There’s no way around it: program management skills are a must for any IAM leader, unless they wish to preside over a chaotic, disorganized mess. IAM initiatives often involve complex, interconnected systems and processes – and most of all, people. Without a firm grasp of program management, leaders risk delays, overruns and a final implementation that’s more like a Frankenstein’s monster than a well-running solution. So, if you want to avoid a career-defining disaster, brush up on your program management skills.
Risks of IAM program failure
Most project managers will know the stats for program delivery success. Here’s a hint: they’re not great. And unfortunately, this is not a recent trend. As Gartner noted back in 2015, “Despite more than 50 years of history and countless methodologies, advice and books, IT projects keep failing.”
Fast-forward to Gartner’s 2023 IAM Summit, where a key takeaway was that “By 2026, 70% of identity-first security strategies will fail unless organizations adopt context-based access policies that are continuous and consistent.”
This identity-led approach is now driving the charge toward what Gartner highlights as “Identity-First Business,” where multiple departments have a say – and a stake – in IAM outcomes. These outcomes range from hardened security postures and risk mitigation to faster access to digital assets and streamlined provisioning and deprovisioning. At the heart of this movement are Gartner’s 3 C’s of identity-first security:
- Consistency: Identities often change over time, especially in larger enterprises with more complex hierarchies and decentralized operations. This calls for a consistent approach to managing identity in the environment, whether that’s ensuring MFA is applied to all employees from hire to exit or connecting entities to applications and endpoints.
- Context-aware: The second principle is about establishing how different identities are being used contextually, from accessing information to granting privileges. Administrators need to establish whether the devices being used are trusted or suspicious by assessing user behaviors and biometrics, and whether ownership and permissions are necessary, appropriate and secure.
- Continuous: For project managers at the start of program management, the third principle is likely to take more time to deliver. It relies on organizational maturity around IAM so that risk and trust are assessed and embedded continuously. There’s no tangible result, and it’s more about recognizing that change is a continuous constant for IAM.
IAM program managers may already have strong knowledge of delivering identity to the enterprise. The 3 C’s provide a reference point to combine their technical expertise and apply it to successful program delivery. Together, they offer a way to avoid some of the dangers that can appear on the path to successful IAM implementation. How many of the below do you recognize?
Wasted investment
There is always risk with new software that isn’t fit-for-purpose. This could cause interoperability issues, gaps in compliance or difficulties when trying to scale and future-proof investments. Instead, the focus must be on delivering an identity fabric, where architecture is integrated rather than simply standing as a collection of standalone tools bolted together. Otherwise, gaps appear, leaving the attack surface vulnerable.
Potentially insecure states
Without a unified solution, or with too many third parties, there’s reduced visibility into the environment. Add in the fact that 98% of organizations are affiliated with a third party that’s experienced a breach, and the result is an attack surface with potentially insecure access points. Without regular auditing of elevated accounts with higher permissions, it becomes harder to enforce the principle of least privilege (PoLP) and Zero Trust, especially if manual user effort is involved. At a time when Forrester predicts “90% of data breaches will include a human element,” high IAM solution usability must be factored in alongside high security.
Compliance violations
Lack of visibility is also an issue when it comes to audits. Trackable and traceable records are essential, especially for the likes of HIPAA’s Audit Log requirements. These must show the identities of who accessed a network, when they accessed it and what actions they took.
Separation of duties is another area where IAM plays a business-critical role in supporting compliance. Under the Sarbanes-Oxley Act, at least two individuals are required to be responsible for key tasks and processes, and regular audits of identity rights and permissions are required as well.
Components of successful IAM program management
Naturally, as more stakeholders become involved, the program becomes more complex. While there’s no substitute for experience, newly promoted IAM professionals can look toward tried-and-tested frameworks for delivering program success across identification, authentication and authorization.
