Hello, everyone. Welcome to our exclusive virtual event series ID:30. Today we have 30 minutes of blazing insights to help you successfully navigate the unique challenges of managing identities.
We get it. Identity and access management can be hard. There are so many moving parts, so many areas to address, and so many possible solutions that it's difficult to know where to start. In this session, Steven Sills, the director for Global IAM at Arthur J. Gallagher, we'll share insights, secret sauce, and lessons learned as the company's several projects evolved into a successful IAM program. Steven will be joined by One Identity's Kelly Hardy. Kelly has been in the technology industry for more than 20 years and has deep expertise in developing go to market messages for security IAM and compliance related topics. Welcome.
Thanks, Michelle, for that wonderful introduction, and welcome everyone to the session today. Please use the chat function to ask any questions, and we'll answer those, time permitting, at the end of the session. And thank you, Steve, so much for being here today.
Thanks for having me.
And can you tell us a little bit about AJ Gallagher and what's been your biggest IAM challenge?
Sure, so we are the world's fourth largest insurance broker. We have over 35,000 employees globally in 49 countries. Our three largest challenges were, on average, we grow through acquisition. So we were before COVID closing on an acquisition approximately every four days. So integrating these companies into our organization, into the IAM solution is challenging. Second, it was that we did not have the full support of our divisional leadership. And third, having a very small team in which to get a global initiative like this launched.
So based on those challenges, how would you define success for your IAM program?
I define success through the usability of the tools. So to give you an idea, we have over 35,000 items in our IT store that are requestable. We also do about 1.2 million automated resort vacations every year. And we also have about three, probably 350,000 requests that run through the IAM solution on an annual basis as well. So I think those along with your numbers that go to the service desk for assistance, which ours are low, are all indicators of how successful your program is.
That's amazing. I know as we were preparing for the session you sent over several secrets to your success. The first was create resources and make them readily available. Can you tell us what you meant by that and how it led to success?
Absolutely. So this is our second generation IAM solution that we launched in 2013. Our first solution was launched in 2010. So you can see there was a very short window before we moved as the first product could not scale with our growth. But learning from that and going big bang or trying to go big bang, we learned that we're going to have to provide the end users with the tools necessary to use this system.
And so we created a SharePoint center of excellence where we have job aids, videos, quick how to one pagers so that people can print them and have them at their side and at the ready. So having all of that documentation ready to go really helped with getting the users acclimated to the system and their usability of it.
I'm sure that took a lot of time, but it sounds like it was definitely worth it.
It was, but I think it was the fun part of the project. We were able to create animated videos, which no one in the IT group had ever done before, to lead up to our launch. And so we did teasers three weeks out. We also used our internet sites to prepare the users for what's coming.
And then also, most of our buildings have video monitors. And so throughout the buildings, we would have one pagers and slides of what's coming so that everybody was in the know. This was one project when we moved to the second gen that everyone knew about. There was no one who could say, we didn't know this was happening.
That's great one of the second things that you said was taking baby steps was a great idea. Can you give us a little bit more detail on that?
Yeah, absolutely. So the IAM system is probably the second most used system across an organization behind the HR system. And so when you've got this kind of reach, you've got to make sure that your users are, as I mentioned, prepared. And so really to do a big bang, you're setting yourselves up for failure, I believe, because that happened to us.
So in the second rollout what we decided to do is break it up by division. And we then left a week between each of the launches to handle any issues and whatnot. And so in doing that phase rollout, yes, it took six months as opposed to, OK, let's just get this deployed in a month. But when there was 0 fallout and noise from that process, it's a workable solution.
Yeah, definitely the extra time probably allowed you to figure out what happened during the first launch and change that for each of those successful additional launches.
Absolutely.
Another secret is to listen to the business and value their needs. How did you do that?
That is really key as well, because, and it's been stated before, printed out there, and I find the statement to be interesting, is that an IAM project is really a business project and not an IT project. And people would say, well, that's kind of strange, but yeah, there's IT behind it, but you've got the front end of the business using the tool. They have to go in and request the entitlements. They have to do re-certifications. They have to understand the speak within the tool.
