I thought a bit before writing this, but felt it was necessary to say some of these things due to the increase in inquiries about communicating the value of identity and access management. I suspect the increase is due to IAM moving more into mainstream adoption by mainstream customers rather than ‘pioneers’ that don’t often worry about such things as communicating value to a significant degree.
Communicating IAM value is often necessary to get buy-in into one or more IAM initiatives. There’s also the “getting the money” problem, which tends to be a ‘non-trivial event’ as my physics teacher used to say. Whatever reason you may have, this communication really has very little to do with technology at all. Here are some brutal truths you have to face when crafting a communications strategy for an IAM initiative:
1- You need help. You’ll need others with a stake in the initiative to provide input, an opportunity to discuss and describe the issues in specific forums in their areas, perhaps an opportunity to combine your communication efforts with their own initiatives. In any event, seek out those that may be significantly affected by your efforts and enlist their assistance wherever you can. And by the way– don’t even bother trying to get an IAM initiative going without an executive champion. It seldom succeeds without one;
2- My ‘enemy’ is my friend. This is related to (1) above, but I’m thinking of a specific friend, and that’s the auditor. The great thing about IAM initiatives is that in most cases it directly benefits the work the auditors must do when called in for audits, particularly in the security area. If you provide them with an easier, more comprehensive and granular approach to who has access to what, you’ll get their attention and you’ll also get their support when the time comes to communicate who benefits to those parties who hold purse-strings or influence;
3- I care– but not that much. This means that while you work to communicate the value of IAM to others, you must not become emotionally invested in the delivery. Sure, I know that there may be some job security associated with these efforts, certainly there can or will be productivity improvements for you, but don’t get carried away with this. In the big scheme of things, just knowing that you raised the issue at an appropriate time and delivered it to key stakeholders and decision-makers should be enough. Such an attitude allows you to be professional and pragmatic;
4- They aren’t thinking about you. Another brutal truth is that what seems like something crucial and absolutely necessary for you may just not be that important in the bigger scheme of the business. You’ll need to be prepared to make a case for tying IAM initiatives to strategic principles of the enterprise, to key policies and practices for getting the business done, and more importantly make the case to NON-technical people (e.g. business), but don’t take too long to do it. View most executives and business representatives as uniformly having attention deficit disorder (ADD) and tailor your pitch accordingly. They really don’t think about you that often, so get in and get out quickly;
5- You’re not that special. Remember the context of your IAM requirements with other enterprise requirements, and remember your role in this in the context of other roles you have. IAM is important and so are you– but not that important. If you keep a pragmatic view to what you’re attempting to accomplish, you’re more likely to get something rather than nothing. I suppose this is a polite way of telling you that you aren’t so special that other enterprise needs can’t supplant you as an IAM technology provider. In fact, you hope that you can create an environment where you gradually work yourself out of a job and move on to more “special” things.
It’s all about perspective.
2 responses so far ↓
1 Ed King // Aug 29, 2009 at 2:44 am
Earl,
#3 – #5 is just classic. Love it. IdM or security in general is only interesting to the business if it is relevant to the business. To really sell security projects, prove it either:
1. improves profitability or improves ability to achieve mission (for a non-profit)
2. reduces risk of non-operation (a.k.a. stop making profit or deliver against mission)
If it weren’t for improving profitability or avoiding risk of being shut down, no business would give a hoot about security.
Ed
2 Access Certification CBT/video for non-IT folks « Identity Sander // Nov 19, 2009 at 4:28 pm
[...] Access Certification CBT/video for non-IT folks I’m always in catch up mode with my reading. I finally got to Ian Glazer’s “Access Certification and Entitlement Management” on a plane to California. If you are in the market for access certification, trying to understand how to construct an approach to managing entitlements or just want to understand the moving parts of access in any reasonably complex organization, then this is a must read. What got me thinking most was the tone of the paper. Essentially it boils down to the good advice to make sure you define boundaries for tasks well and get the people from the business who should own the information to become the owners by the end of the process. Ian also encourages you to use whatever resources you can, even if they make strange bedfellows. It reminded me very much (and I’m going to mix analyst firms here so forgive me) of Earl Perkin’s thoughts about making the auditor your friend and making sure you “care, but not too much”, which he communicated at the Gartner IAM Summit last week (and blogged about previously as well). [...]