Identity and access management (IAM) is part of a world where the only constant is change. Whether from emerging technologies and new cyber threats, or unpredictable human behaviors and shifting business priorities – cybersecurity is in a state of permanent flux.
These developments have caused many cybersecurity teams to harden their defenses with methods such as identity-based and passwordless authentication. Yet without a standardized approach to implementation, IAM program management can be risky, especially for enterprises with newer program leaders. We’re in an era where program management has a 60%+ failure rate.
IAM program leaders, particularly those with less experience, sometimes need support to recognize and mitigate threatening pitfalls.
Common pitfalls in IAM programs
The good news is that many risk factors have already been identified. Some appear at the start of the process; others surface only after progress has been made. Whether you’re planning a program or already underway with one, awareness of these risk factors is the first step toward mitigating IAM program risk.
Ownership and accountability
IAM benefits extend across the business. That’s why ownership and accountability are needed on all sides. This will involve in-depth discussions to assign responsibility, perhaps with a core team for day-to-day management, and an extended team for regular check-ins and sponsor updates. These regular meetings should happen before the program starts to uncover any potential problem areas and identify drivers that can help accelerate delivery.
This way, involvement and investment exist from the start. Decision-makers are reminded that they have a stake in the IAM program’s success and are more likely to cascade information and progress updates to colleagues and partners. After all, successful IAM programs bring cross-departmental benefits – from enabling greater agility and real-time access for Operations and BI to building compliant and secure protocols for HR and Governance. Reports, therefore, should be written in plain English and with minimal jargon, focusing on outcomes and KPIs that are easily understood by non-technical strategists.
IAM program leaders will also need to nurture stakeholder management, with discussions around resources likely to involve compromises and the balance of different priorities. The goal should be to reach consensus in a way that keeps momentum high and motivation strong.
This helps IAM program leaders with one of the biggest success factors in transformation – behavioral and cultural shifts. Teams need to know that their leaders are fully invested in the program, and that relevant colleagues are clear on the all-important question of “Why are we doing this?” While a decision-maker’s communication can provide some answers, IAM program managers also know that money talks. And budget is another potential pitfall to navigate.
Insufficient budget
The costs of a data breach are well-known – at least, from a regulatory perspective. HIPAA fines reportedly range from $141 to $2 million+ per violation. With GDPR, it’s up to €20 million or 4% of annual turnover. Loss of business continuity can cost even more. But cybersecurity leaders also face the challenge of asking for budget to prevent breaches and other incidents. In this case, it’s difficult to measure the ROI. It’s also difficult to put a price on protecting corporate reputation, as 66% of US consumers say they would no longer trust a company that suffers a data breach.
However, IAM has multiple metrics that can help with securing sufficient budget, such as the amount of time saved by allowing employees to self-serve through a centralized IAM portal rather than having requests handled manually. The productivity gained from automating processes reduces the risk of human error, and governance is strengthened by centralizing access policy updates.
Scope creep is a constant risk, so lack of funding can soon magnify and accelerate problems, especially when iterations are required further down the road. Program management is a specialty that must come with senior authority: programs won’t succeed if they’re driven by employees who still have their regular jobs and duties. Budgets should allow for full-time program management, with the ability to bring in outside expertise when needed to fulfill parts of the mandate and roadmap.
Unclear mandate and roadmap
There’s no room for compromise with this pitfall. Buy-in has to come from the top to ensure a clear mandate. There are no set-it-and-forget-it components, just an ongoing commitment to IAM across multiple functions and departments. The roadmap must factor in wider influences, such as the growth in entities, integration points and applications that require connections to the business ecosystem. Additionally, it needs to consider the rise in new IAM innovations like biometrics and machine learning, and how best to harness these.
Maintaining the right pace is business-critical – too many delays can mean the business gets overtaken by new technologies or may have to readjust based on new regulations. But moving too fast can also lead to unforeseen bumps in the program path.
A Requirements Traceability Matrix (RTM) is an effective tool for making sure requirements are established and certifications are met throughout the program lifecycle. These are mapped to deliverables, allowing the program to maintain clear accountability and communication. This also allows program managers to quickly see the impact on risks and scope whenever there are changes to the planned mandate or customizations to the projected IAM solution.
Customization: One size doesn’t fit all
There’s a fine balance to customizing IAM tools so that they meet organizational needs. Too much customization will slow down the project and will make the tools unwieldy. Troubleshooting, upgrading or replacing non-standard setups, or trying to integrate non-standard add-ons can all become a headache.
Prepackaged vendor solutions might not map exactly to a stakeholder’s needs, but sometimes the most complex architectures may have to stay as is rather than being lifted and shifted. In program management, there’s always an element of “choose your battles.” It’s a similar approach when deciding on how much to customize chosen solutions. First, assess what happens to a customization if you need to upgrade – can it adapt or will it break?
Another balancing act is between loose and tight technology alliances. Picking a partner for system integration and going with recommended and supported solutions is a successful recipe for some. For others, building their own IAM toolset from best-of-breed units works better. Accurately assessing the risks and benefits of both approaches and matching them to the risk tolerance of the organization is critical.
Over-ambitious objectives
The project planning phase is where big ideas are set out, and where motivation and optimism are highest. At this stage, the difference between strategy and execution can also be the difference between program success and failure.
The key is to involve hands-on people who understand when and where a theoretically sound IAM plan might struggle to be put into practice. IAM is an ongoing process with multiple iterations – there is no single project start and end date. So, starting with the quick wins can help take some of the pressure off.
IAM program managers should focus on identifying a few tasks that carry relatively low risk or require little investment, such as automating some simple processes. When these are delivered successfully, ideally within six months, trust and confidence grow within the team and it becomes easier to gain buy-in for the bigger projects.
When it comes to plans that will take longer than six months, try to deconstruct them into smaller phases and sprints. Keep in mind that you can’t manage something if you can’t measure it, so breaking things down into more manageable parts will allow for greater control, more predictability and more granular reporting.
Delivering IAM programs this way, with interlinked projects rather than one monolithic process, also ensures teams can stay agile and reduces the risks of blockers from interdependencies. It gives program managers the best possible chance of delivering programs on schedule and on budget.
Beyond pitfalls and toward IAM program management success
IAM program management is a distinct discipline that will always carry risks given its alignment with wider cybersecurity practices. Meanwhile, the pace of emerging cyberattacks requires organizations to adapt continuously. But IAM is often a laggard when it comes to modernization. In fact, inadequate IAM has been highlighted by OWASP as one of the top 10 CI/CD security risks.
IAM program leaders can get things moving in the right direction by establishing a group of owners with the seniority to kick-start and promote change as well as with the authority to approve sufficient budgets. Gaining approvals for spending relies on a clear mandate and roadmap, with the ability to react and change course at short notice, if needed. Across the wider business, the end users must have their experiences improved and their expectations managed, which relates to how much customization takes place. Too much customization risks undermining the IAM program. Getting the balance right means setting realistic goals and objectives.
Identities in the enterprise will continue to grow in volume and complexity as more non-humans require access to systems. While automation can help solve the rising workloads, from reviews to provisioning, the need for human expertise to deliver programs will remain. Putting in sound program management practices can help mitigate the pitfalls highlighted above.