And so what we did was each of our divisions is organized very differently, some by functional areas, some by branches, regions. And so we created working groups for each of these divisions that gave them a say in how their IT store looks. So when you log into our IT store, it is by division. But once you click that icon, each division looks entirely different.
And that is key to their comfort level of using the tool and understanding what the entitlements are in a very clear and concise description. So their requirements were the who, what, when, why, where. Who should have this access? Why would you need this access? And so when we said, OK, every description is going to have to contain these elements, they were able to utilize the system with very little assistance.
That's great. It sounds like you took user acceptance and user interface into a great deal of concern.
Absolutely.
Next was one of my favorites. Communicate, communicate, communicate. How did you make that a reality?
Again, kind of going back to creating the videos. We also had internal magazines that are distributed and we had two page layouts. We had the internet stories. We had table tents in the cafeterias and so forth. So again, I don't think you can overcommunicate.
And I think I've been in the IT world for 30 years, and I think IT is always guilty of not communicating enough. They just take it for granted that they know this. Everybody should know this. And so subsequently, I think you just cannot communicate enough. And I think partnering with your marcoms teams is essential to you helping you get through that.
I love the use of all the different mediums. We're just so used to sometimes sending out that mass email with a very long, long list of things that no one reads. So it's really great to see that you guys were able to use all the different mediums to really get your message across.
Yes.
The next secret was to focus on enablement as much as you focus on the technology.
Yes, so this was another key area. We went to our HR leaders to get their buy in to require training for new hires. We did not get that support. And subsequently, we knew that we had to somehow engage our users through a training mechanism. And so from our center of excellence SharePoint site, we developed our own course catalog, very much like you would see in a college catalog of courses.
The times available, the descriptions, who should take this course. Then we had our calendar that was linked to that. So then that would send yourself an invite for your calendar, which was for live training. We also offered on demand. And so this was another area that was well received.
We also take a step, and I don't know a lot of companies that either allow this or do this, but we send a welcome from the IAM team to all new employees. So when they sit down day one, there is an email in their box that says, welcome to Gallagher. We want you to register with your self-service password reset tool. Here's a link to the center of excellence site. And here is a link to our training courses. And so in utilizing that communication, we've had a tremendous amount of success with people in their first week or two jumping onto that and understanding how to use the system.
That's such a great thing to hear. Oftentimes when we have new hires throughout the different organizations, you just kind of get lost into where's my computer and how do I get provisioned and what do I have? And you're really making it that first step is that you're hearing from your team right away and making them feel really welcome. It's great to hear that the IAM team is making that impact.
Yes.
One of the other challenges we've heard you talk about was-- or things we heard about was that you preemptively addressed the need for support. How did you do that?
So we have over six disparate service desks across the globe. They in no way tie into one another. And so we had to identify who the service delivery leaders were for each of these groups. And we created a package for them just as we had for our end users. Of course, these were more on a technical level to where the tier one service desks would be able to navigate the IAM system to help users.
One of the biggest questions we get is where is-- what is the status of my request? Where is it in the process? Is it a two level approval? Has the first level approved? Are we waiting on someone else? Things like that, when you give those desks those tools, you're satisfying those callers with one call or with one ticket and not sending them on to the IAM team specifically.
So they have their quick reference guides. They also have the ability to include a link in the service desk ticket for the help guides or just email them directly. And so they're inundated with calls all day long, but these calls tend to be shorter, because they were able to really jump in and identify the issue and get them resolved and on their way.
That's great. I mean, your first line of defense, that's really the people who your users are interacting with first. So to have them really prepared and ready to answer makes that wonderful for all of your users.
Yes.
Really interesting to me that nowhere and all these secrets to your success did you ever mention that you chose one technology over another and that was what made you successful. Can you talk a little bit about that?
