Every identity professional knows this story: the IAM team is the guardian of security, yet often the last in line when it comes to funding. Budgets are locked to “security outcomes,” and anything that strays into “customer experience” or “digital enablement” is out of scope. You’re expected to protect millions of customer accounts, deliver seamless experiences, and stay ahead of threats—while working with a budget focused solely on security. That’s exactly the challenge we face when trying to evolve our Customer Identity and Access Management (CIAM) platform.

The IAM Team Context and Funding Challenges

In most enterprises, the IAM team’s funding comes from the security bucket. Consequently, budget allocations are directed toward risk mitigation, compliance, and protection, rather than initiatives focused on improving customer experience or encouraging innovation. When your team might see an opportunity to deliver a capability like User managed access (as an example), there’s often no clear financial pathway.  The result? Good ideas stall, and security alone becomes the narrow lens for investment.

Platforms and Historical Practices

Our journey began with a heavily customised, on-premises CIAM platform. Every upgrade was a major event. Adding new features, like 2FA or social login, involved coordination between multiple teams and—inevitably—long delays. The platform renewal cycle was budgeted based on the current needs, not customer needs. 

Efforts to speed up feature rollouts or enhance the customer journey were consistently blocked by numerous dependencies between teams. Even when the value was clear, the process felt like a lost battle. The IAM team’s own funding couldn’t stretch to cover the broader investments required, and other business units had their own priorities.

Challenging the Status Quo

Faced with mounting frustration, our team decided to challenge the historical approach. Instead of waiting for the next renewal cycle or hoping for a change in budget structure, we asked a simple question: “Why are we still doing things this way?” That question, as it turned out, was the spark we needed.

We proposed a small-scale proof of concept (PoC). Using modern CIAM tools, we demonstrated how quickly using out of the box capabilities (OOTB) we could enable modern features, like passwordless login and adaptive authentication, without massive infrastructure changes—just enough to show what was possible. The first step was to present it to the end-to-end architects for initial feedback. It is important to acknowledge and be upfront that with OOTB capabilities, you do loose the control over customisation. With their blessings, we moved onto the next step.

Discovering Broader Value

While we understood that the capability is feasible and can be rolled out, we still lacked the business value. Any business will make an investment when there is something in return. It is hard to quantify the reduction in hours to deliver a capability since it is tied to full time employee (FTE) reduction and every team in organisation is stretched. We started interacting with Fraud and found some savings but that would have not accounted for making the business case. 

While we were interacting with various sections of the business, we met with our frontline support lead (Consumer Channels team) and they had customers calling in with longer wait times to verify themselves. They mentioned that – it is something which was presented to the leadership and are planning to build a custom solution. 

A detailed meeting gave us the following problem statement:

It takes anywhere from one to four minutes to verify a customer when they call our support centre. Every call. Reducing this to 90 seconds or less through automation prior to the call connecting with our team could result in a $900k p.a. saving in the call centre alone.

Building the Business Case

That particular statement carried multiple implications. What followed were a series of meetings to unpack and understand the real problem. Newer start-ups might not have these problems but when you work in a telco where mergers and acquisitions and brand change happened historically, you could develop solutions in siloes just not because you don’t want to collaborate, because – you just did not know. 

What started as a journey to reduce development cycle became a full-fledged program which touches, consumer channels, digital experience, fraud reduction and of course improving the security posture. A project where security also becomes a valuable customer experience.

Lessons Learned

Looking back, several lessons stand out. First, it’s vital to challenge historical practices—even those that seem set in stone. Second, a well-run PoC can be the conversation starter as it makes the concept real. It break down silos and create new alliances. Third, Don’t be fixated on the PoC and the problem statement you started off. Success comes from speaking the language of the business, not just security. By being open to broader problems and looking for opportunities to deliver value, IAM teams can drive lasting change—even when they don’t hold the purse strings.

Most importantly, collaboration is the key. No team succeeds in isolation. By involving other departments, sharing ownership of outcomes, and being transparent about challenges, it’s possible to turn CIAM from a cost centre into a business enabler.

