I facilitated an analyst-user roundtable during the just-completed European Gartner IAM Summit in London on the topic of “Selling IAM to the Business”. Analyst-user roundtables are great opportunities for conference delegates who are interested in a specific subject to network amid discussion. Since the topic is one about which I am passionate, I couldn’t help being too much like an analyst in this discussion — so I ended up talking more than I should have. For that, I offer my apologies to the participants in an otherwise compelling discussion.
Some participants focused initially on how their IAM programs are attempting to demonstrate value based on automation. This prompted some participants to say that they also saw value in IAM contributions to compliance and ultimately security and risk management. At that point I felt that I had to talk about a slide on IAM drivers and benefits that shows up frequently in our IAM presentations.
This led to an extended discussion of various ways that IAM can contribute direct business value to organizations. I shared some examples of how organizations have been able to derive direct business value from their IAM programs and how aligning IAM program objectives with an organization’s strategic priorities can help to increase the power of IAM business cases. I referenced a couple research notes that were published in 2014 on how to approach such alignment: “Build an Effective Business Case for IAM” (subscription required) and “Market Your IAM Program for Sustained Investment” (subscription required).
This got me thinking about how IGA products have evolved over the years toward providing greater value. At first, provisioning products (one type of predecessor to IGA) focused almost exclusively on automation. Identity and access governance (IAG) products (another predecessor to IGA) entered the scene when regulatory compliance became more of an imperative — and after provisioning products were found to be lacking in that regard. I have made the argument that when provisioning and IAG functionality were merged into unified IGA products, security became the true destiny of IGA.
I’m not suggesting here that IGA is not capable of supporting business enablement through delivery of direct business value. Some business cases have successfully demonstrated how deploying IGA products can indeed accomplish this. However, business enablement with IGA is more like the icing on the cake in a business case rather than the main driver for investing in the technology.
Can we expect another transformation of IGA to the point where it can be assumed to deliver direct business value? I don’t believe such a shift is inevitable, but I can’t rule out the possibility. This will certainly be a thread of inquiry in my speculation on the future of IGA.
Read Complimentary Relevant Research
Managing Risk and Security at the Speed of Digital Business
Digital business challenges the basic principles of information risk and security management. Risk and security leaders must understand...
View Relevant Webinars
Ransomware Protection: Facts and Myths
Solutions for preventing, detecting and recovering from ransomware have strengths and weaknesses. What are the true facts, and what myths...
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.