IAM funding challenges? Think like a business leader

A couple of weeks ago, we started talking about cybersecurity spending and how we, as security professionals, need to rethink prioritizing those budgets to match the cyber threat landscape. One key takeaway: identity and access management (IAM) is chronically underfunded compared to other, more glamorous security initiatives.

Today, we want to arm IAM leaders in their efforts to challenge the traditional approach to budgeting and provide a framework for justifying IAM program costs to boards, executive leadership teams (ELT) and other decision makers.

The business value of IAM

Traditionally, IAM investment has been justified by emphasizing operational efficiency. Maybe because IAM has historically been closely tied to internal IT support, costs are often measured on a per-ticket or per-call basis, with operational efficiency initiatives aimed at reducing helpdesk calls. We did this for the last 20 years of IAM, and very often we still do.

However, business is changing. The post-ransomware, post-pandemic, post-office (no pun intended) world demands a better way to justify IAM investment. It’s time to focus on the tangible business value that IAM brings to your organization.

Normally, when discussing IAM, we would start listing the amazing ways it helps drive business agility, lowers costs in many ways and enhances employee productivity. But for this blog, we’re focusing on the mindset rather than the benefits. The key mindset shift is to allow the business side to dictate the terms. Every organization has priority business goals for the quarter, the year and the foreseeable future – and every initiative, including IAM investment, needs to align with those goals. The first step is to understand these business initiatives – whether they focus on risk reduction, KPI growth or digital transformation – so that IAM investment aligns with the corporate-wide mandate.

Depending on the organization’s high-priority initiatives, we need to align the IAM program to them. This might mean reshuffling your own IAM priorities, bringing forward certain elements while crossing out some less relevant items. Often, it’s just a matter of changing the language and correctly mapping IAM benefits to business initiatives.

Some mappings are straightforward: digital transformation is almost certainly a focus area for most organizations, usually owned by a C-level decision maker like the CTO, CIO or CMO. As an IAM leader, reach out and explain how IAM investment is a prerequisite for, and a dependency of, the digital transformation, and how it can help that initiative at every step of the way. Again, keeping it general, the goal is to find the business imperative and align the IAM program with it.

Alignments between IAM and business priorities

Reaching out to the relevant decision makers and forming alliances is the next step. Building good rapport is always a best practice, but when it comes to justifying IAM investment, proactively reaching out and providing detailed explanations of the proposed program can turn a C-level executive into an advocate of the IAM program. Everyone is measured on something; find a way to help others reach their goals by supporting your initiative.

There are some great examples where IAM programs naturally align with business priorities. A marketing effort led by the CMO can get support from a CIAM investment that brings all customer identities under the IAM program, offering a holistic view of the user to the marketing department – an invaluable competitive edge in e-commerce or retail. Similarly, a healthcare provider focused on de-risking operations would likely be keen on strengthening its cybersecurity posture, and IAM can offer incredible returns on security investment. By providing a customized message that maps IAM benefits to business outcomes, you simply reinforce these natural alignments.

In every mature business, initiatives are measured against benchmarks of success. KPIs (or key risk indicators in risk management) are the language of that mapping. Show decision makers how IAM results directly influence those KPIs. For example, in a CIAM use case, better UX could lead to easier customer onboarding, less churn and higher spending per visit – all key metrics for a CMO. Similarly, achieving cybersecurity certifications usually requires significant IAM investment in privileged access management (PAM) or access management (AM), while qualifying for cyber insurance (a CFO initiative) might require MFA. It is important to remember that your KPI is not their KPI. While your IAM project might be measured on time-to-value, roll-out speed or adoption metrics, these metrics may not be meaningful or valuable to other members of the organization.

Board-level or ELT-level initiatives typically fall into one of three categories.

  1. Risk-based initiatives focus on business continuity, resilience, and protecting user and corporate data. Access management, PAM and log management (for recognizing and containing breaches) map easily to these initiatives.
  2. Quality-based initiatives focus on business processes, employee productivity, efficiency and cost reduction. Automation and user lifecycle management map easily, as does SSO-based license trimming (like behavior-driven governance).
  3. Growth-focused initiatives, be it revenue/profit growth, headcount growth, or growth through acquisition, also have important IAM prerequisites, whether in UX, automation or just facilitating an efficient merger.

Make a permanent shift in mentality

In the end, this shift in approach to justifying IAM program spending shouldn’t be a one-off for budget debates. There are long-term benefits to shifting the mindset of the IAM team to think alongside business needs and business initiatives, and to proactively align the program with the corporate-wide mandates. This doesn’t come naturally to every technologist, but it’s part of the career arc of any IAM leader in waiting.
