Thursday 19 June 2014

Selling IAM to Business


One question which I usually ask during IAM hiring sessions is “How to sell IAM to business” or “How to convince your Executives for IAM solution”. The answer is normally a long silence or a muddled explanation, confused between security and cost savings, which I believe can never seize the attention of top management.

Not too long ago, Identity & Access Management (IAM) was considered a helper tool for controlling user administration. Thanks to its successful shift from an “IT-centric” technology to a “Business Enabler” technology, IAM projects today have more potential than ever to attract funding, even at a time when budgets for most IT projects remain tight.

The following are some of the key reasons for approving an IAM project.

IAM improves critical processes & reduces operational costs
IAM consolidates and simplifies the enterprise architecture
IAM enhances security, risk management, privacy and compliance
IAM improves user experience and effectiveness
IAM boosts business agility and profitability

Though all of the above points are valid reasons for approval, trust me, the key focus of executives would be on Cost Savings :)

The following are two forms of cost savings that can be achieved by running an IAM initiative.

1. Reduced workload of staff
2. Productivity in terms of money

Now the question is: how and where to start these calculations? It’s always tricky to write an IAM business case, but here is a quick explanation.

Before you start the actual calculations, collect some base numbers related to the workforce, i.e.:

Number of users in the organization
Number of work hours per annum per user
Hours per day
Number of Help Desk (Service Desk) Staff
Number of Security Administration Staff
Number of Access Provisioning/De-Provisioning Staff
Productivity of a typical business user (in terms of hours)

The next step is to collect operational data, i.e.:

Number of new hires each year
Number of retirements/resignations each year
Number of transfers/moves each year
Average time a new joiner waits to get access
Average time a mover waits to get access
Average time spent by requesters/authorizers to fill the ‘access form’ or order access
Productivity of a user waiting for access (in terms of percentage)
Number of ‘access denied’ incidents on service desk each year
Number of password reset requests on service desk each year
Time spent to resolve service desk incidents
Time spent on Password reset cases

Cost savings can now be calculated by considering the reduced workload of the following teams:

Reducing cost on Security Administration staff
Reducing cost on Service Desk staff
Reducing cost on Provisioning/De-Provisioning teams (in case of automatic integrations)

As we also have operational data in numbers, i.e. a typical business user’s productivity, the time required to get access, the productivity of a new user while waiting for access etc., we can easily calculate the following cost savings.

Value of productivity increased due to the immediate access of new joiners
Value of productivity increased due to the immediate access of moved/transferred staff
Cost saved due to the time saved for requesters/authorizers
Cost saved due to reduced service desk incidents related to ‘Access Denied’
Cost saved due to Password reset requests for forgotten/locked passwords
Cost saved due to proper de-provisioning of user accounts (User Licensing cost)
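
As an added illustration (not part of the original post), the Python below turns four of the savings listed above into yearly figures. The formulas, the field names and every sample number are assumptions made for this example; replace them with the base numbers and operational data collected for your own organization.

```python
from dataclasses import dataclass

@dataclass
class Inputs:
    """Constructed sample figures; every default here is an assumption."""
    hours_per_day: float = 8.0
    user_hourly_value: float = 40.0    # assumed value of one productive user hour
    desk_hourly_cost: float = 30.0     # assumed loaded cost of one service desk hour
    new_hires: int = 500
    movers: int = 300
    joiner_wait_days: float = 5.0      # average wait for access today
    mover_wait_days: float = 3.0
    wait_after_days: float = 1.0       # assumed wait once provisioning is automated
    waiting_productivity: float = 0.4  # productivity of a user waiting for access
    access_denied_tickets: int = 2000
    password_resets: int = 12000
    hours_per_ticket: float = 0.5
    hours_per_reset: float = 0.25
    ticket_reduction: float = 0.5      # assumed share of tickets IAM removes
    reset_reduction: float = 0.8       # assumed share of resets moved to self-service

def _fraction(name: str, value: float) -> float:
    """Reject percentages entered as 40 instead of 0.4."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")
    return value

def waiting_gain(people: int, wait_days: float, i: Inputs) -> float:
    """Productivity recovered when `people` wait fewer days for access."""
    days_saved = max(wait_days - i.wait_after_days, 0.0)  # never a negative saving
    lost_share = 1.0 - _fraction("waiting_productivity", i.waiting_productivity)
    return people * days_saved * i.hours_per_day * lost_share * i.user_hourly_value

def annual_savings(i: Inputs) -> dict:
    """Yearly saving per line item, in the currency of the hourly figures."""
    items = {
        "joiner_productivity": waiting_gain(i.new_hires, i.joiner_wait_days, i),
        "mover_productivity": waiting_gain(i.movers, i.mover_wait_days, i),
        "access_denied_tickets": i.access_denied_tickets * i.hours_per_ticket
        * _fraction("ticket_reduction", i.ticket_reduction) * i.desk_hourly_cost,
        "password_resets": i.password_resets * i.hours_per_reset
        * _fraction("reset_reduction", i.reset_reduction) * i.desk_hourly_cost,
    }
    items["total"] = sum(items.values())
    return items

if __name__ == "__main__":
    for item, value in annual_savings(Inputs()).items():
        print(f"{item:24s} {value:12,.2f}")
```

The reduction shares and the post-IAM wait are the figures reviewers will challenge first, so state their source next to each number in the business case.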

There can be many more scenarios, depending upon the organizational use cases and project scope, but I hope this is a good start toward getting approval for an IAM project.