IAM Success Is About Expectations
There is a fine line between success and failure, and it is called “expectations.”
I learned a lot about selling while I was at CA. One of the lessons, we were constantly reminded of was that “we keep score in sales.” At CA we certainly did that. At the end of the year some of us would find ourselves on safari or on a Mediterranean cruise or sleeping above the water in Bora Bora while others were looking for a new job. We kept score and it mattered. A lot.
What we were not told is that winning or losing was a function of the opportunity in front of us. The opportunity invariably boiled down to one’s territory and one’s quota. If you had the right quota and the right territory your chances of a paid luxury vacation were significantly higher than if you were selling the wrong product to the wrong people while carrying an unrealistic quota. I often told younger salespeople that every year they needed to evaluate their territory and their quota and determine whether or not they should dust off their resume before bad things happened to them. There really was no getting around this. Quota and territory mattered.
Six plus years of consulting have taught me that IAM program owners are in a similar situation. Success is determined by expectations. Those expectations are not nearly as clear cut as a sales quota but the consequences are just as real. If an IAM program owner is asked to deliver fine grained Role Based Access Control to 150 applications, a new access request system for thousands of internal business users, improved certifications all while making the organization more secure their chances of failure are much higher than a program manager that has been asked to deliver reasonable results to the business.
The challenge that IAM program owners face is that oftentimes they feel compelled to define the value of an IAM program as being both broad and deep. Budgets might not be available if the value proposition is not perceived as being comprehensive. The truth is that identity professionals need to recognize that career cul-de-sacs are paved with unreasonable expectations and that they are the ones that must ensure that the projects that are funded are the ones that can be delivered.
So, what is reasonable for a medium/small enterprise that is planning to develop an Identity Governance and Administration program for the first time? Most are going to want to benefit from both IT optimization and enhanced security/governance. So, be reasonable. Define the first phase of a project as being birthright provisioning to at most ten critical applications. Define a few very basic roles that will allow for provisioning to those critical applications. Keep the processes for those that are transferring jobs simple and focus as much as possible on creating visibility around who has access to what across a broader set of applications. If you want to really mitigate risk, promote a first phase that focusses exclusively on governance. Governance poses a very quick time to value and it is hard to argue with the need to have visibility around who has access to what.
It’s also important to make sure everyone understands that deploying technology is not the answer to the identity challenge - an identity program is. IAM program owners seeking funding have to be upfront about what it will take to manage the program over time. Program owners are going to need resources and they are also going to need the support of the organization. IT professionals outside of the IAM team are going to get involved and are going to have to contribute. Business users are going to have to be trained and ideally some processes are going to be modified so that they are optimized prior to being automated.
It is quite possible that these simple objectives are not perceived to deliver enough value to justify the investment, but one is better off not embarking on a journey than to go on one ill prepared. The costs of a failed project is much higher than the dollars that will never be recovered. A team’s morale suffers, executives lose credibility, and some find themselves on LinkedIn looking for their next gig.
If you don’t know what the right expectations are find a skilled and trusted partner that can help you set those expectations. Do that before you look for products because a product won’t help if the expectations are not correctly set.
The moral of the story is not “buy my software” but to understand what you are getting yourself into and make sure that the game is stacked in your favor. Our mission at Clear Skye is to simplify IGA and security. Our approach might not be a fit for everyone but very few end up deploying all the functionality they thought they were going to when they started. If you are able to set expectations correctly then consider us as an alternative that delivers the functionality you need in the least amount of time giving you the most bang for your buck.
