manage identities across the company.
  • Improved productivity. Simplifying certifications, integrating IAM systems, and streamlining processes help eliminate waste and complexity — saving time and resources.
  • Increased employee engagement. Broad-scope IAM solutions enhance collaboration and introduce best practices for improving the quality of work with less manual effort.
  • Reduction of insider threats. Eliminating unnecessary employee or contractor access to sensitive data, through identity monitoring and management, reduces the potential for malicious or negligent acts.
  • Improved ROI on existing cyber security investments. Identity-based ecosystems integrating IGA, PAM, SIEM, and other tools create more comprehensive, efficient security architectures that improve the overall value of aligned investments.

As Companies Evolve, Their IAM Needs Evolve, Too

Companies with a developing level of IAM maturity may be thinking, “we need to do better than this.” They often find themselves taking a triage approach to security, identity, and access issues, dealing with issues as they arise rather than having a holistic strategy. In some cases, these companies have addressed a particular business or technical problem by implementing a particular tool, only to discover another problem has popped up elsewhere. Often the problems that need fixing are obvious, but without a strategy and roadmap these companies don’t know how to go about addressing them.

Companies at this stage are ready to define a more holistic solution for their identity problems, one that integrates their tools and provides a clear strategy. Having already educated themselves about the IAM issues they face, and with some experience in implementing IAM solutions, they are positioned to execute changes that yield broader benefits to the business.

Companies with tooling already in place may discover that they need to mature and integrate those tools. Perhaps they installed an access management system but don’t have a team to manage it. They may see that they’re missing out on features or customizations that could make them more productive. Or they acknowledge opportunities for valuable data analysis, if only they could better share data between their applications.

No matter where companies find themselves in the IAM lifecycle, it can be helpful to ask themselves these questions:

  • Where is our company in its understanding of access management and identity governance, and where do we need to be?
  • Who are the non-IT stakeholders in our company who will be impacted by identity initiatives, and do they know the importance and benefits of being involved?
  • Do we truly understand the drivers and challenges of our current environment and feel comfortable that our strategy addresses them?
  • Do we fully understand the compliance requirements of the environment, and do we manage these in a centralized way?
  • Is our strategy inclusive of non-IT needs, including users and managers?
  • Have we developed a roadmap for implementing IAM processes, technologies, and cultural adoption, and is it working for us?
  • Are we executing against our strategy, or have our requirements changed so that we need to adjust?

In The End…

Every company should have an IAM strategy, an understanding of the right tools for their requirements, and a roadmap for implementation. Companies with strategies, roadmaps, and a phased delivery approach can accelerate their project outcomes, better manage scope, secure long-term executive and stakeholder support, and reduce costs by up to 20 percent. But every company has different needs and priorities, and as companies evolve, their needs and priorities evolve, too.

Over time, companies should invest in fine-tuning their IAM strategy. They’ll want to get up to speed on a trending technology or how to respond to an emerging threat. Those with adequate technology in place often want to know how to improve the “people” aspects of IAM: implementing processes based on best practices, ensuring adoption, and increasing cross-departmental collaboration. Sometimes a company experiences rapid growth (either organically or through acquisitions), and suddenly has more identity management challenges than it has the infrastructure to handle. Or there could be a significant change — new leadership, or new compliance regulations — that motivates a company to realize it still has gaps to fill.

The case to invest in an IAM strategy is clear and compelling. All companies can benefit from an assessment of their unique state and where they are today, and from a detailed map for the way forward. When they know their options for managing risk, complexity, costs, and compliance, companies can align their strategy with broader business goals and develop a realistic plan for implementing it.