Conclusion: Encouragement for the Journey

For IAM leaders and architects facing similar challenges, know this: you don’t need to control the budget to control your destiny. Start with curiosity, challenge the status quo, and focus on broader business value. Build relationships, share success, and invite others to the table. CIAM success is a team sport—and with the right approach, you can lead the change your enterprise needs.

Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.

Author Bio:

Abhi Bandopadhyay: I manage the outcomes for identity and access management across various workstreams, including workforce, customer and IoT identities in Spark NZ. My primary responsibility is to enable business to understand the complexities of digital identity and make informed decisions

My core competencies are IAM strategy, leadership, security, and delivery. I am responsible for defining the IAM vision and roadmap for Spark NZ, I also champion the principles of modern IAM, security by design, and zero trust mindset, and empower internal teams to leverage the platform for their needs. My mission is to enable Spark NZ to provide secure and seamless digital experiences for its customers and employees.

The post Driving CIAM Success Without Funding Control appeared first on IDPro.

If you have been working in the IAM space for a while it is quite interesting to see how some trends are born, gather momentum, and break through to the mainstream, while other trends fizzle out at some point in their lifecycle. 

Back in 2015 one strong emerging trend was social registration and login. The basic concept was to make it easier for potential customers to sign up for your product by leveraging the fact that the customers already had provided key info to their social network of choice. Instead of typing the same info into your interface the customer could simply share the already provided information. The customer could also leverage their social network to facilitate the login through social logins which meant that they did not have to remember a separate password. The most important social data providers varied in different markets but Google, Facebook, and Twitter were important in most European markets.

In 2015, many enterprises bought entire CIAM platforms whose core functionality was social registration and social login. The conventional CIAM players struggled to incorporate social features in their products to compete with the newer platforms and there were even projects where social logins were built as custom additions to conventional CIAM platforms by professional services teams.

A few years later, the lure of social login and registration was significantly diminished. Consumers are less interested in sharing information between different platforms and in many markets, such as in Germany, the business may feel that sharing information with the American FAANGS may have dangerous privacy implications.

Meanwhile, there has been a budding movement for self sovereign data where the individual consumer has control of their own data in some form of a data wallet on their smartphone. The consumer makes the choice of what data they want to share with whom through consent flows.

This movement did not really take off due to the simple chicken and egg challenge that in order to make it attractive for providers to support the setup you needed a significant consumer population, and in order to make it attractive for consumers to bother with installing and populating the wallet you needed a significant service catalogue. 

In some markets there were digital identity solutions that were successful i.e. the BankID solution in Sweden and Norway and the DigID solution in the Netherlands. These solutions managed to create a significant penetration into the consumer market and achieve critical mass amongst the service providers.

Over the last couple of years the self sovereign identity movement has morphed into the decentralized identity approach and has gotten support from a number of important regional and global players. One example of an important regional player is Datakeeper from Rabobank in the Netherlands and the strongest global proponent is probably Microsoft. The European Union is also a strong proponent of an interoperable European Digital ID.

Over the next year we will see if the decentralized approach manages to reach critical mass in any significant markets and become an interesting proposition for consumers, and therefore a must have integration for service providers and CIAM vendors.

Martin Sandren

Domain Architect IAM, AholdDelhaize

Martin Sandren is a security architect and delivery lead with over twenty years of experience of various information security related roles. Primarily focused on security architecture and digital identity including global scale customer, privileged and employee IAM systems using Microsoft Azure Active Directory, Sailpoint, Saviynt, Forgerock, IBM and Oracle security stacks.

Experience includes architect, onshore and offshore team lead as well as individual developer. Wide international experience gained through having lived and worked in Sweden, Germany, UK, USA and the Netherlands. Martin is a frequent speaker at international conferences such as Consumer Identity World, MyData and European Identity and Cloud Conference.

In my role as IAM engineering manager I lead our global team of IAM engineers and BAs who continuously strives to provide quality IAM services to our 750 000 associates in 20+ opcos.

