The Black Book of Identity Access Mgmt
    Tuesday, Apr 27, 2010

    Hey boss, can I have a couple of bucks? How to justify an investment in IAM to management

    When I am helping salespeople (oily tho’ they may be) pitch identity, security, and access management to customers, I am typically in front of people who are one step below C-level. Eventually I will end up speaking with a CSO or CISO, at the invitation of my contacts, but for at least the first couple of passes, I’m just shy of the top. And that’s fine. Typically an understanding of relevant technology is inversely proportional to one’s pay grade. So I work with the guys who actually understand how things work, and how those things will help them DO their work. In other words, they comprehend how technology enables their business processes.

    But when they need the cash to make their dreams come true, and build an IAM system their kids can be proud of, they still have to go to upper management with hats in hand and beg for money. While you try to select components based on ability to satisfy your use cases, your boss might think a “use case” is something made out of leather that holds your important papers. Therefore you use simpler terms that business people can get:

    • Efficiency
    • Savings
    • Security
    • Audit support
    • Compliance
    • Fraud prevention
    • Risk reduction
    • Free beer

    Even when my customer champions want to present to upper management by themselves, I will more often than not help them build that business case. It’s a good assumption that salespeople can help you sell to your own bosses. So my teams will often help assemble the package that will loosen the grip on budget and allow the dollars to trickle down. This package translates technical function into business value. It includes the hot buttons:

    • Requirements
    • Risks
    • Return on investment

    One little note here: there's hard ROI, as in actual dollars saved, and there's soft ROI, such as improved user experience, security, improved practices. If somebody tells you they can calculate an actual hard ROI for IAM, smack them in the head.

    As part of the ammunition here, you gather qualitative, quantitative, and anecdotal evidence from within your organization to help you make that case. “Here’s how much time the help desk spends resetting passwords. Here’s how long it takes us to enable a newly-hired user. Here’s how long it takes us to deprovision a terminated user. Here’s how long it takes us to certify user access to a given resource. Here’s how long it takes us to generate reports to support our audits.” And so on.

    In my upcoming book (http://www.amazon.com/Designing-Framework-Identity-Management-Osborne/dp/0071741372), I don’t just cover technology. I cover in gross detail how to assemble this information and ultimately build that business case. Whether you build or buy, or build AND buy, you need budget, as well as official time and resources to put together and deploy an IAM framework. Without the business justification, there IS no opportunity to implement the tech.

    I do identity and access for a living. But all those IT guys out there working for insurance companies, healthcare providers, manufacturers, telecoms, they’re doing it only because it supports their businesses. So they need the support of the business guys, meaning they have to talk the business talk, so they can get the business to pay the bills.
