IAM planners/architects can greatly benefit from predicting the impact of a prioritization decision on operational risk, before making the actual decision. Why? Because testing an IAM planning decision in a production environment is not cheap. Our review of more than 50 large IAM deployments between 2009 and 2015 found many suboptimal deployments of IAM solutions that is indicative of something not quite working. After some digging, we noticed many IAM decisions are based on arbitrary priorities that cause delays, budget overrun and unrealized expected outcomes. We found in many cases that the primary focus is on satisfying short-term compliance needs, driven by audit or regulatory findings, with less attention to the big picture.
We know that when you have some tactical objectives, you may not like the term “big picture.” But in IAM having the big picture in mind is the magic trick which makes or breaks the key initiatives (e.g. Identity Governance and Administration projects). Gartner has developed a practical starter risk model as the first step toward establishing a comprehensive and consistent operational risk model for IAM. The model’s primary goal is to assess and test key prioritization decisions. It has 100 weighted IAM controls across program disciplines and architectural components that are indicative of the operational risk; assuming these controls properly applied to important coverage areas (i.e. infrastructure and application domains/instances). The model mathematically calculates an aggregated IAM Key Risk Indicator (KRI) that is useful in executive discussions as well. However, the math part doesn’t need a rocket scientist. The model enables IAM teams to:
- Address IAM prioritization problems using scenario analysis,
- Review budget against operation risk impact,
- Discuss the issues with regulators and auditors,
- Effectively track progress, and
- Communicate values generated from risk reduction to business executives.
If you are interested in learning more about the model and try it, check-out our recent report and toolkit at: IAM Risk-Based Planning Model and Toolkit for Reducing Operational Risk. Gartner for Technical Professional subscription is required for access to the research report.
Category: architecture cybersecurity iam iam-strategy-and-roadmap risk-management
Tags: access architecture assessment control decision iam identity management model planning prioritization program risk
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.