Identity Professionals often struggle to identify and obtain funding for improvements they believe are critical to the business. To help make better connections to funding, this article publishes initial results from our (still open) survey on organizations’ top IAM drivers. It also recommends good practices for identifying your organization’s top drivers for IAM and closing the gap to funding.
Figure 1: Top IAM Funding Drivers Survey Results
The chart above shows the initial results from a survey we’ve promoted on our blog, LinkedIn, Twitter, and via ID Pro as well as IAM User Groups in the U.S. Our respondents are primarily worldwide identity or security professionals from multiple industries responding on behalf of their employers or clients. For more information on these results, a detailed recap will be posted here. Note that the survey is still open and you’re welcome to add your response. Our goal is to eventually get enough responses to be able to slice and dice by region, industry, and other parameters.
In some ways the survey results aren’t surprising. Few respondents identified drivers we hadn’t already put on the menu. However, they ranked them a bit differently than we had expected (as shown in the mind map below).
Figure 2: Survey Results (Top 1-5) we Expected to See
Although Compliance was the top driver from the survey, respondents were primarily concerned with its audit-focused sub-category. We expected privacy-focused compliance would rank higher with the May 25 EU GDPR deadline looming when we initially ran the survey – especially considering anecdotal evidence that many organizations aren’t fully ready for GDPR. We also expected more uptake for “reduce costs.”
Good Practices and The Key to Funding
Security Architects Partners believes the reason for our funding struggles is that IAM programs are cross-functional in nature. HR, Legal, Security, Compliance, Marketing, Finance, and diverse business units (BUs) all have a stake in IAM, but none of them really own it. One of our favorite books – Crucial Conversations – cites research that “80% of the projects that require cross-functional cooperation cost far more than expected, produce less than hoped for, and run significantly over budget.” No wonder they’re hard to fund in the first place!
Although one can sometimes simplify IAM projects to reduce stakeholder inter-dependencies, organizations must embrace cross-functional engagement to make IAM work overall.
Tip: Don’t treat getting IAM funding as a one-and-done chore you’d rather avoid; instead, IAM leaders should work to form and sustain stakeholder relationships using soft skills such as facilitation and dialogue (aka crucial conversations).
Manage the IAM Funding and Delivery Cycle
We recommend weaving the endless quest for funding into an ongoing IAM program for stakeholder engagement. Manage the four interlocking, iterative steps shown in Figure 3. Note that each step may seem easy enough, but IAM leaders must learn the good practices and the pitfalls.
Identify and Claim Your Funding Drivers
Begin with a set of strawman funding drivers you think are applicable to your organization by refining those on the mind map in ways that make sense for your organization or industry. For example, we just finished an IAM Strategy and Roadmap project for a well-known engineering services company. Their top driver is “brand protection” followed by “reaping revenue from customer-facing applications.” These drivers do map to compliance and user experience, but it is best to coin distinctive names for them that your stakeholders will relate to.
Pitfall: You may start with a good list of drivers, but consider it a living document. Don’t get pigeon-holed by failing to look far and wide for new drivers and new perspectives on drivers.
Connect with Stakeholders
The obvious IAM stakeholders include security, compliance, enterprise architecture (EA), HR, legal, privacy office, badging, marketing, and finance. But there are more. To find them, leverage staff’s institutional knowledge of who’s who and consider circulating surveys to find known IAM needs in BUs. Once you identify the stakeholders, connect with them through one-on-one outreach, focus groups, and other awareness and communication efforts. You need to make each stakeholder see their operational, compliance, and business-enabling IAM needs and ways that your proposed roadmap can fulfill them. Until each stakeholder has helped you refine your funding drivers further, you may not have really connected with them.
Pitfall: Some organizations have been hollowed out by outsourcing, cloud-sourcing, offshoring, and high levels of staff turnover, downsizing, and retirements. Institutional knowledge may be limited. Morale and/or trust in IT may be low. This can make it difficult to locate all the stakeholders, or to get good survey responses. But don’t give up! EA, Finance, and Security colleagues can help by providing IT- and BU-level budgets and strategic plans. These and other artifacts – such as application identity repository content or even activity logs – can provide vital clues as to where excessive costs of IAM silos, IAM-less business processes, and other pain points or unmet needs exist. Where there’s an IAM pain, there’s a potential stakeholder. Just ask around until you find the project, application, or artifact owner you think may be in pain.
Building the Business Case
If you’ve refined your funding drivers and connected with stakeholders, the business case won’t be hard to build. The idea is to lay the groundwork early in the funding and delivery cycle. Then formalize information from your discovery efforts as follows:
- Identify prioritized gaps, issues, and solution requirements
- Quantify current process costs and resources
- Specify program goals
- Quantify or justify benefits
- Develop a financial model that suits your stakeholder and sponsor budgeting styles
- Identify investment costs, including net opex and capex increases or reductions
- Quantify any risks reduced
- Include any other tangible (e.g., revenue increase) or intangible business benefits
Pitfall: Trying to get funding for the common good by passing the hat can be a hard sell – except to those stakeholders that realize an immediate tactical benefit. Don’t ask all your stakeholders to sacrifice; do ask them to support you as the business case goes up the chain to C-level approvers that will, hopefully, become project sponsors. The more stakeholders behind the business case, the better the credibility.
Tip: We recommend using Factor Analysis of Information Risk (FAIR) to quantify risk reduction. FAIR can help you build scenarios to quantify both the worst case and annualized costs of not having the right controls, and also identify systemic controls that help with multiple risk scenarios. We try to use FAIR, at least at a high level, in all our business case development or architecture improvement engagements to help clients prioritize and organize roadmap activities.
Tip: Even if you don’t get all the required funding at first, keep your eye on the following long-term goal: Institutionalize the funding and delivery life cycle by establishing a truly cross-functional identity governance structure.
Well-defined business drivers, a good business case, and strong stakeholder communications are the keys to implementing the IAM capabilities your organization most needs, and to making sure stakeholders have your back. At this point, you can focus on delivery: implementing value through a solid roadmap, well-executed projects, and some early wins.
Hand in hand with every business case, implicitly or explicitly, make the Big Case for identity governance. Even if the organization already has an IAM Steering Committee, be sure it stays relevant. Maintain buy-in, attendance, interest, and awareness. There lies the long-term future of IAM funding and the whole IAM program.
As with so many things in life, institutionalizing the identity funding and delivery cycle is about the journey as much as the destination. By following the strategies in this White Paper, you should be able to land the funding needed.
In the process you will have brought together existing stakeholders and discovered new ones. You will have refined the funding drivers and played them back to the stakeholders. You will have created a cross-functional team to help articulate the business case and sell the program to executive sponsors. You will have engaged the sponsors and stakeholders in an IAM Steering Committee to provide ongoing identity governance.
References and Links
- Patterson, Kerry, et al. Crucial Conversations: Tools for Talking When Stakes Are High. 2nd ed., McGraw-Hill, 2012.
About the Author
Dan Blum is a Principal Consultant with Security Architects Partners, a consultancy specializing in identity management, security, and risk management. He supports global companies with identity/security/risk assessments, architectures, roadmaps, workshops, solution evaluations, and more. He also provides business development, research, and high-quality content for security software and service providers. He has broad industry exposure as a Senior Analyst at KuppingerCole (current), former Gartner/Burton Group VP, and involvement with multiple security and identity associations and standards groups over the years.