March 20, 2018

IAM implementation is not about IT!

Maria Nordgren

VP, Sales, Security Services, Tieto

Historically, Identity and Access Management (IAM) has been viewed as a necessary evil. Driven by compliance requirements and managed by the IT organization, the IAM system is too often viewed as an inhibitor, rather than an enabler, of progress. But it does not have to be this way.

A recent report by KuppingerCole and One Identity, titled “The road to IAM success”, looks into what makes a successful IAM program. And not only successful in terms of traditional IT metrics, but successful in the eyes of the business stakeholders as well.

Rather unsurprisingly, then, the first recommendation of the report talks about knowing the relevant stakeholders and involving them early. Or, as my colleague Timo Ahomäki observes in the report: “IAM programs tend to fail when you are too focused on solving IT problems and too late in bringing in other stakeholders”. These stakeholders include not only the business owners and end-users, but also auditors in cases where compliance is a major driver for IAM.

With broad stakeholder participation comes another recommendation in the report: setting the right expectations. While driving for a few quick wins to prove value is always a good idea in any sizeable program, enterprise-wide IAM programs are made of much more than individual success stories. One common mistake is to lose sight of the big picture while concentrating on short-term, use-case-driven targets. Says Martin Kuppinger, the author of the report: “I want to highlight three aspects which are key success factors: Processes, blueprint and KPIs”.

At the end of the day, the success or failure of an IAM roll-out is measured not on how well it meets a set of technical requirements, but rather on how well the result serves everyday business processes of the organization. This includes everyone from auditors, through HR and IT to the eventual end-users. In the words of Wolfgang Zwerch of Munich Re: “Without good processes and clearly defined responsibilities, your IAM program will fail”. Program KPIs, therefore, should take into account the needs of all the critical stakeholders.

The question of KPIs and responsibilities easily leads to a discussion of organization: Should IAM be a separate organization, rather than a part of compliance or IT? The answer, it would appear, depends on the phase of the IAM program. During the design and implementation phase, running organization-wide virtual teams ensures stakeholder participation and avoids an overly IT-centric approach. After go-live, however, a separate organization may well be the best way to maintain focus and accountability.

Echoing many of the interviewed specialists, Martin Kuppinger also emphasizes the importance of communication in all phases of the program: “In large and geographically dispersed organizations, having a dedicated communications person or even team counts amongst the key success factors. Communication is about educating both the business and IT about the changes, the rationale behind changes, and the benefits to the organization and the individuals”.

The report concludes with five key points to consider in a successful IAM implementation program:

  1. Get stakeholder buy-in, and then measure and communicate your wins and improvements.
  2. Define projects of reasonable size within the program and understand the problem areas – knowing the business requirements will help you set the right expectations.
  3. Define the flow of data between the IAM and the wider business, from HR to the target systems, and agree on responsibilities with the owners of all systems around IAM.
  4. Define the organization for both the IAM program and full adoption, as well as for when the project transitions into full adoption.
  5. Understand the future IAM trends and take them into account when planning your IAM program – and update your program planning on a regular basis.

With the world, and the domain of IAM, changing very fast, it may well be the last point that decides the success or failure of your IAM implementation. Building for the requirements of yesterday may well prevent you from fulfilling the requirements of tomorrow. Or, as John Milburn of One Identity puts it in his foreword: “We believe that IAM is a journey, not a destination”.

Download the KuppingerCole report “The journey to IAM success” here.