These include:
- Agile project framework: Agile’s adaptability and sometimes Scrum-based, short-term sprints are well-suited to IAM’s shapeshifting landscape. For organizations looking to the 3 C’s of Gartner, the Agile approach also offers many synergies through its five pillars of Agile cybersecurity: continuous reassessment, iterative improvements (for consistency), transparency (to support context), flexibility and teamwork.
- Waterfall framework: For linear, step-by-step IAM projects, the Waterfall approach may be suitable for program managers. However, it relies on accurate analysis of existing processes, and on stakeholders knowing what they want at the scoping stage.
- Project Management Professional (PMP): The PMP approach covers multiple ways of working, from Agile to more hybrid or predictive workflows (when the scope is clearly defined). For those delivering IAM projects in Europe, the PRINCE2 framework is more recognized.
After deciding on the right framework, there will still be many moving parts and a lengthy roadmap that will often change at short notice. So, start by putting in place some tried-and-tested components that are strong enough to withstand these changes.
Clarity of objectives and goals
With complete clarity comes the possibility of full granularity, allowing project managers to understand current capabilities when targeting IAM program outcomes. There needs to be full visibility of the environment, including any shadow IT in operation. A dedicated access management solution that offers multi-protocol support can help achieve this by securing legacy and modern applications – even in hybrid environments.
Stakeholder buy-in and management
It’s one thing to manage stakeholder expectations, but to achieve true change there must be support from the very top of the business. What’s more, this support needs to be visible, such as through senior executive ambassador roles that are visible to all employees. Further visibility comes from decision-makers actively cascading program-related news and updates to the wider business.
In our previous blog, we already discussed stakeholder management as a critical piece in securing funding for your IAM program. This is obviously only the first step of creating a stable program. Keeping stakeholders in the loop by informing them of the recent advances, blockers, challenges and opportunities is key to success. Communicate early and often with your fellow decision makers.
To keep progress on track, program leaders must act as the bridge between the team and the stakeholders. In addition to providing regular program updates, it’s also important to manage expectations throughout the program lifecycle. The scope may change, there will be unforeseen challenges, and some employees are likely to move on or be seconded away from the project. Any of these shifts may mean adjusting expectations either in terms of delivery or timescale. What’s important is to make sure this is communicated when all the facts are established so that the roadmap stays dynamic and updated.
Program planning
IT leaders tasked with managing the program must be given full control. If delivery tasks are bolted onto their daily to-dos, it will soon lead to program failure. Actions get pushed back, scaled down or forgotten about. There also needs to be careful planning to avoid or minimize program interdependencies, where one part of the program can only progress after another is completed. Otherwise, there’s a risk of bottlenecks and lost momentum.
Change management
When it comes to IT-based program management, it’s not only about identifying the right solution. It’s also about making sure the right people are available to implement, adopt and use it. It takes a carefully planned change management approach that defines ownership, in similar language to that used when developing access policies, namely in selecting identities, users and entities that have control, and then offering the right support in terms of training and certifications.
Running IAM: A program, not a project
The IAM lifecycle has many phases, from the day a digital identity is created, to being assigned access and privileges, to exit. This mix makes it an ideal match for the project life cycle, spanning initiation and planning, to execution and monitoring, and ending with closure. For IAM professionals new to program management, finding alignment here can help reduce the risks that come from high-stakes programs.
Organizations are then more able to become identity-first and to adopt the 3 C’s to become consistent, context-aware and continuous in their approach to IAM. With these pillars in place, program managers are better equipped to avoid the common pitfalls of wasted investment, potentially insecure states and possible compliance violations. They can focus on delivering core components for success: clarity of objectives and goals across the business; visible and tangible stakeholder buy-in; authority to plan, execute and deliver; transparent and open communication; and a people-centric focus to deliver permanent behavioral change.
A successful IAM program delivery equips businesses to manage, control and safeguard their digital assets end-to-end while also providing the security transparency needed to meet governance requirements. With this foundation in place, IAM can be a source of agility, business enablement and competitive advantage.