Part II: Evaluating Your Identity and Access Management Options; Next Steps

In the first of this two-part series, Cicchitto covered the ten stages of IAM deployment. In the second part of the series, he provides advice on deciding the next steps in the process by outlining the four factors for considering an IAM investment, as well as obstacles to success and a long-term view on IAM.

By Nelson Cicchitto

Deciding on the Next Step

How can you tell if your organization really needs to move to the next phase of IAM? What factors will tell you which of the phases is the “ideal” one to aim for as part of your long-term security roadmap?

Fortunately, determining the benefits and ROI of moving through the funnel isn’t really all that complicated. In fact, it boils down to just four basic factors, or questions, that can be used to evaluate a planned deployment. If it rates well on even one of the factors, it may be a good move if that particular factor happens to be a high priority for the organization. But if it does well on three or four, then the considered deployment is probably long overdue.

The four factors for considering an IAM investment are:

  • Cost savings. Does the organization save money by implementing the new solution? Certainly in the case of Wescom Credit Union, there was a savings in terms of reduced help desk calls and an implied savings in preventing a security breach, which could have proved costly.

    A second company, Circles, a provider of loyalty management programs, implemented password management to reduce the number of help desk calls from employees who had lost or forgotten their passwords. In the first year, they estimate that the savings achieved amounted to $4,100 and, at the end of year three, close to $26,000, primarily in staff time.

    To determine if there is a cost savings to be had, evaluate the major costs associated with your current way of handling IAM and how much those might be reduced through automation, deducting any yearly maintenance costs or license fees that the new software will incur.

  • Increase in security. Does the solution provide better protection for the network or the enterprise? One measure of that is whether it provides extra accountability and audit trails for system access and authorization.

  • Compliance. Does the solution help your organization meet new security requirements, such as by archiving records or logging details of all user activity on the system in case of a future investigation?

  • Efficiency gains. This overlaps somewhat with cost savings, although not all efficiency gains are easily translated into hard dollar savings. But any solution that automates a formerly manual activity is likely to be increasing efficiency and, at the same time, reducing the chance of human error.

As already noted, each IAM technology phase will likely have different factors driving its adoption. At Circles, for instance, Ian Roche, technical operations analyst, says that the company plans to implement single sign-on and, eventually, user provisioning and de-provisioning.

Single sign-on is needed, says Roche, to improve both employee efficiency and security.

“We have a number of different applications that require users to log in with unique user names and passwords. They’re not going to remember them all, so they may be inclined to tape them to their monitors or write them on their desk – not good security practices,” notes Roche.

User provisioning and de-provisioning, however, would mainly improve the efficiency of the IT department. As Roche explains, “It takes a lot of time to set up user accounts, delete user accounts, and do all of those sorts of things in a timely manner. We tell the business we need two weeks to provision a new user now, to be on the safe side.”

Obstacles to Success

#1. Lack of Management Buy-in

This is the number one reason that IT projects fail. The problem many IT managers and project leads have, of course, is figuring out how to get executive buy-in and how to know when you’ve really got it. Getting management buy-in entails proving to upper executives that the IT project you propose will either (a) save the company money, for example by automating a process to avoid outsourcing, or (b) make the company money, for example by facilitating integration of an acquired firm’s billing system. If it doesn’t somehow link to one of those two outcomes, then their enthusiasm is bound to be weak. While IT people often have a hard time proving a return on things like better security, there are nonetheless many hard- and soft-dollar returns. As already noted in this article, the cost of a security breach can be huge, and likewise a fine for non-compliance with a government regulation can be expensive and detrimental to the company’s public image. There are also easy-to-show efficiency gains and cost savings from reduced staff time, maintenance, lower bills from outsourcers, etc. Just get out your calculator and start looking.

The second problem is how to know you’ve really got buy-in, and not just a smile and a pat on the head. Years ago, I was charged with deploying a new application for a large petroleum company. Most of the users were highly paid experts who were not interested in changing their work habits. Thanks to strong support from upper management – in the form of a company-wide email as well as a printed letter from the top boss – they adopted the new application with a minimum of complaints. Achieving management buy-in means getting printed letters and emails directly from the top executive explaining the new implementation and why it is good for the company. Anything less than that and you don’t have management support – and you won’t have the support of end users either.

#2. User Adoption. This is the second most common obstacle, and one that is closely linked to lack of management buy-in. The first rule in getting users to adopt a new IAM implementation is to make it clear that the boss’ boss’ boss is mandating it for the good of the company. They need to understand that it’s not your pet project; IT is simply carrying out the boss’ orders. The second is to use a carrot, a stick, or both to encourage compliance. For example, you might tie enrollment in the password management program to a work-from-home program: employees who enroll can work remotely, and those who don’t, can’t. Or, like Wescom Credit Union, you might simply tell the help desk to turn away users who call for help resetting their passwords and to tell them to reset their own passwords from their desktop.

“The hardest part was getting users to use it and not call us,” says Linnie Gooch of Wescom. “We had to send memo after memo. And finally people started to realize that we won’t do it for them anymore.”

In addition, he says, the password management application had been programmed to send an automated reminder email to all users every single day until they enrolled. The nag factor was a big element in achieving an eventual 100% enrollment.

#3. Competing Departmental Needs. This is a political problem that will arise with just about every new IT implementation in an organization with more than a few dozen employees. Every department has its own mission and its own set of problems and, given that IT implementations inevitably touch every department, each will want to exercise control over the project. The key here is not to cede control, but to take the time to get input from every major stakeholder and devise a plan that aims to satisfy the core needs of most groups. Ask each to develop a short list of fundamental requirements and see how many of those can be combined into a workable solution.

#4. Scheduling Conflicts and Reorganizations. Inevitably, just when things are going along well, your top engineer gets sick or has a family emergency. In these cases, you can’t change events, but you can have a Plan B and Plan C ready for the loss of important team members. Good documentation and information-sharing between IT staff help to ensure that critical deployment information doesn’t reside only in one employee’s head.

When it comes to reorganizations, there is even less that you can do to prevent the inevitable. However, assuming that you’ve gotten full management buy-in and this is still a priority, the mere fact of a reorganization shouldn’t derail the project. Continue to show how your IAM project will streamline or assist in the reorganization.

The Long-Term View

Regardless of whatever phase of IAM your organization happens to be at, the long-term strategy should be to regularly evaluate your security needs and decide how well the current IAM technologies are meeting those needs.

Few organizations have completed the entire IAM funnel. But the ones that are successfully mitigating their security risks are those that know why they are at their current level, and under what circumstances they would consider investing in the next layer of IAM technology.

Remember that the IAM field is constantly being redefined. Even though IAM has been around for quite some time, new technologies are streamlining this aging industry. Keep an open mind and an open eye even after you have settled on an existing solution that meets your needs for today. New technologies will drive down your maintenance cost and streamline your processes even further. Most of today’s older IAM technology is revolutionary rather than evolutionary to deploy and disrupts your current business processes. The next generation of IAM technology allows your organization to evolve as the technology is deployed, avoiding costly business disruption.

Nelson Cicchitto is chairman & CEO of Avatier Corporation. www.Avatier.com
