by Greg Smith
Are you taking full advantage of all that your IDPro membership has to offer? One of the best resources we have is our Slack space, where we all have easy access to each other to discuss any topics or problems we face in our daily jobs. There are many channels of identity-related conversations available, from working from home (#wfh) to available #gigs to #certification. There’s a generally humorous #random channel, and even a #pit-boss channel for all things barbecue and smoked meat. Who knew?
Just last month, there was a very good conversation in the #general channel on the value proposition for Identity & Access Management. The initial question was (of course) “Why is it so hard in 2021 to push Identity and Access Management initiatives within the enterprise?” The ensuing discussion among the 10 of us who participated was enlightening. In general, we found that unless we actually work at an identity company, our leadership most certainly does not understand identity, or the value it can bring to the enterprise. Identity and security, and IT in general, are viewed as costs to be minimized. In order to free up investment dollars, we need to make a business case to our leadership and address their many misconceptions. It also doesn’t help our case that identity has always been invisible to our leaders – it’s just there in the background and works. All the non-IT decision makers ever encounter is a password prompt and periodic MFA ceremonies (which they often complain about). Oh, and access reviews. They really love those, right?
A significant piece of the solution is education. I saw this myself in my last job, where we had a months-long education campaign among senior IT and business leaders to get them on board with our own program. It behooves us as Identerati to not bore those leaders with dry, complex, identity-specific jargon. We need to adjust our entire pitch “to align with the listener’s comprehension ability” and experience. Being able to automate role assignments to reduce the need to request access, go through approvals, and conduct subsequent periodic reviews was a goal they liked, but to get HR to realize they had skin in the game in terms of providing meaningful attributes about people to enable automated assignments was a huge challenge. When we finally got through to them with real-world examples, it was like watching a metaphorical light bulb flicker to life above their heads. We need to be sure our pitch also includes things our leaders are going to be interested in, such as passwordless authentication, better user experiences, and the business outcomes that will (positively) affect key objectives: better customer experience, better customer (or employee) retention, and reduced risk, for example. For an enterprise, anything that improves the first-day onboarding experience for new hires is a great enticement. Another strong selling point is illustrating how your IAM program can create consistency in aid of digital transformation. IAM is so much more than a compliance box to be checked. Once an organization’s process and control objectives are documented, IAM will likely be critical to meeting those objectives, and not meeting them can affect the organization’s reputation and bottom line.
In addition to educating those leaders who hold the purse strings, we also need to educate other key stakeholders within the organization, specifically our application owners and developers, whose priorities are focused on application features, performance and uptime, and user experience. Getting them aligned to use SSO is typically easier than having them adopt centrally managed roles and permissions, but either way, putting IAM into an application owner’s critical path as a potential point of failure is a tough sell. You need to be able to show them the advantages of adopting your IAM service to get them on board.
The other topic that came up was mandates to adopt IAM services and how that fits into the overall application lifecycle. For an existing application, a mandate to adopt is a tough sell because it means retrofitting the IAM integration into the app; there will be resistance. For apps that are earlier in their lifecycle, there’s greater latitude to integrate your IAM service into the design. The key thing is to get to app owners as early as possible, starting now.
To wrap up, the recurring theme throughout was that it’s really about selling your IAM program to everyone, whether it’s the IT leadership, the finance department, HR, app owners, or end users. And to be good at selling, you have to position it as something people will want. That means you really need to make an effort to understand your stakeholders and what is valuable to them!
By the way, make sure you check out the Body of Knowledge for an upcoming article on the “Business Case for IAM”; in the meantime, you can find a link to the current draft article in the #bok channel of our Slack space.
My thanks to members Michael Jean-Jacques, Brian Simoni, Mark Russell, Ted Tanner, Marc Boorshtein, Ian Glazer, Lance Peterman, Matt Topper, and André Koot for the engaging discussion on Slack. Additional thanks to Jon Lehtinen, James Dodds, and Andi Hindle for their invaluable assistance in crafting this article.
Chair, IDPro Editorial
Greg Smith has been implementing Identity & Access Management solutions for over 35 years. He holds BSEG and MSBA degrees from Bucknell University, where he also began his professional career before moving into the pharmaceutical industry in 1996. After a 25-year career there, he recently retired from Johnson & Johnson, where he led the engineering team for J&J’s single sign-on, risk-based authentication, multi-factor authentication, access governance, directory synchronization and virtualization, provisioning automation, and PKI services. He has spoken at Identiverse® and other industry events on numerous occasions. He was recently CIDPRO™ certified, and is also a founding member of IDPro, where he currently chairs the editorial committee.