The Business Case for Upgrading Your IAM

September 24, 2019

Is it fall budget planning season at your company? Many organizations are thinking now about their 2020 spend, and what percent of their budgets they’ll allocate to security and Identity and Access Management (IAM). If that sounds like you, here are some surprising statistics to keep in mind:

Though IAM currently constitutes just 8.5 percent of most security budgets, more than two-thirds of data breaches are caused by insiders exploiting an identity access vulnerability or by human error—including improper access and misuse of employee credentials.

This shouldn’t be a surprise. In fact, security threats over the last decade have fallen into predictable, repeating patterns. So why do so many organizations fail to act on this knowledge by beefing up their IAM systems and putting preventative processes in place?

Many companies know they have work to do but aren’t sure where to start, what to spend, or how to prioritize. If you’re not sure whether to push for IAM upgrades in your next budget, here are some signs you should act on.

You Have Onerous Manual Processes

If your company is still doing access certifications and identity governance out of spreadsheets and email exchanges, it’s time to look at other options. Manual processes open the door to mistakes, abuse of privileges, outdated information, and audit findings —not to mention the waste of valuable employee time and productivity.

You Had an Audit Finding

An audit finding—whether it’s self-reported or, more critically, discovered by your external auditor—is a red flag that your system needs mitigation. Realizing that former employees still have access, that an inappropriate individual was given credentials, or that user access flagged by a certifier for revocation was never removed are warnings of flaws in your IAM processes. Furthermore, it’s not enough to only secure your sensitive applications: the whole stack must be compliant. Maintaining proper regulatory compliance  can be onerous and time-consuming, so if access governance processes and related regulatory controls are not centrally managed, streamlined, and automated, it can be easy to overlook critical steps—leading to audit findings that carry heavy penalties. Boards and executive leaders know that compliance isn’t optional, and are generally supportive of IAM budget spends to ensure regulatory compliance.

Your Productivity and Morale Are Tanking

For the many companies that don’t have an official IAM system per se—and rely on manual, homegrown scripts and processes—access management can be a huge drain on employees’ time and talent. People who were hired to work on strategic projects get bogged down with provisioning requests, or can’t get anything done while they’re waiting for approvals. Likewise, dealing with problematic legacy systems whose technology is outdated and whose vendor support has expired creates a burden for already frustrated employees. These painful inefficiencies aren’t just discouraging: they can lead to more expensive problems, like productivity loss and turnover.

You’re Feeling Competitive Pressure

Every company is working hard to accelerate innovation, boost sales, and increase productivity, and technology is an important tool for staying competitive. But the need for new technology typically outstrips a company’s available resources. Companies end up weighing every opportunity for investment against multiple competing demands. When organizations are overwhelmed with putting out immediate fires, it often means they don’t have the resources available to work on longer-term initiatives—some of which would prevent those fires from happening in the first place. For example, IAM processes allow for automation and efficiencies that can free up people and money to put towards strategic new investments in technology. In addition, every new opportunity for technology at an organization will have an IAM requirement that is better and more cost-effective to manage when strong IAM processes are in place to support it. Simply put, it’s easier to stand up a new technology when IAM processes are mature enough to easily support that new technology, and more investment dollars will be available when IAM processes are being done efficiently. Mature, well-governed IAM processes don’t just make your existing technology more secure: they can unleash better performance.

How to Know What to Do

Some companies have been so busy putting out fires that they haven’t had a chance to envision a safer future, and need a roadmap for how to get there. Many companies know they need to improve their IAM, but they aren’t sure how to prioritize the work or aren’t familiar with the available solution options. Some organizations want to expand the use of their current systems and get more out of them, but need help figuring out where to work with the IAM vendor and where to do development in-house. Companies that are ready to implement a new IAM solution sometimes struggle to build an RFP that fulfills their vision. And sometimes companies have extremely limited budgets and don’t know how to prioritize the most essential work.

In all of these scenarios, IAM Advisory Services can provide answers—strategy and roadmaps, current-state assessments, vendor recommendations and RFP feedback, or quick-hit advice—that help companies make better budgeting decisions.

Ready to Budget? Make the Business Case

Let’s say you’re ready to execute a risk mitigation strategy, need to improve your current approaches, or have legacy systems that need replacing. As you make your budget plans, here are some factors to consider.

The business case for a traditional IT project often focuses on ROI: buying technology to improve efficiency, increase productivity, or reduce headcount to produce hard, measurable cost savings. Many enterprises even use spreadsheets and complicated modeling to optimize cost-benefit analysis. But experienced executives know these numbers often aren’t believable: in reality, most estimates are overly optimistic and fail to account for a project’s actual costs or quantify its true returns.

IAM projects are primarily driven by risk, rather than ROI. Boards of directors have been quick to recognize the value of IAM because they see the high risk associated with IAM failures. Though failed audits can result in significant financial penalties, a data breach—and the subsequent hit to a company’s brand—can do expensive and irreparable damage. Board members understand that identity and access governance isn’t optional, it’s simply a cost of doing business.

Some organizations worry they won’t be able to justify the costs of upgrading from manual processes to an automated IAM system, or upgrading from a legacy IAM product to a more modern, efficient one. But executives who understand IAM’s impact on the business see the value of centralized functions: reduced risk, more efficient systems, and more productive employees. The cost savings embedded in IAM solutions isn’t associated with reducing headcount: it’s about automating the busy work of access requests, provisioning, and identity governance, so that companies can redeploy their talent to work on higher-level projects that advance business goals.

Tips for Budget Planning

Whether your organization knows what it needs or still needs to figure it out, following are some tips for allocating your budget and prioritizing the most IAM important work.

  • Schedule time to sit down and evaluate your IAM needs: whiteboard it out so you can compare priorities and see impact across departments.
  • Ask internally what needs are, then compare urgency and impact and re-evaluate your priorities.
  • Estimate the effort of each need along with its costs.
  • Apply the numbers (most of you already know your budget range) and draw the line.
  • If you’re shopping for solutions, ensure you have an RFP designed to meet your needs.
  • Evaluate proposals and recommendations according to your timeline (they should be phased) and your budget (they should include estimates.)
  • Know where you’re going: make sure you have a roadmap with concrete, ordered goals and context for maturing your strategy.

Plan Confidently

Are you bumping up against IAM risks, but you don’t know what to do about them? Have you defined your budget, but you’re not sure how to allocate it? Are you wondering how to use your existing resources more effectively?

No matter where you are in your planning process, Integral Partners can help. We have deep experience in providing clients with a range of budget-related services—from strategy/roadmap services and executive presentations to RFP assistance and technical implementations. We enjoy working through the planning process with you, and clients consistently tell us that our input adds the critical value they need. If you want to do successful IAM projects in 2020, let us help you get what you need to do IAM right.