Yes. I think you can spend a lot of money and a lot of effort deploying an IAM solution. But if you do not have the foundation which is are the building blocks of the communications, engaging your stakeholders, of really doing the communication, you could spend all the time and money in the world and it's not going to be successful if you don't have users who are utilizing it.
Again, we had a new CISO start this past January, and when he came in and saw our numbers of the re-certifications we do on a quarterly basis, the numbers of requests, the entitlements in our IT store, he was flabbergasted. And he had really nothing but great things to say, because IAM is typically one of the areas that he's always had to go in and fix. And he didn't have to do that in this situation. And I think it says a lot to the preparedness. And I, again, going back to IT people have a very technical perspective on things. But you have to put yourself in the shoes of the end user. And that is what's going to make your program successful.
Well, it must have felt really wonderful to finally be noticed for all the hard work that you did for this program, because it sounds like you guys did an excellent job in putting this out. And with that, I'd like to turn it over to everyone to listen to our ninja tip today.
Typically, [INAUDIBLE] we call a ninja tip. It's some exclusive insight that you only get if you attend the session. Well, as you probably realized, the past 25 minutes have been all about exclusive insight. So we could count this entire time as one big ninja tip. But let's spend a couple of minutes summarizing the key insights we've learned. So here's six secrets to identity and access management success from someone who's done it right.
Number one, create an IAM center of excellence or a centralized location where resources related to the program reside and are readily available to all constituents, employees, management, partners, and IT. Number two, take baby steps, and don't bite off more than you can chew. IAM success is a journey, not a destination. So approach this very large program as a series of discrete, achievable, and measurable milestones. Do a phased rollout, not a big bang.
Number three, treat your IAM program as a business program, not an IT project. Involve all aspects of your business from the very early design stages through rollout and into daily use. Create working groups and give them a platform to help make decisions on how the program will work, the user experience, and the required workloads of all parties. In other words, give them some skin in the game. Number four, communicate. Make sure that all stakeholders from IT to management to end users knows what's coming, why it's coming, and what's in it for them. This can tie in nicely with your IAM center of excellence we discussed earlier.
Number five, focus on enablement. Even the best technology is useless if people don't know how to use it, or even worse, are resistant to using it. So create a rich catalog of materials for end users, managers, or whomever. And create those materials in the format that is best for your audiences. Could be videos, on demand training, short just in time training, instructor led training, or whatever.
And number six, make sure that your internal support teams are up to speed and ready to help. As you roll out your IAM program, even if it's in baby steps, as we recommend, the best way to set yourself up for success is to equip those at the front lines to be responsive, quick, and thorough as they deal with the inevitable service desk issues that come up with any significant IT initiative. So there you have it. Now go out and conquer with your new IAM program.
We see we do have one question from the audience that I was hoping to ask you. The question's around the fact that communication is so important. And how has the pandemic made this a harder situation? You're not getting the face to face meetings and understanding the business needs. How have you dealt with that?
I think that this has actually helped things in the fact that before I think people were dependent upon, perhaps, those face to face meetings and not looking elsewhere for the communications and the instructions and so forth. When you go remote, obviously we can do videos and video chats and so forth. But people really knew now to check the intranet. What are our next steps? What's going on today in the company?
Whereas people really didn't, I would have to say, pay attention to the intranet a whole lot. We even force everyone to go to the intranet when they open Outlook. But people immediately went to their inbox. And so because everyone is working from home, the only way you're going to know what's going on is by using that intranet.
And the other key is to not inundate them. And we work very closely with our marcoms teams on this aspect, is don't inundate your users with constant emails. They don't need an email this morning from HR and one this afternoon from IT. You need to plan when these are going to go out if you're not going to use that centralized mechanism.
That's great. Thanks so much for your time today. This has been very insightful, and I think everybody can gain value from learning from others. And thanks everyone else for coming today. Please join us on September 2 for our next ID:30 session, "Bringing the Cloud Into Focus. Which is Right For You, In, For, or From the Cloud?"
[MUSIC PLAYING]
22:02