Martin Sandren is a board member of the IdNext foundation, founder of the Digital Identity Amsterdam meetup and active within IDPro.

Learn more and sign up at: https://www.meetup.com/Amsterdam-Digital-Identity-Meetup-Group/

The post CIAM and decentralized identities appeared first on IDPro.

The conference this year will have a particular focus on Trust, which the Oxford English Dictionary primarily defines as a “Firm belief in the reliability, truth, or ability of someone or something; confidence or faith in a person or thing, or in an attribute of a person or thing.”

Questions of trust lie at the very foundation of our identity systems.  We trust standards bodies to develop protocols that will be useful, practical and secure.  We trust developers and vendors to build products, solutions and services that will implement those standards in performant, scalable and extensible ways.  We trust providers to deliver robust services that we and our customers can rely on.   We trust executives to listen and to support and fund the crucial work that we do.  And, of course, we develop and implement mitigations in case our trust is misplaced.

But trust is broader than this; and trust goes both ways.  As consumers and as citizens, we would like to trust that organisations won’t collect information they don’t need; that they will handle that data safely and properly; that they will keep pace with rapidly evolving best-practices in identity, security and privacy.  A world in which that trust is not assured is an uncomfortable world at best; and many people today live, work or interact in circumstances which are not inherently trustworthy. 

The OED has a secondary definition of Trust.  “To take on (also upon) trust (formerly also †to take up in (also upon) trust  †to receive in trust and variants): to believe or accept a statement, story, etc., without seeking verification or evidence for it.” (Emphasis added).  

Over the past 24 months, we’ve seen an explosion in digital identity assurance and verification programs.  Mobile drivers’ licenses, COVID and other healthcare passes and certificates, digital boarding cards, facial recognition for age verification and in-store check-out… the list is long, and it is growing.  As a result, we’re also seeing an explosion of interest in governance and interoperability within and between use-cases and sectors: trust frameworks, attribute mapping and matching, account linking and more besides.

These advances hold great promise to make our lives more efficient and connected; to reduce friction, and fraud, and risk.  But a balance is needed, too.  Trust is a fragile thing—hard to gain, easy to lose, difficult to rebuild.  Organisations and institutions must take care not to overstep the bounds of our trust, lest they lose our engagement and, in the end, our support.

Trust is an important topic, but it’s certainly not the only issue of note in the industry!  The topic focus each year for Identiverse infuses but does not dictate the agenda and the event.  New and emerging standards and architectures; deployment stories and leading practices; identity for connected devices; new approaches to privacy, security, devops, engineering; sector-specific identity practices in healthcare, manufacturing, government, education, financial services and more; and specific identity-related disciplines like CIAM, auth’n, auth’z, self-sovereign, IGA…. That list barely scratches the surface: and your proposals on these and many other topics will inform and contribute to the agenda.

This year’s content committee and I look forward to seeing your proposals; and I trust that we’ll be able to get together in person in Denver in June.

Andrew Hindle

Independent Consultant, Board Member IDPro

Andrew is an independent consultant specialising in digital identity, cyber security and privacy. He is a founding member, and Chair of the Board, of IDPro; he participates as a voting member of the User Managed Access Working Group at Kantara; and he is an active member of the Open Identity Foundation (OIDF).  Since 2015, he has been Content Chair for Identiverse®. Andrew has over 20 years experience in the software industry in a range of technical sales, pre-sales, product marketing and business development roles. He maintains CIPP/E, CIPM and CIPT privacy certifications with the IAPP; a CIDPRO certification from IDPro; and holds a BA in Oriental Studies (Japanese) from Oxford University and an advanced professional diploma in corporate governance. Outside of the world of identity, Andrew is Chair of Trustees for his local scouting group, rides regularly with a local road cycling group, and plays keyboard, guitar and bassoon (not at the same time) with more enthusiasm than skill, and for an audience of one. Andrew is based in the UK.

The post Identiverse® 2022 appeared first on IDPro.