If that doesn’t work its all about changing the context of the solution to a point where the ROI works. IDM as an enabler for Federated cloud based services (Outsourcing for the new age).

When both the customer and vendor understand the business need and the problem that IAM can solve / is solving, the justification simply follows along with benefits. For ex: sometimes customers may just need an User provisioning feature, and in return they get an entire IAM suite. Then the vendor is pressurised to explore the possibilities with the remaining features that are not required.

-ravi

Thanks for addressing a great topic — especially in the current economic climate when justification of any new expenditure faces significant resistance.

One of the challenges anyone trying to justify a major expenditure may face is explaining why the top audit findings as reported by Deloitte are in the access controls area, where billions have already been spent on IAM solutions. Are these solutions not effective in preventing audit findings, or is the problems that we haven’t spent enough billions on the problem? See my blog article http://www.cloud-compliance.com/blog/bid/27056/Top-IT-Audit-Findings for a discussion of why access audits remain a major challenge and pain point for many organizations.

- Robbie

P.S. Re: your point #1, IAM will remain not clearly defined if we attempt to use IAM and IdM interchangeably as one of the comments suggests.

Nice piece. It’s worth pointing out this lack of concrete ROI for IdM is not unique to IdM. It applies to most security products and many IT products in general.

In order to get a seat at the Big Boy Table, IdM and security professionals must be able to communicate and measure the values of IdM and security in terms that business understands. Can we make a CFO understand why IdM is a worthy investment? Every investment’s value to the business eventually boils down to profitability and risk reduction. Efficiency gain is a good start on profitability, but there are more that can be modeled and measured. Risk is the other big one that security folks never bothered to talk about beyond qualitatively. Talk about IdM’s value in terms of business risk reduction, then we get a seat at the table. Can IdM help to reduce the following risk (in quantitative terms)?
- Reduce / prevent loss of service
- Reduce / prevent loss of data and privacy
- Reduce audit failure and avoid remediation cost
- Reduce regulatory fines and contractual penalties
- Reduce damage to brand, reputation, customer trust
- Prevent lack of business agility (opportunity cost)

Ed King