We write often about the concept of “roles” in identity & access management (IAM), but one thing we haven’t written enough about is your own role in the IAM organization, i.e. the roles, responsibilities, skillsets and prerequisites for effectively exploiting an IAM program within an enterprise. It’s really a shame, since knowing who can make the most effective use of IAM products and processes (and how) is more instrumental in validating IAM value for the enterprise than any product feature available or report you can produce. Vendors and customers alike are often missing an opportunity both in the planning and implementation of a formal IAM program when they don’t know who is best able to use the capabilities delivered by that program.
At the current Gartner Security Summit, the presentation given on IAM organization did generate some questions and discussions regarding individual experiences. Most validated the relative immaturity of their existing IAM organizations, while some expressed scepticism that some proposed mature IAM organization models could ever be realized. There were further comments about organizational differences across vertical industries and company size, as well as the need to prepare IAM teams for the advent of service-delivered IAM and the implications for those teams in managing the hybrid environment. Some of the innovative companies present were already tackling this issue.
I think the general consensus that arose from the discussions was the political nature of IAM organizations. While there were aspects of the technology that might guide or direct organizational decisions, this was ultimately not about the IAM technology as much as it was about the processes that IAM proposes to automate or enhance, and the decisions that had to be made within the human network to ensure its effectiveness. Without an enterprise consensus on accountability and responsibility, it would matter little about organization charts, skills training or responsibility matrices implemented. This makes determining your role in IAM alone an ‘interesting’ journey, but it’s great training to deal with where IAM results matter, in the enterprise itself, rather than just the IT department.