
Introduction: Setting the Scene
Every identity professional knows this story: the IAM team is the guardian of security, yet often the last in line when it comes to funding. Budgets are locked to “security outcomes,” and anything that strays into “customer experience” or “digital enablement” is out of scope. You’re expected to protect millions of customer accounts, deliver seamless experiences, and stay ahead of threats—while working with a budget focused solely on security. That’s exactly the challenge we face when trying to evolve our Customer Identity and Access Management (CIAM) platform.
The IAM Team Context and Funding Challenges
In most enterprises, the IAM team’s funding comes from the security bucket. Consequently, budget allocations are directed toward risk mitigation, compliance, and protection, rather than initiatives focused on improving customer experience or encouraging innovation. When your team sees an opportunity to deliver a capability such as User-Managed Access (as an example), there’s often no clear financial pathway. The result? Good ideas stall, and security alone becomes the narrow lens for investment.
Platforms and Historical Practices
Our journey began with a heavily customised, on-premises CIAM platform. Every upgrade was a major event. Adding new features, like 2FA or social login, involved coordination between multiple teams and—inevitably—long delays. The platform renewal cycle was budgeted based on the current needs, not customer needs.
Efforts to speed up feature rollouts or enhance the customer journey were consistently blocked by numerous dependencies between teams. Even when the value was clear, the process felt like a lost battle. The IAM team’s own funding couldn’t stretch to cover the broader investments required, and other business units had their own priorities.
Challenging the Status Quo
Faced with mounting frustration, our team decided to challenge the historical approach. Instead of waiting for the next renewal cycle or hoping for a change in budget structure, we asked a simple question: “Why are we still doing things this way?” That question, as it turned out, was the spark we needed.
We proposed a small-scale proof of concept (PoC). Using modern CIAM tools, we demonstrated how quickly we could enable modern features, like passwordless login and adaptive authentication, using out-of-the-box (OOTB) capabilities and without massive infrastructure changes—just enough to show what was possible. The first step was to present it to the end-to-end architects for initial feedback. It is important to acknowledge and be upfront that with OOTB capabilities, you do lose control over customisation. With their blessing, we moved on to the next step.
Discovering Broader Value
While we understood that the capability is feasible and can be rolled out, we still lacked the business value. Any business will make an investment when there is something in return. It is hard to quantify the reduction in hours to deliver a capability, since it is tied to full-time employee (FTE) reduction and every team in the organisation is stretched. We started interacting with Fraud and found some savings, but those alone would not have been enough to make the business case.
While we were interacting with various sections of the business, we met with our frontline support lead (Consumer Channels team), who told us that customers calling in faced longer wait times to verify themselves. They mentioned that the issue had been presented to the leadership and that they were planning to build a custom solution.
A detailed meeting gave us the following problem statement:
It takes anywhere from one to four minutes to verify a customer when they call our support centre. Every call. Reducing this to 90 seconds or less through automation prior to the call connecting with our team could result in a $900k p.a. saving in the call centre alone.
Building the Business Case
That particular statement carried multiple implications. What followed was a series of meetings to unpack and understand the real problem. Newer start-ups might not have these problems, but when you work in a telco where mergers, acquisitions and brand changes have happened historically, you can end up developing solutions in silos, not because you don’t want to collaborate, but because you simply did not know.
What started as a journey to reduce the development cycle became a full-fledged program which touches consumer channels, digital experience, fraud reduction and, of course, improving the security posture. A project where security also becomes a valuable customer experience.
Lessons Learned
Looking back, several lessons stand out. First, it’s vital to challenge historical practices—even those that seem set in stone. Second, a well-run PoC can be the conversation starter as it makes the concept real. It breaks down silos and creates new alliances. Third, don’t be fixated on the PoC and the problem statement you started off with. Success comes from speaking the language of the business, not just security. By being open to broader problems and looking for opportunities to deliver value, IAM teams can drive lasting change—even when they don’t hold the purse strings.
Most importantly, collaboration is the key. No team succeeds in isolation. By involving other departments, sharing ownership of outcomes, and being transparent about challenges, it’s possible to turn CIAM from a cost centre into a business enabler.
Conclusion: Encouragement for the Journey
For IAM leaders and architects facing similar challenges, know this: you don’t need to control the budget to control your destiny. Start with curiosity, challenge the status quo, and focus on broader business value. Build relationships, share success, and invite others to the table. CIAM success is a team sport—and with the right approach, you can lead the change your enterprise needs.
Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.
Author Bio:

I manage the outcomes for identity and access management across various workstreams, including workforce, customer and IoT identities, at Spark NZ. My primary responsibility is to enable the business to understand the complexities of digital identity and make informed decisions.
My core competencies are IAM strategy, leadership, security, and delivery. I am responsible for defining the IAM vision and roadmap for Spark NZ. I also champion the principles of modern IAM, security by design, and a zero trust mindset, and empower internal teams to leverage the platform for their needs. My mission is to enable Spark NZ to provide secure and seamless digital experiences for its customers and employees.




