Earl Perkins

Many Gartner analysts (including myself) just returned from our U.S. Symposium event in Orlando, Florida this week. As this was my first Symposium as a Gartner analyst, it was both a new experience and an old one. It was new in the sense of scale and audience type, it was old in the sense that I have participated in many other Gartner summit events and Symposium had similar characteristics in terms of logistics and content.

It was a privilege being there– the depth and variety of customers and vendors was much more extensive than in specific security and identity management events that I normally attend. But the context such variety provided gave me some new perspectives on the identity concerns of clients more than ever. Below is a comment or two about those perspectives:

1- IAM is still relatively new to the big scheme of “infrastructure management”, and it’s multi-faceted solutions (some for infrastructure, some for business management) demand more rigor than we afford it today. Have you ever experienced the problem with memory when you try to think of the correct answer, but an incorrect answer “gets in the way”, i.e. you keep thinking of that same word or phrase you know is wrong, but can’t clear it to get to the correct answer? The thinking about IAM is like that today– we have essentially an answer for what it is as perhaps a set of utilities for IT administration, or a set of reports for compliance needs, when it has grown past that. The youth of IAM prevents us from exercising a solution’s full potential, and is something we must correct. The wrong answer must be cleared out the way to make room for the correct one;

2- There should be NO discussion about “IT and the business”– IT IS the business, is part of the business, has always been part of the business, and should act like they’re part of it. This is why we consistently see IAM treated as some kind of plumbing first for IT administrators and others to get their IT job done and/or to make the IT job easier for IT—– NO! First, it’s more than that, and second, we consistently cede a valuable seat at the table of business decision-making when we perceive IAM’s value as merely that of a utility. Certainly, I’m the first to say that we as IAM professionals must know our place in IT and in IT security, but by the same token we have gradually reached a level of recognition as a contributor to accountability in the enterprise– knowing who can do what and how, and being held accountable for those actions (i.e. accesses). IT is the business– and IAM is not just IT.

3- Simple is hard. The means by which we in IAM can summarize this value of the discipline to those who want problems solved for them still eludes us. The 3×5 card, the elevator pitch, the 2 minute value statement– we bury decisionmakers, stakeholders and budget holders in PowerPoint minutiae, and as my college John Pescatore says, describe the problem very well without providing an answer to it. While describing the problem can sometimes be hard,  describing answers to it that are effective can be harder. When IAM professionals get that one shot to justify their budget requests and do so on behalf of the business, they have to be succinct, to the point, and —- well, be the business people we know we are and can be. Talk like it. And bring some answers, not some problem statements.

There are a lot of other perspectives, and they will no doubt make up some future comments in future blogs on lessons learned at Symposium. Many of these were not new lessons, but hearing them from countless customers who face them on a day-to-day basis brings focus to your purpose as an analyst.  It’s not enough to try to be a ‘prophet’– you also have to be a good problem solver, and/or recognize solutions when you see them and spread the word.

2 Comments »

Category: Uncategorized     Tags:

Share