We write often about the concept of “roles” in identity & access management (IAM), but one thing we haven’t written enough about is your own role in the IAM organization, i.e. the roles, responsibilities, skillsets and prerequisites for effectively exploiting an IAM program within an enterprise. It’s really a shame, since knowing who can make the most effective use of IAM products and processes (and how) is more instrumental in validating IAM value for the enterprise than any product feature available or report you can produce. Vendors and customers alike are often missing an opportunity both in the planning and implementation of a formal IAM program when they don’t know who is best able to use the capabilities delivered by that program.
At the current Gartner Security Summit, the presentation given on IAM organization did generate some questions and discussions regarding individual experiences. Most validated the relative immaturity of their existing IAM organizations, while some expressed scepticism that some proposed mature IAM organization models could ever be realized. There were further comments about organizational differences across vertical industries and company size, as well as the need to prepare IAM teams for the advent of service-delivered IAM and the implications for those teams in managing the hybrid environment. Some of the innovative companies present were already tackling this issue.
I think the general consensus that arose from the discussions was the political nature of IAM organizations. While there were aspects of the technology that might guide or direct organizational decisions, this was ultimately not about the IAM technology as much as it was about the processes that IAM proposes to automate or enhance, and the decisions that had to be made within the human network to ensure its effectiveness. Without an enterprise consensus on accountability and responsibility, it would matter little what organization charts, skills training or responsibility matrices were implemented. This makes determining your role in IAM alone an ‘interesting’ journey, but it’s great training to deal with where IAM results matter – in the enterprise itself, rather than just the IT department.
Category: Uncategorized Tags: IAM maturity, IAM organization, IAM responsibilities, IAM skills, IAM training

Earl Perkins

1 response so far ↓
1 Robert Craig July 1, 2009 at 1:27 pm
Earl,
You’re absolutely correct that consensus is essential when it comes to making the most of IAM deployments. We have long felt that for an IAM initiative, like any other strategic initiative, to be successful, due consideration must be given to the intricacies of dealing with the social and political environment. You can have the best technology available, but if you don’t have the right people tasked with oversight, and decision makers and users can’t work together, it won’t be nearly as effective. Having said that, I don’t think there’s any argument that, in today’s legal and regulatory environment, large organizations with thousands of employees must have advanced IAM technology and strategies in place in order to keep up with the flood of daily access changes.