The Right Way to Create an IAM Strategy and Roadmap
Recently we shared some reasons why every company needs an identity and access management (IAM) roadmap, and what motivates companies to seek help in developing their IAM plans. But what does this process entail, what are the results, and what’s distinctive about the way we do it? When companies decide to build a strategy and roadmap with Integral Partners, here’s a look at what they can expect.
Discovery Is the First Step
The first step in developing an IAM strategy and roadmap is to gain a thorough understanding of the customer’s current state. This step is critical because an accurate picture of an organization’s current state yields a more realistic strategy, helps the roadmap meet time and budget expectations, and results in successful buy-in and support down the road. Here are some of the ways we develop a deep understanding of our customers’ current environments, needs, and goals.
- Understand the How. To better prepare and develop context before we begin a project, we’ll ask to see specific artifacts and documents that help us understand how the organization currently functions. These may include any existing IAM policies and procedures, IAM architectural diagrams, relevant audit findings, and an overview of the network and server environments. We’ll also want to know the current technology inventory: what are the main applications and systems being used, and how they are set up and customized.
- Understand the Who. We’ll develop a demographic profile of the organization: how many users there are, where they’re located, and who gets access to what. We’ll want to look at org charts showing the structure of the organization, who approves access requests, which users are employees or non-employees, and how HR interacts with the existing IAM process — how hiring and firing (onboarding and offboarding) are handled, for example.
- Understand the Why. Understanding the drivers for an organization’s IAM project is crucial to the project’s success. It ensures that leaders are on the same page about their reasons for investing in IAM, sets clear expectations for the project’s outcomes, and helps champions justify the project internally. Organizations can better align their IAM projects with broader business goals when their motivations and challenges are clear to all involved.
As part of the discovery process we typically will conduct interviews with people across a range of departments. IAM affects nearly everyone in the organization — from executives to the office of the PMO, IT, Legal, and HR — and a solid roadmap incorporates the perspectives of both leaders with decision-making authority and support technicians fulfilling identity requests. We’ve found that engaging early on with stakeholders also helps to introduce visibility and support, which means more realistic strategy with better buy-in.
From Discovery to Deliverables
When the discovery process is complete, the next step is to conduct an analysis of what we’ve learned. This analysis becomes the set of deliverables each company needs to take the next step in its IAM journey. For some companies, this means a roadmap and a strategy. Others might need a competitive assessment, an IGA recommendation, or advice on the best way to handle role-based access. Here are some examples of the deliverables we can provide.
- Architecture. We develop a map that captures how IAM currently functions at the organization and represents all the systems, architecture, tools, users, and connectors. We ensure that this map accurately reflects the organization’s environment, processes, patterns, and challenges. Using this “big picture” of the organization’s current state, we work with project leaders to co-create an architecture that reflects the ideal state.
- Roadmap. From the delta between the current and the ideal state comes the roadmap. The roadmap details the actions companies need to take to get from A to B, and helps companies prioritize these actions and put them in the appropriate order.
- Tool Recommendations. Integral Partners will help customers score and recommend tool vendors. With a deep understanding of each customer’s requirements and extensive knowledge about the best tools for every situation, we can match the needs to the appropriate vendors. We also can provide guidance for customers wondering if an alternate tool from one they’re currently using might be a better fit.
- Process Improvement Recommendations. Customers often ask how they can improve their current way of doing things. As part of our analysis we will note where processes could be simplified, accelerated, or de-risked, and provide concrete recommendations the customer can enact.
Why Work with an IAM Advisor
In most organizations, leaders are heads down running the business and don’t have time to plan and manage a detailed IAM project: conducting a comprehensive evaluation and articulating a strategy and roadmap require bandwidth that most security employees don’t have. IAM advisors focus exclusively on the business of identity, with expertise in both strategy and implementation. While in-house employees are busy keeping the lights on, advisors can help companies focus, improve, and advance their IAM strategy with confidence.
Even the most seasoned CISO with fulltime responsibilities might struggle to keep a thumb on the pulse of the latest vendors, best practices,, and solutions. Advisors make it their business to abreast of effective approaches and new developments so we can bring better solutions to customers. Advisors know the tradeoffs of cloud vs. on-premises platforms, legacy integrations, and identity as a service (IDaaS). We know what other companies in healthcare, financial services, or retail are doing; what are the best practices for large, multinational firms; and who has tried (and failed) with a similar process, and why. We also can help organizations maximize value in vendor negotiations with insight around current market pricing.
When companies can’t move forward because of miscommunications, office politics, or a lack of transparency, IAM advisors can be a positive influence. As objective experts we often can ask questions a manager can’t. We can surface problems and potential dependencies, and open a dialogue that eases interdepartmental friction. Operating with this level of openness improves the success rate for projects, provides incentive for change and improvement, and yields ongoing communication benefits to organizations as they implement and operate their IAM systems.
A Tailored Approach Matters
Some IAM advisors choose to take a simple templated approach in their methodology and deliverables: Their discovery process may consist of a generic survey, and their deliverable is just the results of the survey — rather than a comprehensive analysis of the organization’s needs, business drivers, and next steps. Certain advisory firms may assign junior staffers to handle the legwork of the discovery process, and then hand off the results to senior staffers for analysis — which can overlook the business context and jeopardize the analysis accuracy. Other firms swarm advisory projects with staffers and billable hours that aren’t necessary, and can prove expensive for the customer.
Integral Partners customizes its methodology and deliverables because this is the best way to meet the needs of our customers. Our comprehensive discovery process is performed by the same expert advisors who do the analysis, deliver the strategy and roadmaps, and even implement future systems. Our team has been on both sides — as buyers and providers, in companies grappling with IAM problems and the companies fixing them — so we know how to design solutions that are both cost-effective and a good fit. Our goal is to help customers design successful solutions that are on-time and on-budget, and the best way to do this is by working with trust, transparency, and thoroughness.
Delivering a strategy and roadmap to customers is never the final step: it’s critical to identify next actions, so that organizations know how to keep their momentum moving forward. We will help customers identify a project leader and team, engage vendors, and continue building relationships with stakeholders. We will map out the steps companies need to take to stand up a program, from hiring and role definition to deployment and management. We will ensure that appropriate knowledge is transferred to those in operational roles, and provide guidelines for headcount onboarding, and education.
The advisory process often creates visibility, understanding, and excitement, which can generate the buy-in necessary to get a project completed. The interviews conducted during the discovery phase serve not just to share knowledge but to socialize the project, make stakeholders feel heard, and validate their contributions to the roadmap. To carry this momentum forward we craft the roadmap to front-load projects that show ROI quickly. This sets the tone for kicking off future projects in a way where companies feel confident, informed, and supported.