IAM Roadmapping: Why, When and KPIs to Measure
Highlights of Simeio’s May 13th “Ask Me Anything Coffee Talk Series”
Last Wednesday, Simeio held its latest “Ask Me Anything Coffee Talk Series”. The topic was “IAM Roadmapping.” The session hosts were Batool Aliakbar, Director of Delivery at Simeio Solutions, and Neda Pitt, VP of Information Security at Cisco. Here are some highlights from the Q&A.
Why and when does an organization need an IAM roadmap?
The answer depends on the key initiatives and goals of the organization. The key drivers, or pain points, tend to be online services, adding a new service or product, consolidating disparate data from employees and customers, providing distributed access to various systems, and responding to an audit finding. An IAM roadmap provides a blueprint for technology implementation and processes. It helps move the organization from its point of pain to the objective it wants to achieve.
Beyond the reactive response to a problem, IAM is the basis for a strong, strategic security posture. Without IAM controls, security risks become too great and leave organizations vulnerable, putting the organization, its stakeholders, and its customers in jeopardy. It is always better to plan and roadmap a solution than to react to a problem under pressure, when time is not on your side.
What are some of the KPIs that are important to measure in IAM?
Key performance indicators (KPIs) are critical for justifying IAM, gaining budget approvals, and showing the realized value of the investment. We typically set KPIs based on the organization’s IAM maturity level. Applied KPI areas can include managed authorizations, single sign-on, and multi-factor authentication.
KPIs apply metrics to determine the benefit of each function. Did the function streamline the process, and how effective and efficient is that process to the organization? For access and identification, how many identities are being managed? Are they managed effectively? Are they audited, and passing audits on a regular basis? How are orphaned accounts and privileged accounts managed? Are you streamlining their management processes and reducing risk by having those accounts managed by IAM? How does that compare to the management and risks without IAM?
After determining the organization’s objectives and roadmap strategy, we can put KPIs into three categories.
1. Security risk – How far have automated provisioning and management of privileged accounts reduced the associated risk factors, and which metrics support that?
2. Application and business efficiency – Are users getting the right access to their applications from day one, or waiting weeks?
3. Adoption and user experience – Is the process of getting access to an application cumbersome, complicated and annoying, or is it simple, quick and easy?
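The three categories above map onto measurements that can be taken from an identity inventory. The following script is an added example, not material from the Coffee Talk or from Simeio; it computes one set of metrics per category (orphaned and privileged accounts under IAM control, time to access, SSO and MFA uptake) from a small constructed inventory. The `Account` fields, the `INVENTORY` rows and the `AS_OF` reporting date are hypothetical; a real run would pull these values from the IAM platform or directory.

```python
# Added example (not from the Coffee Talk): computing the three KPI categories
# from a constructed identity inventory. Field names, the AS_OF date and the
# inventory rows are hypothetical stand-ins for data exported from an IAM system.
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

AS_OF = date(2020, 5, 13)  # reporting date; pending requests are measured up to here


@dataclass
class Account:
    name: str
    owner_active: bool       # False: owner has left or no owner is recorded (orphan)
    privileged: bool         # admin, root or service account with elevated rights
    managed_by_iam: bool     # lifecycle governed by the IAM platform
    mfa_enrolled: bool
    sso_enabled: bool
    requested: date          # date access was requested
    granted: Optional[date]  # None while the request is still pending


# Constructed sample inventory; values are illustrative, not real data.
INVENTORY = [
    Account("alice", True, False, True, True, True, date(2020, 5, 4), date(2020, 5, 4)),
    Account("bob", True, True, True, True, True, date(2020, 5, 4), date(2020, 5, 5)),
    Account("carol", True, False, True, False, True, date(2020, 5, 1), date(2020, 5, 15)),
    Account("dave", True, False, False, False, False, date(2020, 4, 20), None),
    Account("svc-backup", False, True, False, False, False, date(2019, 11, 1), date(2019, 11, 1)),
    Account("erin-old", False, False, True, False, True, date(2019, 6, 3), date(2019, 6, 4)),
    Account("frank", True, True, True, False, True, date(2020, 5, 11), date(2020, 5, 11)),
    Account("grace", True, False, True, True, True, date(2020, 5, 12), date(2020, 5, 12)),
]


def pct(num: int, den: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the population is empty."""
    return round(100.0 * num / den, 1) if den else 0.0


def security_risk_kpis(accounts):
    """Category 1: orphaned and privileged accounts, and how well IAM governs them."""
    orphaned = [a for a in accounts if not a.owner_active]
    privileged = [a for a in accounts if a.privileged]
    return {
        "orphaned_accounts": len(orphaned),
        "orphaned_privileged": sum(1 for a in orphaned if a.privileged),
        "privileged_managed_pct": pct(sum(1 for a in privileged if a.managed_by_iam), len(privileged)),
        "privileged_mfa_pct": pct(sum(1 for a in privileged if a.mfa_enrolled), len(privileged)),
    }


def efficiency_kpis(accounts, today: date = AS_OF):
    """Category 2: how long users wait for access; pending requests count up to today."""
    waits = [((a.granted or today) - a.requested).days for a in accounts]
    day_one = sum(1 for a in accounts if a.granted == a.requested)
    return {
        "median_days_to_access": median(waits),
        "day_one_pct": pct(day_one, len(accounts)),
        "pending_requests": sum(1 for a in accounts if a.granted is None),
    }


def adoption_kpis(accounts):
    """Category 3: uptake of the SSO and MFA capabilities the roadmap delivers."""
    return {
        "sso_pct": pct(sum(1 for a in accounts if a.sso_enabled), len(accounts)),
        "mfa_pct": pct(sum(1 for a in accounts if a.mfa_enrolled), len(accounts)),
    }


def kpi_report(accounts, today: date = AS_OF):
    """All three categories in one dictionary, ready for a dashboard or a budget deck."""
    return {
        "security_risk": security_risk_kpis(accounts),
        "efficiency": efficiency_kpis(accounts, today),
        "adoption": adoption_kpis(accounts),
    }


if __name__ == "__main__":
    for category, values in kpi_report(INVENTORY).items():
        print(category, values)
```

Two design points carry over to real data: still-pending requests are counted against the reporting date rather than dropped, so a backlog shows up in the median instead of hiding; and the privileged-account percentages use privileged accounts as the denominator, so a small number of unmanaged admin or service accounts (such as the orphaned `svc-backup` row) is not diluted by a large user population.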
Should a roadmap be constrained by an existing budget, or highlight risk that will be eliminated, and use it to justify the budget?
The answer depends on your own risk appetite in how you highlight the organization’s risk. We prefer to start with an assessment of where the organization is today: where are the gaps, what are the risk factors, and what risk reduction and associated cost savings would the IAM solution bring? Then compare that with the identified gaps, potential risk impact, and cost to the organization without it, and put that data up against what the roadmap recommends to close those gaps and reduce risk. Another advantage of a roadmap is the ability to spread the IAM costs out over years.
An approach that helps senior executives and board members really understand the potential risks, and how IAM can mitigate them, will go a long way toward securing budget approval. With this background and understanding, the budget can also be fine-tuned if necessary.
We just scratched the surface of this 30-minute Coffee Talk. There are other compelling questions, including, “Should the IAM roadmap be aligned with other IT initiatives?”, “Should there be multiple roadmaps, for short, medium and long-term?”, and “When creating an IAM roadmap, who is the audience?”
If you want to learn more, you can watch this, and other on-demand Coffee Talk sessions at https://www.brighttalk.com/channel/17142.
We hope you can join our next Coffee Talk, where you can chat with IAM experts, ask questions and gain insights into how you can lower operational costs and achieve greater security and privacy using IAM.