With what seems like a daily stream of news related to data breaches these days, why is identity and access management (IAM) still:
- Not moved to the top of every CIO/CTO roadmap
- Only talked about as just the management of an identity and not also the governance of that identity
- Not a standard swim lane with every project that requires any type of authentication to any service (on-premises or 3rd party hosted)?
I’ve written a number of different posts on the IAM topic this year (Identity and Access Management – The Cart or The Horse?, Business System Complexities (Make it Easier), and Business System Complexities and What To Do About It) and have had numerous client engagements discussing the topic, but I’m honestly still a little confused. I’m confused why this concept has not been more universally adopted in organizations of all sizes. At West Monroe Partners, we have a concept that the initiatives that remove “friction” are the ones that are most impactful and deliver the most value to an organization. Companies struggle with identity and access management from both ends, as evidenced by what I witness:
- The Business Side: It is extremely common to hear the business voice dissatisfaction with the number of identities they need to maintain, how they are not uniformly created (e.g. First.Last or Last.First), or how password policies are inconsistent.
- The Technology Side: I hear very often from IT departments that a lack of true business requirements consistently impedes their ability to implement an IAM solution, and that the IT policies they do implement are there to “protect” their users.
So then why are more companies not taking on a program to implement an IAM solution, when the stakes for not doing so seem so high and it’s a point of friction for everyone? In my opinion, there are two reasons:
First, IAM programs are hard to implement, but maybe not for the reason you may suspect. It’s because most companies are under the impression that it’s the IT department’s challenge to overcome, and they involve the business only when necessary. It’s been my experience that this is exactly the wrong way to approach the challenge. If there is ever a program that requires strong business and technology alignment, this is that program. When starting an IAM program, companies still try to boil the ocean, and they often do so because expectations and scope have not been appropriately rationalized between the business side and the technology side.
Second, it’s a matter of operating norms. In most organizations, there are technology platforms that you just expect to have access to, like a phone system (mobile, third party hosted, or otherwise), email system, and Internet access. These are some of the commodity systems you would never think about not providing to employees. In my short time as a technology consultant, I remember when not all my clients had always-on Internet connections, but rather on-demand dial-up connections via modem banks (hanging off Novell servers. Okay, I’ve been consulting for a while…). Business Internet today is what a dial tone was yesterday—it’s a basic part of operating a company. IAM is not thought of that way, yet. My opinion is that it should be and will become that type of deeply ingrained platform in the very near future. Just take a look at all the ways Microsoft Azure is making it easier and more cost effective for companies to implement IAM.
According to the latest report from the Identity Theft Resource Center (ITRC), a total of 541 data breaches had been recorded through September 8, 2015. So perhaps this is the year we start thinking more about the value a well-aligned and well-implemented IAM program can bring to our organizations.